The JS code used was from the older OWASP CSRFGuard project. It has some limitations (like it doesn't handle XHR requests, etc.), but it was essentially self-contained and easy to modify to have ModSecurity use macro expansion along with the append action to add in the appropriate token data.

I have had it on the back-burner for quite some time to look at the new OWASP CSRFGuard code to see if we can use it similarly - https://github.com/esheri3/OWASP-CSRFGuard/blob/master/csrfguard/src/main/resources/csrfguard.js. It is more robust and can handle XHR calls, but I also think it will be more difficult to quickly port over for use in ModSecurity. If anyone wants to take a crack at it, feel free :)

Ryan Barnett

Senior Lead Security Researcher, SpiderLabs


Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com


From: Francis Hitchens <fhitchen@gmail.com>
Reply-To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Date: Friday, June 6, 2014 12:52 PM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: Re: [mod-security-users] CSRF with Apache 2.4.9 and Mod_security 2.8

Christian,

Thanks, it was all my fault. I had removed modsecurity_crs_16_session_hijacking.conf as it was triggering for some other reason, which seems to have gone away.

Now I have CSRF JS injection working quite nicely.

How mature is the JavaScript though? The isHttpLink function returns false for an HTTP link and will add a CSRF token to HREFs like "#" and "javascript:doSomething()", which breaks the page.

regards, Francis.
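The link-classification problem Francis describes above (tokens being appended to "#" and "javascript:" hrefs) comes down to the test the injected updateTag() applies before rewriting an attribute. The following is an added example, not the CSRFGuard JS or the CRS rule's payload: it pulls that decision out into pure functions so it can be checked outside a browser. It assumes the token name and value arrive from ModSecurity macro expansion as in the posted rule, that the page origin is passed in explicitly (a hypothetical `pageOrigin` argument; in a page you would use `window.location.origin`), and that the WHATWG `URL` API is available (browsers and Node).

```javascript
'use strict';

// Added example (not CSRFGuard or CRS code). The sample hrefs and the
// pageOrigin below are constructed for illustration.

// Schemes that must never get a "?CSRF_TOKEN=..." suffix: it either breaks
// the link outright ("javascript:doSomething()?CSRF_TOKEN=...") or is
// meaningless ("mailto:", "tel:", "data:").
const NON_HTTP_SCHEME = /^\s*(javascript|vbscript|mailto|tel|data|blob|about):/i;

// True only for same-origin HTTP(S) navigations. Fragment-only links,
// non-HTTP schemes, unparsable values and cross-origin URLs return false,
// so the token is neither wasted on them nor leaked to third parties.
function isTokenizableLink(href, pageOrigin) {
  if (typeof href !== 'string') return false;
  const value = href.trim();
  if (value === '' || value.startsWith('#')) return false;   // "#" anchors
  if (NON_HTTP_SCHEME.test(value)) return false;             // javascript:, mailto:, ...
  let url;
  try {
    url = new URL(value, pageOrigin);                        // resolves relative paths
  } catch (e) {
    return false;                                            // unparsable: leave it alone
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return url.origin === new URL(pageOrigin).origin;          // blocks //evil.example/ too
}

// Append the token as a query parameter, keeping an existing query string and
// fragment intact and leaving relative links relative. Values are
// percent-encoded; a link that already carries the token is not touched.
function addTokenToLink(href, tokenName, tokenValue, pageOrigin) {
  if (!isTokenizableLink(href, pageOrigin)) return href;
  const value = href.trim();
  const hashAt = value.indexOf('#');
  const base = hashAt === -1 ? value : value.slice(0, hashAt);
  const hash = hashAt === -1 ? '' : value.slice(hashAt);
  const qAt = base.indexOf('?');
  const params = new URLSearchParams(qAt === -1 ? '' : base.slice(qAt + 1));
  if (params.has(tokenName)) return href;                    // already tokenized
  const pair = encodeURIComponent(tokenName) + '=' + encodeURIComponent(tokenValue);
  return base + (qAt === -1 ? '?' : '&') + pair + hash;
}

// The posted snippet builds the hidden field as
//   '<input type=hidden name=' + tokenName + ' value=' + tokenValue + ' />'
// with unquoted attributes, so a token containing a space or quote escapes
// the attribute. Quote and escape instead (in a real page prefer
// document.createElement('input') + setAttribute over string building).
function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                  .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function hiddenTokenInput(tokenName, tokenValue) {
  return '<input type="hidden" name="' + escapeAttr(tokenName) +
         '" value="' + escapeAttr(tokenValue) + '" />';
}

// Run the helpers over a constructed set of hrefs like those in the thread.
function demo() {
  const origin = 'https://app.example.com';                  // constructed
  const token = 'CSRF_TOKEN';
  const value = 'tok en 1';                                   // constructed value
  const hrefs = ['#', 'javascript:doSomething()', '/WebApplicationRoot/list.do',
                 'edit.jsp?id=7#top', 'http://other.example.net/x',
                 '//evil.example/x', 'mailto:ops@example.com'];
  return hrefs.map(h => [h, addTokenToLink(h, token, value, origin)]);
}

demo().forEach(([before, after]) => console.log(before, '=>', after));
```

In the page itself the same predicate would gate both `updateTag(e, 'href')` and `updateTag(e, 'src')`; note that tokenizing `src` attributes of scripts and images is rarely wanted, which is a separate decision from the scheme check shown here.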


On Fri, Jun 6, 2014 at 12:16 AM, Christian Folini <christian.folini@time-machine.ch> wrote:
Hello Francis,

These rules are quite difficult to work with. I am currently working
on a project, where we have to resort to CSRF token injection too.

I got them to work but it took some site-specific tweaking. You need
to dig into it and go through the rules one by one.

Try to work with the developer tools of your browser and look at the
HTTP traffic there. Personally, I use curl and execute one request
after the other and check to see if the CSRF rules behave exactly
as I want them to.

Temporarily, I added more comments into the rules themselves to get
info via the error log. Also a
SecAction ... msg:"Checkpoint X" ...
here and there.

One of the problems I had was that the application would send out
multiple sessionids like a zealot. This messed up the session store and
the client, as the injected token did not match the sessionid the
client settled on. I had to tell apache how to filter out the non-needed
Set-Cookie headers first. Other issues resemble this one.

Bottom line: This is really cool. But the tweaking of a broken
application can be difficult. The amount of knowledge you gain
along the way is impressive.

To address your problem directly: The rule is not triggered:

> [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Rule
> returned 0.

This means that "&SESSION:CSRF_TOKEN" is not equal to one. This means that
the session store does not (yet) have a CSRF_TOKEN. You need to get this
to work in a consistent way first.

Cheers,

Christian


On Thu, Jun 05, 2014 at 06:30:30PM -0500, Francis Hitchens wrote:
> Hi,
>
> I'm trying to get the csrf rules to work with Apache 2.4.9 and mod_security.
>
> They are not working consistently, sometimes the Javascript is appended,
> other times not. I have not been able to work out any pattern to this
> inconsistency.
>
> In the debug log I see the rule being triggered...
>
> [05/Jun/2014:17:44:19 --0500]
> [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][5] Rule
> 231c738: SecRule "&SESSION:CSRF_TOKEN" "@eq 1"
> "phase:4,auditlog,id:981145,t:none,nolog,pass,append:'<html><script
> language=\"JavaScript\"> var tokenName = 'CSRF_TOKEN'; var tokenValue =
> '%{session.csrf_token}'; \rfunction updateTags() {         var all =
> document.all ? document.all : document.getElementsByTagName('*');
> var len = all.length;         for(var i=0; i<len; i++) {
> var e = all[i];                                 updateTag(e, 'src');
>           updateTag(e, 'href');         } } \rfunction updateForms() {
>     var forms = document.getElementsByTagName('form');
>     for(i=0; i<forms.length; i++) {                 var html =
> forms[i].innerHTML;                                 html += '<input
> type=hidden name=' + tokenName + ' value=' + tokenValue + ' />';
>       forms[i].innerHTML = html;         } } \rfunction updateTag(element,
> attr) {         var location = element.getAttribute(attr);
> if(location != null && location != '' && i
> [05/Jun/2014:17:44:19 --0500]
> [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4]
> Transformation completed in 1 usec.
> [05/Jun/2014:17:44:19 --0500]
> [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Executing
> operator "eq" with param "1" against &SESSION:CSRF_TOKEN.
> [05/Jun/2014:17:44:19 --0500]
> [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Operator
> completed in 1 usec.
> [05/Jun/2014:17:44:19 --0500]
> [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Rule
> returned 0.
> [05/Jun/2014:17:44:19 --0500]
> [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Output
> filter: Output forwarding complete.
>
> but often nothing appears in the browser. Then sometimes it does.
>
> Also if the LocationMatch is set to .* everything (.js, .css .jpg .ico)
> triggers the rule even though the directive says
>
> SecResponseBodyMimeType text/plain text/html text/xml
>
> I have to explicitly match .*\.do|.*\.jsp
>
> Any ideas?
>
> Regards, fjh.


> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
