Re: [mod-security-users] Verifying credit cards
From: Ryan B. <Rya...@Br...> - 2008-01-10 22:11:03
As a reference, did you see the recent Blog post by Ofer on Detecting Credit Card Numbers in Network Traffic - http://www.modsecurity.org/blog/archives/2008/01/detecting_credi.html

A few comments -

* You are correct in that if you want to identify/block outbound payloads that have CC #s, then you do need to run your rules in phase:4 (response body).
* You can use RegExs to help attempt to identify CC however that alone will still yield some false positives. I have run into this issue quite a lot during the WASC distributed open proxy honeypot project. Sites that use Google's Ad-client javascript code, for example, will often match a CC RegEx (as mentioned in Ofer's Blog post).
* Ofer's Blog post also mentions doing a Luhn check, however keep in mind that 1 out of 10 #s will still return true...
* You could run an "exec" action to have an external script run the Luhn check against the data.

FYI - we (Breach) have addressed this issue in our commercial Enhanced Rule set by including an additional module to create a new @verifyCC operator that will run the Luhn check against the captured CC RegEx matches.

Hope this helps.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Matthew Tice
Sent: Thursday, January 10, 2008 4:44 PM
To: mod...@li...
Subject: [mod-security-users] Verifying credit cards

Hello,

I'm trying to set up something to verify that credit card numbers are not returned (phase 4 I believe). Easily enough I can set up a regex to verify - but that could lead to false positives.

I know that you can execute an external script when you get a match, but can you then get the results of that external script?

I'd just like to run a Luhn check on the number, if it comes back positive then I'll react, otherwise I'll let it through.

Any help is appreciated.

Thanks,
Matt
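The regex-plus-Luhn approach discussed in this thread, as an added example in Python (not code from the list, from Breach's rule set or from ModSecurity): a loose card-number regex pulls candidates out of a constructed response body, and only candidates that pass the Luhn mod-10 check are reported, which is what an external script run from an "exec" action would have to do; a second helper shows why the reply warns that the Luhn check alone still passes one digit string in ten. The regex, SAMPLE_BODY and all function names are my own assumptions.

```python
import re
from typing import List

# Candidate pattern: 13 to 19 digits, optionally separated by spaces or dashes.
# Deliberately loose, like the regexes discussed on the list, so that the Luhn
# check is what separates real card numbers from look-alike digit strings.
CC_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:           # 10..18 -> 1..9 (same as summing the two digits)
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(body: str) -> List[str]:
    """Return normalized digit strings in body that match the candidate regex
    AND pass the Luhn check, i.e. the matches worth blocking or alerting on."""
    hits = []
    for m in CC_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def luhn_check_digit_count(prefix: str) -> int:
    """Count how many of the 10 possible final digits make prefix Luhn-valid.
    Always exactly 1, which is why a Luhn check by itself accepts about one
    random digit string in ten."""
    return sum(luhn_valid(prefix + str(d)) for d in range(10))


# Constructed sample response body (not real traffic): a well-known test card
# number, an ad-client-style 16-digit id that fails Luhn, and an order number.
SAMPLE_BODY = """<p>Card on file: 4111 1111 1111 1111</p>
<script>google_ad_client = "pub-1234567890123456";</script>
<p>Order 5555-5555-5555-5555 confirmed</p>
"""

if __name__ == "__main__":
    for n in find_card_numbers(SAMPLE_BODY):
        print("Luhn-valid card number in response body:", n)
```

All three digit strings match the regex; only the test card number survives the Luhn check.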