Re: [mod-security-users] Blocking (partly) HTTP Parameter Pollution
From: Stephen C. E. <ste...@gm...> - 2009-06-16 11:01:05
Hi Marc,

It's dead easy with Lua script but you will have to do the legwork and find the bits from my project, https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project.

For example, from the file 'rewards-request_03-5.lua', here is an excerpt (cleaned up a bit):

    local d = m.getvars("ARGS"); -- can also use 'ARGS_POST'
    -- Loop through the parameters.
    for i = 1, #d do
      -- Examine parameter name and value: d[i].name, d[i].value
      if (string.find(d[i].name, "check")) then
        if d[i].value == "on" then
          -- modify and add code here
        end
      end
    end

You should get the idea... add each 'name' to an array; when processing a new name/value pair, see if the name is in the array and block if yes.

Stephen

[Drum-roll here: Ready for Ryan to step in with a super-duper legacy solution :-)]

--
http://www.linkedin.com/in/stephencraigevans

On Tue, Jun 16, 2009 at 5:39 PM, Marc Stern<mar...@ap...> wrote:
> Information about a particular case of HTTP Parameter Pollution -
> duplicate arguments - is described here:
> http://www.securityfocus.com/archive/1/504240/30/0/threaded
>
> Does anyone see how to find duplicate argument names, without knowing the
> names in advance?
> The goal is to forbid, for GET & POST, two arguments with the same name.
>
> I tried to play with chained rules, but I would need recursive macro
> expansion, like "TX:%{TX:...}"
>
> Thanks
>
> Marc
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
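Stephen's outline (remember every name seen, block when one repeats) carried through as a complete SecRuleScript, as an added example that is not from the OWASP WebGoat project or this thread; the script path, the find_duplicates() helper and the sample request are assumptions, while m.getvars(), m.log() and the main() return contract are the ModSecurity 2.x Lua API.

```lua
-- Added example: detect duplicate request argument names (HPP) in ModSecurity 2.x Lua.
-- Load with (path is a placeholder):
--   SecRuleScript /etc/modsecurity/dup_params.lua \
--     "phase:2,deny,status:400,log,msg:'Duplicate request parameter name'"
-- m.getvars(), m.log() and the main() contract are the ModSecurity Lua API;
-- find_duplicates() and the sample request below are constructed for this example.

-- Return the sorted list of names that occur more than once in `vars`, a table of
-- {name=..., value=...} entries as m.getvars("ARGS") returns them. Names carry the
-- collection prefix (e.g. "ARGS:id"); ARGS covers both query string and POST body,
-- so the same name sent once via GET and once via POST is caught as well.
function find_duplicates(vars)
  local count, dups = {}, {}
  for _, v in ipairs(vars) do
    local name = v.name:gsub("^[%u_]+:", "")  -- "ARGS:id" -> "id"
    count[name] = (count[name] or 0) + 1
    if count[name] == 2 then dups[#dups + 1] = name end
  end
  table.sort(dups)
  return dups
end

-- Entry point called by ModSecurity: return nil for no match, a string to match
-- (the rule's disruptive action, deny above, then applies).
function main()
  local dups = find_duplicates(m.getvars("ARGS"))
  if #dups == 0 then return nil end
  local msg = "Duplicate parameter name(s): " .. table.concat(dups, ", ")
  m.log(4, msg)
  return msg
end

-- Stand-alone run outside ModSecurity (no global `m`) against a constructed request
-- equivalent to GET /?id=1&check=on with a POST body of id=2.
if m == nil then
  local sample = {
    { name = "ARGS:id",    value = "1"  },
    { name = "ARGS:check", value = "on" },
    { name = "ARGS:id",    value = "2"  },
  }
  print(table.concat(find_duplicates(sample), ", "))
end
```

Because the check runs in phase 2 over ARGS, the body has already been parsed, so a name repeated across the query string and the POST body is treated the same as one repeated within the query string.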