[mod-security-users] CSRF Protection
From: Chris D. <chr...@gm...> - 2010-03-23 15:16:11
I'm trying to implement CSRF protection in an app based on Ryan's example from the WAF Patching Challenge Whitepaper. My app uses a dynamic session token name where only the first four characters (SESS) are static. An example cookie name is:

    SESSbe7bfb0d134fa57e567359f4e62cf41d

The problem I have is how to implement this rule:

    SecRule &ARGS "@ge 1" "chain,phase:2,t:none,deny,log,msg:'CSRF Attack Detected - Invalid Token.'"
    SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{request_cookies.jsessionid}"

How do I compare MODSEC_CSRF_TOKEN to a cookie name where I only know the first four characters? I tried:

    SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{request_cookies./^SESS/}"

but that obviously didn't work. Any ideas how I can do this?

Thanks
Chris
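One way to express the comparison asked about above, as an added example that is not part of the original post or of the whitepaper: a first rule uses ModSecurity's regex collection selector to pick any cookie whose name starts with SESS, captures its value into a transaction variable, and the CSRF check then compares against that variable instead of a fixed cookie name. The rule ids are placeholders, and it assumes a single SESS* cookie per request.

```apache
# Added example (not from the original post). Rule ids are placeholders.
# Step 1: select the cookie whose name starts with "SESS" (the rest of the
# name is dynamic), capture its value and keep it in TX.sess_token.
# Assumes exactly one such cookie per request; with several, the last match wins.
SecRule REQUEST_COOKIES:/^SESS/ "^(.+)$" \
    "phase:2,id:1000001,t:none,pass,nolog,capture,setvar:tx.sess_token=%{TX.1}"

# Step 2: the same check as the whitepaper-derived rule, but compared against
# the captured value rather than a hard-coded cookie name such as jsessionid.
# If no SESS cookie was sent, tx.sess_token is empty and the token cannot match.
SecRule &ARGS "@ge 1" \
    "chain,phase:2,id:1000002,t:none,deny,log,msg:'CSRF Attack Detected - Invalid Token.'"
    SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{tx.sess_token}"
```

As with the original rule, a request that omits MODSEC_CSRF_TOKEN entirely is not caught by this chain, because the second rule then has no variable to test; a separate check on &ARGS:MODSEC_CSRF_TOKEN would be needed for that case.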