Re: [mod-security-users] [Owasp-modsecurity-core-rule-set] CSRF Protection
From: Junyong J. <dre...@gm...> - 2010-03-23 15:36:11
Good news. Can you share some information in advance :)

2010/3/23 Ryan Barnett <rya...@br...>

> On Tuesday 23 March 2010 11:16:03 Chris Datfung wrote:
> > I'm trying to implement CSRF protection in an app based on Ryan's example
> > from the WAF Patching Challenge Whitepaper. My app uses a dynamic session
> > token name where only the first four characters (SESS) are static. An
> > example cookie name is:
> >
> > SESSbe7bfb0d134fa57e567359f4e62cf41d
> >
> > The problem I have is how to implement this rule:
> >
> > SecRule &ARGS "@ge 1" "chain,phase:2,t:none,deny,log,msg:'CSRF Attack Detected - Invalid Token.'"
> > SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{request_cookies.jsessionid}"
> >
> > How do I compare MODSEC_CSRF_TOKEN to a cookie name where I only know the
> > first four characters? I tried:
> >
> > SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{request_cookies./^SESS/}"
> >
> > but that obviously didn't work. Any ideas how I can do this?
> >
> > Thanks
> > Chris
>
> How appropriate, as I was getting ready to send out some announcements soon
> that we will be migrating some of the commercial Enhanced Rule Set (ERS)
> items to the CRS, and CSRF protection rules are one of them :)
>
> Once I add these rules to the CRS, I will send a note to the OWASP CRS
> mail-list with usage info.
>
> -Ryan
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owa...@li...
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
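Editor's note: the following is an added example, not a rule set posted by anyone in this thread and not the CRS rules Ryan refers to. It shows one way to do what Chris asks for with stock ModSecurity 2.x directives: select the cookie by a regular expression on its name, copy its value into a transaction variable, and then run the whitepaper-style comparison against that variable instead of a fixed cookie name. The rule ids, the tx.session_token variable name, and the assumption that the suffix after SESS is 32 hex characters (taken from the example cookie name above) are this example's own choices.

```apache
# Added example (not from this thread). Assumes ModSecurity 2.x; the ids
# 900010-900012 and the name tx.session_token are arbitrary choices.

# 1. REQUEST_COOKIES:/regex/ selects cookies by NAME. Capture the value of
#    the cookie whose name is SESS followed by 32 hex digits into a
#    transaction variable. If several cookies match, the last one wins.
SecRule REQUEST_COOKIES:/^SESS[0-9a-f]{32}$/ "^.+$" \
    "id:900010,phase:2,t:none,nolog,pass,setvar:tx.session_token=%{MATCHED_VAR}"

# 2. Same shape as the whitepaper rule, comparing against the captured value.
#    With no SESS cookie present, tx.session_token expands to an empty string,
#    so any submitted token fails the comparison and the request is denied.
SecRule &ARGS "@ge 1" \
    "id:900011,phase:2,chain,t:none,deny,log,msg:'CSRF Attack Detected - Invalid Token.'"
    SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{tx.session_token}"

# 3. The chained rule above only fires when MODSEC_CSRF_TOKEN is present;
#    a request that simply omits the parameter would sail through. Close
#    that gap by denying parameterised requests that carry no token at all.
SecRule &ARGS "@ge 1" \
    "id:900012,phase:2,chain,t:none,deny,log,msg:'CSRF Attack Detected - Missing Token.'"
    SecRule &ARGS:MODSEC_CSRF_TOKEN "@eq 0"
```

Two things to check before deploying something like this: the id actions are mandatory from ModSecurity 2.7 onwards (the 2010 rules in the thread predate that), and rule 900012 will also block legitimate GET requests with query-string parameters unless your application puts the token on every such request, so scope it (for example with a REQUEST_METHOD condition) to the forms you actually inject the token into.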