Re: [mod-security-users] POST value to allow but limit number of characters
From: Josh Amishav-Z. <ja...@ow...> - 2013-09-11 09:57:21
On Wed, Sep 11, 2013 at 11:53 AM, rewt rewt <re...@li...> wrote:
> Dear All,
>
> I am trying to do virtual patching (SQL Injection) on a backend application.
>
> The vulnerable param is in a URL called /script.pl and unfortunately it is in the password argument (over POST).
>
> So ModSecurity is working perfectly to patch the SQL injection except that passwords with special characters are directly considered as an SQL attack.
>
> My WAF is based on scoring, I am using ModSecurity 2.7 with CRS rules.
>
> My idea was to disable all rules for password= and activate one rule restricting the sent string to password= to only 10 or 12 characters.
>
> Do you have an idea on how I can configure that, and if it is a good solution? (Real patching is not possible on that application.)

Hi David,

You could use the SecRuleUpdateTargetByTag directive and then cycle through the tags to quickly disable all rules for the password parameter. Afterwards add a virtual patching rule to ensure that the parameter is 10-12 characters long via either a regex or the length transformation function. For example:

SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!ARGS:password"
SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!ARGS:password"
...
SecRule ARGS:password "!^.{10,12}$" "phase:2,id:1,t:none,deny,msg:'Password value does not meet predefined length criteria'"

Having said that, have you looked at simply whitelisting the offending rules via the SecRuleUpdateTargetById directive instead? This way you can still benefit from the CRS while disabling only the ones that are actually creating false positives.

--
- Josh

> Thank you in advance
>
> Kind regards
>
> David R
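A complete form of the patch Josh sketches, as an added example that is not code from the thread or from the OWASP CRS project. It assumes ModSecurity 2.7 with CRS 2.2.x tag names (the exact tags and the rule ids that fire on the parameter should be read from your own audit log), the path /script.pl and the ARGS:password parameter from David's post, and that rule id 900001 is free in your local range; the LOCAL/VIRTUAL_PATCH tag is likewise an assumed name. One caveat a practitioner will want on the record: a 10 to 12 character cap reduces but does not remove the injection surface (a payload such as ' OR 1=1-- fits in ten characters), so the rule also restricts the value to printable ASCII and scopes itself to the vulnerable script, and the patch should be treated as a stopgap until the backend query is parameterised.

```apache
# Added example, not code from the thread or from the CRS project.
# Assumptions:
#   - ModSecurity 2.7.x with OWASP CRS 2.2.x, whose rules carry tags such as
#     'WEB_ATTACK/SQL_INJECTION' (confirm the tag names in your CRS copy with
#     grep -h "tag:'WEB_ATTACK" /path/to/crs/*.conf | sort -u)
#   - the vulnerable script is /script.pl and the parameter is ARGS:password
#   - rule id 900001 and the tag LOCAL/VIRTUAL_PATCH are free for local use
# This file must be included AFTER the CRS rule files: the
# SecRuleUpdateTargetBy* directives modify rules that must already be loaded.

# 1. Remove ARGS:password from the target list of every CRS rule carrying a
#    tag that produced false positives on the parameter. Add one directive
#    per tag seen in the audit log; nothing else about those rules changes.
SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION"     "!ARGS:password"
SecRuleUpdateTargetByTag "WEB_ATTACK/XSS"               "!ARGS:password"
SecRuleUpdateTargetByTag "WEB_ATTACK/COMMAND_INJECTION" "!ARGS:password"

#    Narrower alternative (Josh's second suggestion): exclude the parameter
#    only from the specific rule ids that fire, taken from the audit log.
# SecRuleUpdateTargetById <id-from-audit-log> "!ARGS:password"

# 2. Replacement virtual patch, scoped to POST requests for /script.pl.
#    The chain matches, and the request is denied, only when the value is
#    NOT 10 to 12 printable ASCII bytes (negated @rx on the last link).
#    \z rather than $ so a trailing newline cannot slip past the anchor.
#    PCRE counts bytes here, so a multibyte password is measured in bytes.
SecRule REQUEST_FILENAME "@streq /script.pl" \
    "phase:2,id:900001,t:none,log,deny,status:403,\
    msg:'Password value does not meet predefined length criteria',\
    tag:'LOCAL/VIRTUAL_PATCH',chain"
    SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
        SecRule ARGS:password "!@rx ^[\x20-\x7e]{10,12}\z" "t:none"
```

Before enabling the deny action, run the rule with `pass` in place of `deny` for a while and watch the audit log for `id "900001"` hits: that shows how many real logins would be rejected by the length window and whether the tag list in step 1 covers every CRS rule that was scoring the parameter.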