Re: [mod-security-users] Password Sanitization in Request Body
From: Steve S. <ste...@gm...> - 2013-10-09 19:10:49
Thanks! I came up with this rule:

SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$" "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"

But I am receiving this error:

Syntax error on line 14 of /opt/modsecurity/etc/rules-first.conf:
SecRule takes two or three arguments, rule target, operator and optional action list

On Wed, Oct 9, 2013 at 9:58 AM, Josh Amishav-Zlatin <ja...@ow...> wrote:
> On Wed, Oct 9, 2013 at 4:02 PM, Steve Stonebraker <ste...@gm...> wrote:
>
>> Thanks I saw that and it looks great but I can't implement it on a prod
>> environment.
>>
>> Right now I'm toying with:
>> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"
>>
>> But I'm not sure how to replace the matched value with the character *
>>
> Hi Steve,
>
> I think the only current solution is to use the ctl action to remove
> logging the request body entirely if it holds sensitive data. Kind of an
> all or nothing approach until the patch makes its way into the stable
> branch.
>
> --
> - Josh
>
>> On Wed, Oct 9, 2013 at 8:06 AM, Josh Amishav-Zlatin <ja...@ow...> wrote:
>>
>>> On Wed, Oct 9, 2013 at 2:28 PM, Steve Stonebraker <ste...@gm...> wrote:
>>>
>>>> I'll answer my own question. The body has JSON which is not processed
>>>> by sanitiseArg.
>>>>
>>> Hi Steve,
>>>
>>> Not sure how stable this is yet, but take a look at:
>>> https://www.modsecurity.org/tracker/browse/MODSEC-253
>>> Perhaps with the patch you could use sanitiseMatched.
>>>
>>> --
>>> - Josh
>>>
>>>> On Tue, Oct 8, 2013 at 12:10 PM, Steve Stonebraker <ste...@gm...> wrote:
>>>>
>>>>> I am unable to sanitize a password in the request body.
>>>>>
>>>>> --2a688459-C--
>>>>> {"username":"someuser","password":"somepassword"}
>>>>>
>>>>> What I've tried:
>>>>> SecAction "phase:2,id:131,nolog,pass,sanitiseArg:password"
>>>>> SecAction "phase:5,id:131,nolog,pass,sanitiseArg:password"
>>>>> SecRule ARGS_NAMES password nolog,pass,id:132,sanitiseMatched
>>>>>
>>>>> Any suggestions?
>>>>>
>>>> ------------------------------------------------------------------------------
>>>> October Webinars: Code for Performance
>>>> Free Intel webinars can help you accelerate application performance.
>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>>>> most from the latest Intel processors and coprocessors. See abstracts and
>>>> register >
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>> http://www.modsecurity.org/projects/commercial/support/
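A form of the rule from the top message that Apache's config parser accepts, added here as an example; it is not from the thread or from the ModSecurity project. It assumes ModSecurity 2.x under Apache httpd with SecRequestBodyAccess On and no body processor configured for application/json (as in the thread); the rule ids 1000 and 1001 and the Content-Type check are constructed for the example.

```apache
# Added example (not from the thread). Assumes ModSecurity 2.x on Apache
# httpd, SecRequestBodyAccess On, and no body processor for
# application/json, so the raw JSON body is not parsed into ARGS.

# Phase 1: REQUEST_BODY is only populated when the URLENCODED body
# processor runs, so for a raw JSON body it has to be forced while the
# headers are still being processed. Rule id 1000 is a constructed value.
SecRule REQUEST_HEADERS:Content-Type "@contains application/json" \
    "phase:1,id:1000,nolog,pass,ctl:forceRequestBodyVariable=On"

# The rule in the message above was rejected because the unescaped quotes
# around password ended the operator argument early, so httpd saw more than
# three arguments. Escaping them as \" (the author already did this for the
# closing quote) keeps the whole pattern in one argument. The pattern is the
# thread's own and still assumes "password" is the last key of a flat JSON
# object; \"password\"\s*: would match the key at any position.
SecRule REQUEST_BODY "@rx ^\{(?:.*)\"password\":\"(.*?)\"\}$" \
    "phase:2,id:1001,nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"

# Caveat from the thread: auditLogParts=-C drops the entire request body
# (part C) from this transaction's audit log entry. That is the
# all-or-nothing trade-off Josh describes: the password is not masked,
# the whole body is simply not logged.
```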