Re: [mod-security-users] Password Sanitization in Request Body
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Password Sanitization in Request Body
|
From: Steve S. <ste...@gm...> - 2013-10-09 19:10:49
|
Thanks!
I came up with this rule:
SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"
"phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"
But am receiving this error:
Syntax error on line 14 of /opt/modsecurity/etc/rules-first.conf:
SecRule takes two or three arguments, rule target, operator and optional
action list
On Wed, Oct 9, 2013 at 9:58 AM, Josh Amishav-Zlatin <ja...@ow...>wrote:
> On Wed, Oct 9, 2013 at 4:02 PM, Steve Stonebraker <
> ste...@gm...> wrote:
>
>> Thanks I saw that and it looks great but I can't implement it on a prod
>> environment.
>>
>> Right now I'm toying with:
>> SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"
>>
>> But i'm not sure how to replace the matched value with the character *
>>
>>
> Hi Steve,
>
> I think the only current solution is to use the ctl action to remove
> logging the request body entirely if it holds sensitive data. Kind of an
> all or nothing approach until the patch makes its way into the stable
> branch.
>
> --
> - Josh
>
>
>>
>> On Wed, Oct 9, 2013 at 8:06 AM, Josh Amishav-Zlatin <ja...@ow...>wrote:
>>
>>> On Wed, Oct 9, 2013 at 2:28 PM, Steve Stonebraker <
>>> ste...@gm...> wrote:
>>>
>>>> I'll answer my own question. The body has JSON which is not processed
>>>> by sanitiseArg.
>>>>
>>>>
>>> Hi Steve,
>>>
>>> Not sure how stable this is yet, but take a look at:
>>> https://www.modsecurity.org/tracker/browse/MODSEC-253
>>> Perhaps with the patch you could use santiseMatched.
>>>
>>> --
>>> - Josh
>>>
>>>
>>>>
>>>> On Tue, Oct 8, 2013 at 12:10 PM, Steve Stonebraker <
>>>> ste...@gm...> wrote:
>>>>
>>>>> I am unable to sanitize a password in the request body.
>>>>>
>>>>> --2a688459-C-- {"username":"someuser","password":"somepassword"}
>>>>>
>>>>>
>>>>> What i've tried:
>>>>> SecAction "phase:2,id:131,nolog,pass,sanitiseArg:password"
>>>>> SecAction "phase:5,id:131,nolog,pass,sanitiseArg:password"
>>>>> SecRule ARGS_NAMES password nolog,pass,id:132,sanitiseMatched
>>>>>
>>>>> Any suggestions?
>>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> October Webinars: Code for Performance
>>>> Free Intel webinars can help you accelerate application performance.
>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>>>> most from
>>>> the latest Intel processors and coprocessors. See abstracts and
>>>> register >
>>>>
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>> http://www.modsecurity.org/projects/commercial/support/
>>>>
>>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> October Webinars: Code for Performance
>>> Free Intel webinars can help you accelerate application performance.
>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
>>> from
>>> the latest Intel processors and coprocessors. See abstracts and register
>>> >
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>> http://www.modsecurity.org/projects/commercial/rules/
>>> http://www.modsecurity.org/projects/commercial/support/
>>>
>>>
>>
>>
>> ------------------------------------------------------------------------------
>> October Webinars: Code for Performance
>> Free Intel webinars can help you accelerate application performance.
>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
>> from
>> the latest Intel processors and coprocessors. See abstracts and register >
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>>
>>
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
>
|