Re: [mod-security-users] CSRF support in modsecurity + Nginx
From: Madhumita M. <ma...@ap...> - 2014-03-24 16:56:23
Thanks, Ryan, for the reply.
But I am not sure how I can make use of that in "optional_rules/modsecurity_crs_43_csrf_protection.conf".
If I replace <LocationMatch .*> in "optional_rules/modsecurity_crs_43_csrf_protection.conf" with location,
now I get this error: "Unknown command in config: location".
Below is what I did. Please correct me and guide me on how I should use the same.
#<LocationMatch .*>
location ~* {
    SecRule &ARGS "@ge 1" "chain,phase:2,id:'981143',t:none,block,msg:'CSRF Attack Detected - Missing CSRF Token.'"
        SecRule &ARGS:CSRF_TOKEN "!@eq 1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"

    SecRule &ARGS "@ge 1" "chain,phase:2,id:'981144',t:none,block,msg:'CSRF Attack Detected - Invalid Token.'"
        SecRule ARGS:CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"

    #
    # This rule will use Content Injection to append the CSRF Token
    #
    SecRule &SESSION:CSRF_TOKEN "@eq 1" "phase:4,id:'981145',t:none,nolog,pass,append:'<html><script language=\"JavaScript\"> \
        \
        var tokenName = \'CSRF_TOKEN\'; \
        var tokenValue = \'%{session.csrf_token}\'; \
        \
        function updateTags() { \
        \
            var all = document.all ? document.all : document.getElementsByTagName(\'*\'); \
            var len = all.length; \
    modsecurity rules goes here
    .
    .
    .
}
#</LocationMatch>
Regards
Madhumitha
On Mon, Mar 24, 2014 at 9:52 PM, Ryan Barnett <RBa...@tr...> wrote:
> Madhumitha,
> You are correct - that rules file uses Apache-specific <LocationMatch>
> directives. The idea is that you don't want to inject anti-CSRF tokens
> into all responses. This allows the user to define directories, etc.,
> where they want to use it.
>
> If you are running on Nginx, you should be able to use the Location
> directive syntax here - http://wiki.nginx.org/HttpCoreModule#location
>
> *Ryan Barnett*
>
> Lead Security Researcher, SpiderLabs
>
>
>
> *Trustwave* | SMART SECURITY ON DEMAND
>
> www.trustwave.com
>
>
> From: Madhumita Mitha <ma...@ap...>
> Reply-To: "mod...@li..." <
> mod...@li...>
> Date: Monday, March 24, 2014 9:22 AM
> To: "mod...@li..." <
> mod...@li...>
> Subject: [mod-security-users] CSRF support in modsecurity + Nginx
>
> Hi
>
> I am using nginx 1.4 and modsecurity 2.7.7.
>
> Apart from the base rules, I am trying to use
> "optional_rules/modsecurity_crs_43_csrf_protection.conf" in nginx.
>
> But when I start nginx with the above-said rules I get the following
> error, "Unknown command in config: <LocationMatch ", and nginx refuses
> to start.
>
> When I searched for the info, one of the sites says that
> LocationMatch (Apache directive) support is not there for IIS and it will be
> provided shortly:
>
> http://atomicorp.com/forums/viewtopic.php?f=14&t=6975
>
> Does this hold true for nginx as well?
>
> And if I comment out LocationMatch, nginx starts properly, and if I do so
> then I fear I may not be able to add the CSRF support with nginx+modsecurity.
>
> Or is there any particular segment that I can comment out in the file
> "optional_rules/modsecurity_crs_43_csrf_protection.conf" and add CSRF
> support?
>
> Please help.
>
> Regards
> Madhumitha
>
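As an added illustration (not code from this thread, from the CRS, or from ModSecurity): a small Python model of what the three rules in the pasted file do, so the chain logic can be checked on constructed requests. Rules 981143 and 981144 are phase-2 chains that count and compare the CSRF_TOKEN argument against the session copy and raise the anomaly score; 981145 is the phase-4 content-injection rule that appends the token script. The value 5 for tx.critical_anomaly_score and the inbound blocking threshold are assumptions matching common CRS 2.2 setup defaults, not values taken from the thread. The real rules are parsed and run by ModSecurity itself, so this model says nothing about how nginx scopes them to a location.

```python
# Added example (not ModSecurity, CRS or thread code): a model of the
# CRS CSRF rule chain 981143 / 981144 / 981145 run on constructed input.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# ARGS as ordered (name, value) pairs: ModSecurity may see a name repeated,
# which is exactly what the '&ARGS:CSRF_TOKEN' count operator cares about.
Args = List[Tuple[str, str]]

# Assumptions for this model: the CRS setup file normally sets
# tx.critical_anomaly_score=5 and tx.inbound_anomaly_score_level=5.
CRITICAL_ANOMALY_SCORE = 5
INBOUND_ANOMALY_SCORE_LEVEL = 5


@dataclass
class Tx:
    """The 'tx.' collection the rules write into with setvar."""
    anomaly_score: int = 0
    msg: str = ""
    tags: Dict[str, str] = field(default_factory=dict)


def count(args: Args, name: Optional[str] = None) -> int:
    """'&ARGS' (name=None) or '&ARGS:NAME': the number of matching variables."""
    return len([v for n, v in args if name is None or n == name])


def record_hit(tx: Tx, rule_id: str, msg: str, var_name: str, var_value: str) -> None:
    """The setvar block shared by the second rule of each chain."""
    tx.msg = msg                                   # tx.msg=%{rule.msg}
    tx.anomaly_score += CRITICAL_ANOMALY_SCORE     # tx.anomaly_score=+...
    tx.tags[f"{rule_id}-WEB_ATTACK/CSRF-{var_name}"] = var_value


def phase2_csrf_rules(args: Args, session: Dict[str, str], tx: Tx) -> List[str]:
    """Rules 981143 and 981144; returns the ids that fired."""
    fired: List[str] = []
    token_count = count(args, "CSRF_TOKEN")
    # 981143: the request carries arguments but not exactly one CSRF_TOKEN.
    if count(args) >= 1 and token_count != 1:
        record_hit(tx, "981143", "CSRF Attack Detected - Missing CSRF Token.",
                   "&ARGS:CSRF_TOKEN", str(token_count))
        fired.append("981143")
    # 981144: every CSRF_TOKEN value must @streq the session's token.
    # An absent SESSION.CSRF_TOKEN expands to "", so any value mismatches.
    if count(args) >= 1:
        for name, value in args:
            if name == "CSRF_TOKEN" and value != session.get("CSRF_TOKEN", ""):
                record_hit(tx, "981144", "CSRF Attack Detected - Invalid Token.",
                           "ARGS:CSRF_TOKEN", value)
                fired.append("981144")
    return fired


def phase4_inject_token(session: Dict[str, str], response_body: str) -> str:
    """Rule 981145: with exactly one SESSION:CSRF_TOKEN, append the token
    script to the response. The updateTags() body is elided, as in the post."""
    if "CSRF_TOKEN" not in session:
        return response_body
    script = ('<html><script language="JavaScript">'
              f"var tokenName = 'CSRF_TOKEN'; var tokenValue = '{session['CSRF_TOKEN']}';"
              " /* updateTags() elided */</script></html>")
    return response_body + script


def evaluate_request(args: Args, session: Dict[str, str],
                     threshold: int = INBOUND_ANOMALY_SCORE_LEVEL) -> dict:
    """Run the phase-2 chain and apply the anomaly-score blocking decision."""
    tx = Tx()
    fired = phase2_csrf_rules(args, session, tx)
    return {"fired": fired, "anomaly_score": tx.anomaly_score,
            "blocked": tx.anomaly_score >= threshold, "msg": tx.msg, "tags": tx.tags}


if __name__ == "__main__":
    # Constructed session and requests, not captured traffic.
    sess = {"CSRF_TOKEN": "abc123"}
    cases = {
        "valid":      [("user", "alice"), ("CSRF_TOKEN", "abc123")],
        "missing":    [("user", "alice")],
        "wrong":      [("CSRF_TOKEN", "zzz")],
        "duplicated": [("CSRF_TOKEN", "abc123"), ("CSRF_TOKEN", "evil")],
        "no args":    [],
    }
    for label, a in cases.items():
        print(f"{label:>10}: {evaluate_request(a, sess)}")
    print(phase4_inject_token(sess, "<p>hi</p>"))
```

Reading the output against the rules: a request with no arguments at all never enters either chain because the first rule in each chain requires `&ARGS "@ge 1"`; a duplicated token trips both 981143 (count is 2, not 1) and 981144 (the second value differs), which is why that case scores twice the critical value.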