Re: [mod-security-users] Syntax error for rule by trustwave
From: Christian F. <chr...@ne...> - 2019-10-09 12:13:27
Hello Homesh,
You do not have the code to inject the JS into the response. At least not in
the rule snippet you provided.
The last time I checked the whole CSRF injection and testing stuff, it was
broken. But that was like 2 years ago.
If the rule snippet you listed has a problem, then I would enable the DebugLog
and follow the execution of this rule closely. It's a very complex rule and a
lot can go wrong here.
Cheers,
Christian
On Wed, Oct 09, 2019 at 05:35:16PM +0530, homesh joshi wrote:
> Hi,
> Now when I am testing the rule against the website I think the first rule
> is not getting triggered.
>
> SecRule RESPONSE_HEADERS:/Set-Cookie2?/
> "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)"
> "chain,phase:3,id:'881064',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:'
> tx.ua=%{request_headers.user-agent}' "
> SecRule UNIQUE_ID "(.*)"
> "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"
>
> This should trigger as the response header set-cookie is present in the
> response with PHPSESSID
> e.g
> A: homesh$ curl -k -i https://somesite.abcd.in 2>&1 | grep Set-Cookie
> Set-Cookie: PHPSESSID=f26b72756916f074ab798270327d2c99; path=/
>
> Not sure why it is not working. I don't see second rule injecting the JS
> and I think it is because first rule is not getting triggered which should
> capture "setsid"
>
> Please help.
>
> Thanks,
> Homesh
>
> On Tue, Oct 1, 2019 at 8:13 PM Ervin Hegedüs <ai...@gm...> wrote:
>
> > Hi Homesh,
> >
> >
> > On Tue, Oct 01, 2019 at 07:29:53PM +0530, homesh joshi wrote:
> > >
> > > here is the final thing that worked for me. Now I am testing the rule
> > > for various conditions.
> >
> > good to see,
> >
> > > #Step1
> > > ## This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid#
> > > SecRule RESPONSE_HEADERS:/Set-Cookie2?/
> > > "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)"
> > > "chain,phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:
> > > tx.ua=%{request_headers.user-agent}"
> >
> > just my 2 cents: you would better to use the actions that you
> > quote its arguments, eg:
> >
> > setvar:'tx.ua=%{request_headers.user-agent}'
> >
> > It's not mandatory, but more clear.
> >
> >
> >
> > a.
> >
> >
> >
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
> >
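Added example, not part of the thread or of the ModSecurity project: an offline Python check of the quoted rule's pattern against the Set-Cookie value from the curl output, showing which capture group ends up in TX.6 and how the chained rule derives the token. It assumes Python's `re` treats this pattern the same way as PCRE, the function names are hypothetical, and it exercises only the regular expression; whether ModSecurity actually evaluates the rule in phase 3 still has to be read from the debug log.

```python
import hashlib
import re

# Pattern copied verbatim from the rule quoted in the thread. ModSecurity's
# @rx is an unanchored PCRE search; re.search is used as its stand-in.
SESSION_RX = re.compile(
    r"(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?"
    r"|cf(id|token)|sid).*?=([^\s].*?)\;\s?)"
)


def capture_tx(header_value):
    """Emulate 'capture': TX.0 is the whole match, TX.1..TX.6 the groups.
    Returns None when the operator would not match (the rule does not fire)."""
    m = SESSION_RX.search(header_value)
    if m is None:
        return None
    return {f"TX.{i}": m.group(i) for i in range(SESSION_RX.groups + 1)}


def csrf_token(unique_id):
    """Emulate the chained rule: t:sha1 then t:hexEncode applied to UNIQUE_ID,
    captured whole by "(.*)" into TX.1."""
    return hashlib.sha1(unique_id.encode()).hexdigest()


if __name__ == "__main__":
    # Header value taken from the curl output in the thread.
    from_thread = "PHPSESSID=f26b72756916f074ab798270327d2c99; path=/"
    # Constructed value: the same cookie with no attributes, so no ';' follows.
    no_semicolon = "PHPSESSID=f26b72756916f074ab798270327d2c99"
    for value in (from_thread, no_semicolon):
        tx = capture_tx(value)
        if tx is None:
            print(f"{value!r}: no match, setsid never runs")
        else:
            print(f"{value!r}: TX.1={tx['TX.1']!r} TX.6={tx['TX.6']!r}")
    # Constructed UNIQUE_ID value, for illustration only.
    print("csrf_token:", csrf_token("constructed-unique-id"))
```

The pattern requires a `;` after the cookie value, so a Set-Cookie header carrying no attributes is one case in which the first rule would not match.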