Re: [mod-security-users] Syntax error for rule by trustwave
From: homesh j. <ho...@gm...> - 2019-10-09 13:13:04
Hi Christian,

Thanks for the quick reply. I am trying to implement the rules mentioned here
<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-advanced-topic-of-the-week-detecting-browser-fingerprint-changes-during-sessions/>

Here are all the rules.

#Step1
## This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid#
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "chain,phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent}"
SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"

#Step 2
SecContentInjection On
SecStreamOutBodyInspection On
SecResponseBodyAccess On
SecRule RESPONSE_STATUS "200" "chain,id:'881802',phase:4,t:none,pass"
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,t:none,nolog"
SecRule &SESSION:KEY "@eq 1" "chain"
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abc123.com\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"

#Step 3
## -=[ Save the initial Browser Fingerprint Hash in the Session Collection ]=-#
SecRule &SESSION:BROWSER_HASH "@eq 0" "chain,id:'881803',phase:1,t:none,nolog,pass"
SecRule REQUEST_COOKIES:BROWSER_HASH ".*" "setvar:session.browser_hash=%{matched_var}"

#Step 4
## -=[ If Browser Fingerprint JS was sent previously, then enforce the
#      existence of the browser_hash Cookie field. ]=-#
SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881804',phase:1,t:none,block,msg:'Warning: Browser Fingering Cookie Missing.'"
SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 0"

SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881805',phase:1,t:none,block,msg:'Warning: Browser Fingering Cookie Mismatch.',logdata:'Expected Browser Fingerprint: %{session.browser_hash}. Browser Fingerprint Received: %{request_cookies.browser_hash}'"
SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 1" "chain"
SecRule REQUEST_COOKIES:BROWSER_HASH "!@streq %{session.browser_hash}"

Thanks,
Homesh

On Wed, Oct 9, 2019 at 5:46 PM Christian Folini <chr...@ne...> wrote:

> Hello Homesh,
>
> You do not have the code to inject the JS into the response. At least not in
> the rule snippet you provided.
>
> The last time I checked the whole CSRF injection and testing stuff, it was
> broken. But that was like 2 years ago.
>
> If the rule snippet you listed has a problem, then I would enable the DebugLog
> and follow the execution of this rule closely. It's a very complex rule and a
> lot can go wrong here.
>
> Cheers,
>
> Christian
>
>
> On Wed, Oct 09, 2019 at 05:35:16PM +0530, homesh joshi wrote:
> > Hi,
> > Now when I am testing the rule against the website I think the first rule
> > is not getting triggered.
> >
> > SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "chain,phase:3,id:'881064',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:'tx.ua=%{request_headers.user-agent}'"
> > SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"
> >
> > This should trigger as the response header Set-Cookie is present in the
> > response with PHPSESSID
> > e.g.
> > A: homesh$ curl -k -i https://somesite.abcd.in 2>&1 | grep Set-Cookie
> > Set-Cookie: PHPSESSID=f26b72756916f074ab798270327d2c99; path=/
> >
> > Not sure why it is not working. I don't see the second rule injecting the JS
> > and I think it is because the first rule is not getting triggered, which should
> > capture "setsid".
> >
> > Please help.
> >
> > Thanks,
> > Homesh
> >
> > On Tue, Oct 1, 2019 at 8:13 PM Ervin Hegedüs <ai...@gm...> wrote:
> >
> > > Hi Homesh,
> > >
> > > On Tue, Oct 01, 2019 at 07:29:53PM +0530, homesh joshi wrote:
> > > > here is the final thing that worked for me. Now I am testing the rule
> > > > for various conditions.
> > >
> > > good to see,
> > >
> > > > #Step1
> > > > ## This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid#
> > > > SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "chain,phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent}"
> > >
> > > just my 2 cents: you would do better to quote the arguments of the
> > > actions, e.g.:
> > >
> > > setvar:'tx.ua=%{request_headers.user-agent}'
> > >
> > > It's not mandatory, but more clear.
> > >
> > > a.
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/
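The following is an added Python example, not code from the thread or from the Trustwave post it references. It answers the question the thread keeps circling: what rule 881062's regex actually captures into %{TX.6} for a given Set-Cookie value, and what the phase-1 rules 881803/881804/881805 decide for a given session/cookie pair. The regex is copied verbatim from the rule (PCRE syntax that Python's re also accepts); the SESSION collection is modelled as a plain dict, the function names and return strings are the example's own, and all header and cookie values are constructed, including the PHPSESSID value quoted in the thread.

```python
import re

# Regex from rule 881062, unchanged. Capture groups, counted left to right:
#   1 = the matched cookie-name alternation      2 = (php)
#   3 = (asp|jserv|jw)                           4 = (id)
#   5 = (id|token)                               6 = the cookie value
# so setsid:%{TX.6} keys the SESSION collection on group 6, the session ID.
SESSION_COOKIE_RE = re.compile(
    r"(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?"
    r"|cf(id|token)|sid).*?=([^\s].*?)\;\s?)"
)


def extract_session_id(set_cookie_value):
    """Return what %{TX.6} would hold for one Set-Cookie header value
    (the value only, as RESPONSE_HEADERS:Set-Cookie exposes it), or None
    when rule 881062 would not match and therefore not call setsid."""
    m = SESSION_COOKIE_RE.search(set_cookie_value)
    return m.group(6) if m else None


def process_request(session, request_cookies):
    """Phase-1 decision of rules 881803/881804/881805, modelled in Python.

    session         - dict standing in for the SESSION collection
    request_cookies - dict standing in for REQUEST_COOKIES
    Returns "allow", "block:missing" (881804) or "block:mismatch" (881805).
    """
    # Step 3 (881803): &SESSION:BROWSER_HASH @eq 0 -> pin the first
    # BROWSER_HASH cookie seen for this session. Note it trusts that first
    # value unconditionally; the later rules only detect changes from it.
    if "browser_hash" not in session and "BROWSER_HASH" in request_cookies:
        session["browser_hash"] = request_cookies["BROWSER_HASH"]

    # Step 4 only applies once rule 881802 injected the fingerprint JS.
    if session.get("fingerprint_code_sent") != "1":
        return "allow"

    received = request_cookies.get("BROWSER_HASH")
    if received is None:                       # 881804: &REQUEST_COOKIES:BROWSER_HASH @eq 0
        return "block:missing"
    if received != session.get("browser_hash"):  # 881805: !@streq %{session.browser_hash}
        return "block:mismatch"
    return "allow"


if __name__ == "__main__":
    # Constructed Set-Cookie values; the first is the one quoted in the thread.
    for value in (
        "PHPSESSID=f26b72756916f074ab798270327d2c99; path=/",
        "JSESSIONID=ABC123; Path=/; HttpOnly",
        "ASP.NET_SessionId=abcd; path=/; HttpOnly",
        "PHPSESSID=abc",          # no attributes, so no ';' after the value
        "theme=dark; Path=/",     # not a session cookie name
    ):
        print(f"{value!r:55} -> TX.6 = {extract_session_id(value)!r}")

    sess = {"fingerprint_code_sent": "1"}
    print(process_request(sess, {}))                       # block:missing
    print(process_request(sess, {"BROWSER_HASH": "h1"}))   # allow, pins h1
    print(process_request(sess, {"BROWSER_HASH": "h2"}))   # block:mismatch
```

Two things the run makes visible that the rule text does not. The regex ends in `\;`, so a Set-Cookie header with no attributes after the value (`PHPSESSID=abc`) never matches and setsid is never called, which is one concrete reason rule 881062 can stay silent on a site that otherwise sets PHPSESSID. And rule 881803 pins whatever BROWSER_HASH arrives first without validating it, so rules 881804/881805 detect a fingerprint that changes during the session, not a fingerprint that was wrong to begin with.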