Re: [mod-security-users] Syntax error for rule by trustwave
From: Christian F. <chr...@ne...> - 2019-10-09 13:24:13
Homesh,

This is a very old recipe and I doubt it will work out of the box. But you can
always try. If I were to set up a similar thing, I would easily spend a day or
more on tweaking and debugging.

Good luck! ... and please report back with your experience. We're all curious
to learn about real world uses of the more advanced ModSec features.

Cheers,

Christian

On Wed, Oct 09, 2019 at 06:42:44PM +0530, homesh joshi wrote:
> Hi Christian,
>
> Thanks for the quick reply.
>
> I am trying to implement the rules mentioned here
> <https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-advanced-topic-of-the-week-detecting-browser-fingerprint-changes-during-sessions/>
>
> Here are all the rules.
>
> #Step1
> ## This rule will identify the outbound Set-Cookie SessionID data and
> capture it in a setsid#
> SecRule RESPONSE_HEADERS:/Set-Cookie2?/
> "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)"
> "chain,phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:
> tx.ua=%{request_headers.user-agent}"
> SecRule UNIQUE_ID "(.*)"
> "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"
>
> #Step 2
> SecContentInjection On
> SecStreamOutBodyInspection On
> SecResponseBodyAccess On
> SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none,pass"
> SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html"
> "chain,t:none,nolog"
> SecRule &SESSION:KEY "@eq 1" "chain"
> SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script
> type=\"text\/javascript\"
> src=\"https\:\/\/www.abc123.com\/client.min.js\"><\/script>|0A|<\/body>/"
> "capture,setvar:session.fingerprint_code_sent=1"
>
> #Step 3
> ## -=[ Save the initial Browser Fingerprint Hash in the Session Collection
> ]=-#
> SecRule &SESSION:BROWSER_HASH "@eq 0"
> "chain,id:'881803',phase:1,t:none,nolog,pass"
> SecRule REQUEST_COOKIES:BROWSER_HASH ".*"
> "setvar:session.browser_hash=%{matched_var}"
>
> #Step 4
> ## -=[ If Browser Fingerprint JS was sent previously, then enforce the #
> existence of the browser_hash Cookie field. ]=-#
> SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1"
> "chain,id:'881804',phase:1,t:none,block,msg:'Warning: Browser Fingering
> Cookie Missing.'"
> SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 0"
> SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1"
> "chain,id:'881805',phase:1,t:none,block,msg:'Warning: Browser Fingering
> Cookie Mismatch.',logdata:'Expected Browser Fingerprint:
> %{session.browser_hash}. Browser Fingerprint Received:
> %{request_cookies.browser_hash}'"
> SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 1" "chain"
> SecRule REQUEST_COOKIES:BROWSER_HASH "!@streq %{session.browser_hash}"
>
> Thanks,
> Homesh
>
>
> On Wed, Oct 9, 2019 at 5:46 PM Christian Folini <chr...@ne...>
> wrote:
>
> > Hello Homesh,
> >
> > You do not have the code to inject the JS into the response. At least not
> > in the rule snippet you provided.
> >
> > The last time I checked the whole CSRF injection and testing stuff, it was
> > broken. But that was like 2 years ago.
> >
> > If the rule snippet you listed has a problem, then I would enable the
> > DebugLog and follow the execution of this rule closely. It's a very
> > complex rule and a lot can go wrong here.
> >
> > Cheers,
> >
> > Christian
> >
> >
> > On Wed, Oct 09, 2019 at 05:35:16PM +0530, homesh joshi wrote:
> > > Hi,
> > > Now when I am testing the rule against the website I think the first rule
> > > is not getting triggered.
> > >
> > > SecRule RESPONSE_HEADERS:/Set-Cookie2?/
> > > "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)"
> > > "chain,phase:3,id:'881064',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:'
> > > tx.ua=%{request_headers.user-agent}' "
> > > SecRule UNIQUE_ID "(.*)"
> > > "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"
> > >
> > > This should trigger as the response header Set-Cookie is present in the
> > > response with PHPSESSID, e.g.
> > >
> > > A: homesh$ curl -k -i https://somesite.abcd.in 2>&1 | grep Set-Cookie
> > > Set-Cookie: PHPSESSID=f26b72756916f074ab798270327d2c99; path=/
> > >
> > > Not sure why it is not working. I don't see the second rule injecting
> > > the JS and I think it is because the first rule is not getting
> > > triggered, which should capture "setsid".
> > >
> > > Please help.
> > >
> > > Thanks,
> > > Homesh
> > >
> > > On Tue, Oct 1, 2019 at 8:13 PM Ervin Hegedüs <ai...@gm...> wrote:
> > >
> > > > Hi Homesh,
> > > >
> > > >
> > > > On Tue, Oct 01, 2019 at 07:29:53PM +0530, homesh joshi wrote:
> > > > >
> > > > > here is the final thing that worked for me. Now I am testing the
> > > > > rule for various conditions.
> > > >
> > > > good to see,
> > > >
> > > > > #Step1
> > > > > ## This rule will identify the outbound Set-Cookie SessionID data and
> > > > > capture it in a setsid#
> > > > > SecRule RESPONSE_HEADERS:/Set-Cookie2?/
> > > > > "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)"
> > > > > "chain,phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:
> > > > > tx.ua=%{request_headers.user-agent}"
> > > >
> > > > just my 2 cents: it would be better to quote the arguments of the
> > > > actions, e.g.:
> > > >
> > > > setvar:'tx.ua=%{request_headers.user-agent}'
> > > >
> > > > It's not mandatory, but more clear.
> > > >
> > > >
> > > >
> > > > a.
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > http://www.modsecurity.org/projects/commercial/support/
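As an added example (not code from the thread, nor from the Trustwave post), the Set-Cookie regex of rule 881062 run in Python against constructed header values: it shows that the session ID lands in capture group 6, which is why the rule references %{TX.6}, and that a Set-Cookie value with no trailing ';' (no path or flag attributes after the value) does not match at all, so the rule never fires for it. It assumes Python's re evaluates this pattern the same way ModSecurity's PCRE does; the pattern uses only constructs both engines share.

```python
import re

# The Set-Cookie regex from rule 881062 as quoted in the thread.
# Capturing groups: 1 = cookie name, 2..5 = inner name parts, 6 = cookie value.
# The rule's setsid:%{TX.6} therefore takes the value, not the name.
SESSION_COOKIE_RE = re.compile(
    r"(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)"
    r".*?=([^\s].*?)\;\s?)"
)


def extract_session_id(set_cookie_value):
    """Return (cookie_name, session_id) as the rule's capture would see it,
    or None when the header does not match and rule 881062 would not fire."""
    m = SESSION_COOKIE_RE.search(set_cookie_value)
    if m is None:
        return None
    return m.group(1), m.group(6)


# Constructed sample Set-Cookie values (not captured from any real site).
SAMPLES = {
    # Same shape as the header shown in the thread: value followed by "; path=/"
    "php_with_attrs": "PHPSESSID=f26b72756916f074ab798270327d2c99; path=/",
    # Java-style session cookie with several attributes
    "jsessionid": "JSESSIONID=0A1B2C3D4E5F; Path=/app; HttpOnly",
    # No attributes after the value: the regex requires a ';' after the value,
    # so this header is silently skipped by the rule
    "php_bare": "PHPSESSID=f26b72756916f074ab798270327d2c99",
    # Cookie name the pattern does not know at all
    "other": "theme=dark; path=/",
}


def check_all(samples=SAMPLES):
    """Run every sample through the rule's regex; None means 'rule does not fire'."""
    return {name: extract_session_id(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:16} -> {result}")
```

When a first rule in a chain does not fire, this kind of offline check of the regex, together with the DebugLog Christian mentions, is the fastest way to tell a pattern mismatch apart from a phase or variable problem.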