Re: [mod-security-users] Tokens?
From: Christian M. <cma...@is...> - 2005-05-03 11:16:38
Ivan Ristic wrote:
> Christian Martorella wrote:
>
>> Hi, I was looking at other application firewalls and I saw that some of
>> them use tokens to sign forms or variables with a hash.
>
>
> Can you be more specific? What are they signing? The hidden fields,
> the names of the fields?
>
>
What you sign with a hash is the values of the hidden fields, or the
values of the URL parameters.
For example, if you have

<input name="year" type="hidden"
value="1984?MSEC=OurhashOurhashOurHash">

then if someone changes 1984 to 1982, when you recalculate the hash for
year it will be different and you deny the request.
I know this would bring more performance issues, but it would be good for
parameter tampering, cookie tampering, and all tampering that could be done.
>> Are there plans to implement this in Mod_Security? Or is
>> someone already working on it?
>
>
> No. I am not convinced such a feature would have significant value in
> real life. I can see how it can help in a specific case (e.g. when
> someone has an app with a hidden field that should never change). But
> I do not think it can work as a generic protection measure people can
> turn on and forget about. In this day and age many applications are
> creating forms dynamically at runtime, and using JavaScript to change
> the values in the hidden fields.
>
Maybe you are right, but what about cookies? Or session IDs? Or URL
parameters where, if you change a value, you will be taken to a private zone,
for example? My examples are for badly designed applications
that a company couldn't secure.
I was just looking at what other application firewalls were doing, and I
found this functionality.
Cheers!
-- 
_________________________________
Christian Martorella
e-Security Engineer
cma...@is...
Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª.
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
www.isecauditors.com
____________________________________
This message and any documents attached to it may contain confidential
information. Therefore, anyone who receives it by mistake is informed that
the information it contains is confidential and that its unauthorised use is
prohibited by law; in that case we ask you to notify us by the same means or
by telephone (93 305 13 18), to refrain from making copies of the message or
forwarding or delivering it to another person, and to delete it immediately.
In compliance with Organic Law 15/1999 of 13 December on the protection of
personal data, Internet Security Auditors S.L. informs you that your
personal data have been included in computerised files owned by Internet
Security Auditors S.L., which will be the sole recipient of such data and
whose exclusive purpose is customer management and commercial communication
activities, and that you may exercise the rights of access, rectification,
cancellation and objection provided for by law by letter addressed to
Internet Security Auditors, c. Santander, 101. Edif. A. 2º 1ª, 08030
Barcelona, or by e-mail to the following address: le...@is...
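The signed-hidden-field scheme Christian describes, as an added Python example that is not part of the original thread or of mod_security: a keyed HMAC (my substitution for the plain "hash", so the client cannot recompute the tag) is appended to the value in the `value?MSEC=<tag>` form shown above and checked when the form comes back. `SECRET_KEY`, the field names and the 1984/1982 values are constructed for the demo; per Ivan's objection, this only makes sense for fields the application never rewrites client-side.

```python
import hmac
import hashlib
from typing import Optional

# Constructed demo key. In a real deployment this is a server-side secret
# that never reaches the browser; otherwise the client can re-sign values.
SECRET_KEY = b"demo-secret-not-for-production"
MARKER = "?MSEC="  # separator format taken from the example in the post


def _mac(name: str, value: str) -> str:
    # The MAC covers the field name as well as the value, so a tag issued for
    # "year" cannot be replayed on a different field such as "user_id".
    msg = f"{name}={value}".encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_value(name: str, value: str) -> str:
    """Value as emitted into the hidden field: <value>?MSEC=<hex tag>."""
    return f"{value}{MARKER}{_mac(name, value)}"


def verify_value(name: str, submitted: str) -> Optional[str]:
    """Return the original value if the tag verifies, else None (deny)."""
    value, sep, tag = submitted.rpartition(MARKER)
    if not sep:
        return None  # marker missing: field stripped or never signed
    if not hmac.compare_digest(tag, _mac(name, value)):
        return None  # value or tag was altered in transit
    return value


def render_hidden_input(name: str, value: str) -> str:
    """Hidden input as the server would render it for the form."""
    return f'<input name="{name}" type="hidden" value="{sign_value(name, value)}">'


if __name__ == "__main__":
    field = sign_value("year", "1984")
    print(render_hidden_input("year", "1984"))
    print("legit   :", verify_value("year", field))      # 1984
    tampered = field.replace("1984", "1982", 1)         # client edits the value
    print("tampered:", verify_value("year", tampered))  # None -> deny
```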