Re: [mod-security-users] Hidden Fields
From: Ivan R. <iv...@we...> - 2006-02-26 10:22:55
Markus Rietzler wrote:
> Ivan Ristic wrote:
>> Diego Pellegrino wrote:
>>> Using mod_security, how can I prevent users from changing form parameters
>>> in POST requests? Is it possible?
>>
>> Not possible, unless your hidden form field value is constant (probably
>> not the case).
>>
>> There's some chance this will be supported in the next release.
>
> ...
>
> I think mod_security could not really help with this problem, only if you use
> an output filter that checks for type=hidden and computes md5 hashes...

Exactly. Intercept outgoing forms, identify hidden fields, and for every hidden
field found generate another that contains a signature of the content. The same
approach can be used to protect the cookies.

> 2) Another way would be to use md5 hashes for hidden fields. Compute md5 hashes
> of each or all hidden fields and send them also as a hidden field, so you can
> recompute the hash and check whether the values have changed or not.

Note that hashing alone isn't sufficient because it's trivial for the attacker
to recompute the hash. You have to encrypt the hash too.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
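The recipe in the reply above (intercept the outgoing form, tag every hidden field, check the tags when the POST comes back), as an added example that is not code from the thread or from ModSecurity. It uses HMAC-SHA256 under a server-side key as the per-field tag, the standard keyed construction that an attacker cannot recompute, plus a second tag over the set of protected field names so that a field cannot be silently dropped together with its tag. The sample form, the key, and the output-filter, input-filter and browser stand-ins are all constructed for the demo; in a real deployment the signer runs as an Apache output filter and the verifier as a request filter.

```python
"""Added example, not from the thread or ModSecurity: HMAC-tag hidden form fields on the way
out and verify the tags on the way in.  KEY and SAMPLE_FORM are constructed for the demo."""
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlencode

SIG_PREFIX = "__sig_"   # per-field tag travels in __sig_<fieldname>
SET_FIELD = "__sigset"  # tag over the set of protected names; blocks "drop the field and its tag"
KEY = b"server-side secret, never sent to the client"  # assumption: lives only on the server

SAMPLE_FORM = (  # constructed: two hidden fields the user must not edit, one visible field
    '<form method="post" action="/checkout">\n'
    '<input type="hidden" name="item_id" value="42">\n'
    '<input type="hidden" name="price" value="19.99">\n'
    '<input type="text" name="qty" value="1">\n'
    '<input type="submit" value="Buy">\n'
    '</form>'
)

def _mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def _field_tag(key, name, value):
    # Encode name and value separately so a value containing "=" or "&" cannot be
    # re-split into a different name/value pair that still carries a valid tag.
    return _mac(key, quote(name, safe="") + "=" + quote(value, safe=""))

def _set_tag(key, names):
    return _mac(key, "&".join(quote(n, safe="") for n in sorted(names)))

def _eq(a, b):  # constant-time; compare bytes so non-ASCII attacker input cannot raise
    return hmac.compare_digest(a.encode(), b.encode())

class HiddenFieldSigner(HTMLParser):
    """Stand-in for the output filter: re-emits the page with a tag after every hidden input."""

    def __init__(self, key):
        super().__init__(convert_charrefs=False)  # leave entities in text untouched
        self.key, self.out, self.names = key, [], []

    def _start(self, tag, attrs):
        self.out.append(self.get_starttag_text())
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            name, value = a["name"], a.get("value") or ""  # already decoded: what the browser submits
            self.out.append('<input type="hidden" name="%s" value="%s">'
                            % (escape(SIG_PREFIX + name, quote=True), _field_tag(self.key, name, value)))
            self.names.append(name)

    handle_starttag = handle_startendtag = _start

    def handle_endtag(self, tag):
        if tag == "form":  # the set tag goes just before </form>
            self.out.append('<input type="hidden" name="%s" value="%s">' % (SET_FIELD, _set_tag(self.key, self.names)))
            self.names = []
        self.out.append("</%s>" % tag)

    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append("&%s;" % name)
    def handle_charref(self, name): self.out.append("&#%s;" % name)

def sign_page(html, key=KEY):
    p = HiddenFieldSigner(key)
    p.feed(html); p.close()
    return "".join(p.out)

def verify_post(body, key=KEY):
    """Stand-in for the input filter; body is the raw x-www-form-urlencoded POST body."""
    params = parse_qs(body, keep_blank_values=True)
    protected = [n[len(SIG_PREFIX):] for n in params if n.startswith(SIG_PREFIX)]
    set_tags = params.get(SET_FIELD, [])
    if len(set_tags) != 1 or not _eq(set_tags[0], _set_tag(key, protected)):
        return False, "set of protected fields is missing or was changed"
    for name in protected:
        values, tags = params.get(name, []), params[SIG_PREFIX + name]
        if len(values) != 1 or len(tags) != 1:
            return False, "field %r missing or duplicated" % name
        if not _eq(tags[0], _field_tag(key, name, values[0])):
            return False, "field %r was modified" % name
    return True, "ok"

class _Browser(HTMLParser):  # stand-in for the browser: collects the page's submittable inputs
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") and (a.get("type") or "").lower() != "submit":
            self.fields.append((a["name"], a.get("value") or ""))

def submit(signed_html, tamper=None):
    """POST body the browser would send; `tamper` edits the field list first, as an intercepting proxy would."""
    b = _Browser()
    b.feed(signed_html)
    return urlencode(b.fields if tamper is None else tamper(b.fields))
```

`verify_post(submit(sign_page(SAMPLE_FORM)))` returns `(True, "ok")`; editing `price`, or removing `price` together with `__sig_price`, is rejected, while editing the visible `qty` field is allowed. One caveat a practitioner should keep in mind: a tag proves that the server emitted that name/value pair, not that it belongs to this form or this user, so a validly tagged `price` could be replayed into another form on the same site. Mixing the form action and a session identifier into the MAC input closes that gap, and the same construction carries over to cookies, as the reply notes.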