Re: [mod-security-users] mod_security enhancement idea
From: Ryan B. <rcb...@gm...> - 2006-04-12 01:44:54
On 4/11/06, joe barbish <joe...@ya...> wrote:
> I changed the field length to their real size and the test worked.
>
> SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
> SecFilterSelective POST_PAYLOAD
> "^id=[0-9a-z]{15,}&pw=[0-9a-z]{15,}&userdigit=[0-9a-z]{5,}&submit=Submit$"
> allow
>
>
Cool.
>
> On my membership signup form I have 20 fields and I want to use the same
> coding format for them. IE using the chain and POST_PAYLOAD. Is there some
> way to code the POST_PAYLOAD statement to continue onto next line so it
> would be easy to read 20 fields. Something like this
>
> SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
> SecFilterSelective POST_PAYLOAD "^id=[0-9a-z]{15,}
> &pw=[0-9a-z]{15,}
> &userdigit=[0-9a-z]{5,}&submit=Submit$" allow
>
For ease of following the regular expression, you can use the "\" character
to continue the expression on the next line, like this -
SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
SecFilterSelective POST_PAYLOAD "^id=[0-9a-z]{15,} \
&pw=[0-9a-z]{15,} \
&userdigit=[0-9a-z]{5,}&submit=Submit$" allow
>
> How would I code the POST_PAYLOAD "^email=[0-9a-zA-Z]{45,} to include ._
> - as allowable characters or the POST_PAYLOAD "^add1=[0-9a-zA-Z]{45,} to
> include a dash and a blank as allowable characters?
>
Like this, assuming that this data is on separate lines (since you are using
the "^" anchor) -
SecFilterSelective POST_PAYLOAD "^email=[0-9a-zA-Z\.-_]{45,}" allow
SecFilterSelective POST_PAYLOAD "^add1=[0-9a-zA-Z- ]{45,}" allow
If these are all on one line together, then you will need to include it with
the others like this -
SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
SecFilterSelective POST_PAYLOAD "^id=[0-9a-z]{15,} \
&pw=[0-9a-z]{15,} \
&userdigit=[0-9a-z]{5,} \
&email=[0-9a-zA-Z\.-_]{45,} \
&add1=[0-9a-zA-Z- ]{45,} \
&submit=Submit$" allow
>
> And thanks for your wonderful help. I would have never been able to get
> this from the manual.
>
No problem. When I was new to mod_security, Ivan was kind enough to answer
all of my questions, so I am just "paying it forward" ;) Sorry for the
cheesy movie reference but it was the first thing that came to mind.
-Ryan
*Ryan Barnett <rcb...@gm...>* wrote:
>
> On 4/11/06, joe barbish <joe...@ya...> wrote:
>
> > No Ryan that did not work. debug log shows this
> >
> > Checking signature "^/mls_fsbo_logon.php$" at REQUEST_URI
> > Checking against "/mls_fsbo_logon.php"
> > Signature check returned 403
> > Chained rule with match, continue in the loop
> > Checking against "id=jones1&pw=bob888&userdigit=vmiis&submit=Submit"
> >
>
>
> Ahh... the line above helps. It shows what the expected format of the
> POST_PAYLOAD is.
>
>
>
>
> > Signature check returned 404
> > Access denied with code 404. Pattern match
> > "!^(id|pw|userdigit)=[0-9a-z]$" at POST_PAYLOAD.
> > Rule match, returning code 404
> >
> > I'm thinking this may work
> >
> > SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
> > SecFilterSelective POST_PAYLOAD "^(id|pw|userdigit)=[0-9a-z]$" allow
> >
> > Notice no ! and allow added at end
> >
> > What do you think?
> >
>
>
> This should work (including size restrictions of the values to 20
> characters or less) -
>
> SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
> SecFilterSelective POST_PAYLOAD
> "^id=[0-9a-z]{20,}&pw=[0-9a-z]{20,}&userdigit=[0-9a-z]{20,}&submit=Submit$"
> allow
>
> See if this works. You can test it by submitting data other than letters
> or numbers and also input > 20 characters. These should be blocked.
>
> - Ryan
>
>
> >
> >
> >
> >
> > *Ryan Barnett <rcb...@gm...>* wrote:
> >
> > On 4/11/06, joe barbish <joe...@ya... > wrote:
> > >
> > >
> > > So question is the following code correct.
> > >
> > > SecFilterSelective REQUEST_URI "^/mls_fsbo_signup.php$" allow
> > > plus
> > > SecFilterSelective POST_PAYLOAD "(^id=[0-9a-z]$)"
> > > allow plus
> > > SecFilterSelective POST_PAYLOAD "(^pw=[0-9a-z]$)" allow
> > > plus
> > > SecFilterSelective POST_PAYLOAD "(^userdigit=[0-9a-z]$)" allow
> > >
> > >
> >
> > "plus" is not a valid mod_security action. I would suggest that you use
> > this directive -
> >
> > SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
> > SecFilterSelective POST_PAYLOAD "!^(id|pw|userdigit)=[0-9a-z]$"
> >
> >
> > This should work. Test it out and let me know.
> >
> > -Ryan
> >
> >
> > >
>
>
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
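The thread above builds a positive-security rule: a chained REQUEST_URI match followed by one POST_PAYLOAD regex that whitelists the whole form body, with character classes widened per field. The script below is an added example, not code from the thread or from the mod_security project. It probes those character classes and a full-payload rule with Python's re module (assumed to agree with the PCRE engine mod_security 1.x used for these simple patterns); the field names come from the thread, while the sample payloads, the `{1,n}` length bounds and the "intended" character sets are constructed for the example. It also shows the kind of check a rule author would want before deploying a class: an unescaped hyphen between two characters inside `[...]` forms a range, so `[0-9a-zA-Z\.-_]` admits every ASCII character from `.` through `_`, not just the three punctuation marks, whereas placing the hyphen last keeps it literal.

```python
import re
import string

# Added example, not code from the mailing-list thread. Python's re is assumed
# to agree with PCRE for the character classes and quantifiers used here.

# Constructed alphabet used to probe what a character class admits.
ASCII_SAMPLE = string.digits + string.ascii_letters + string.punctuation + " "


def admitted_chars(char_class: str) -> str:
    """Return the characters from ASCII_SAMPLE that a one-character class matches."""
    pattern = re.compile("^" + char_class + "$")
    return "".join(c for c in ASCII_SAMPLE if pattern.match(c))


def unexpected_chars(char_class: str, intended: str) -> str:
    """Return characters the class admits that are not in the intended set."""
    return "".join(c for c in admitted_chars(char_class) if c not in intended)


# Intended set for the email field (assumption): letters, digits, '.', '_', '-'.
INTENDED_EMAIL = string.digits + string.ascii_letters + "._-"
# An unescaped '-' between '.' and '_' inside a class is a range ('.' .. '_'),
# so this class also admits characters such as '/', '<', '>', '@' and '\'.
RANGE_CLASS = r"[0-9a-zA-Z\.-_]"
# With the hyphen placed last it is literal and only the intended set matches.
LITERAL_CLASS = r"[0-9a-zA-Z._-]"

# Intended set for the address field (assumption): letters, digits, '-', blank.
INTENDED_ADD1 = string.digits + string.ascii_letters + "- "
ADD1_CLASS = r"[0-9a-zA-Z -]"

# Whitelist rule for the whole signup payload: fixed field order, each value
# restricted to its class, length capped with {1,n} (a bare {n,} sets only a
# minimum), and '$' so nothing can be appended after the last field.
SIGNUP_PAYLOAD = re.compile(
    r"^id=[0-9a-z]{1,15}"
    r"&pw=[0-9a-z]{1,15}"
    r"&userdigit=[0-9a-z]{1,5}"
    r"&email=[0-9a-zA-Z._-]{1,45}"
    r"&add1=[0-9a-zA-Z -]{1,45}"
    r"&submit=Submit$"
)


def payload_allowed(payload: str) -> bool:
    """True when the raw POST body matches the whitelist rule exactly."""
    return SIGNUP_PAYLOAD.match(payload) is not None


# Constructed payloads: one well-formed body and several that must be rejected.
SAMPLE_PAYLOADS = {
    "well_formed": "id=jones1&pw=bob888&userdigit=vmiis&email=joe.b_1-x"
                   "&add1=12 main st&submit=Submit",
    "pw_too_long": "id=jones1&pw=" + "a" * 16 + "&userdigit=vmiis&email=joe.b_1-x"
                   "&add1=12 main st&submit=Submit",
    "bad_char":    "id=jones1&pw=bob888&userdigit=vm'is&email=joe.b_1-x"
                   "&add1=12 main st&submit=Submit",
    "reordered":   "pw=bob888&id=jones1&userdigit=vmiis&email=joe.b_1-x"
                   "&add1=12 main st&submit=Submit",
    "extra_field": "id=jones1&pw=bob888&userdigit=vmiis&email=joe.b_1-x"
                   "&add1=12 main st&submit=Submit&admin=1",
}


def check_samples() -> dict:
    """Map each constructed payload name to whether the rule allows it."""
    return {name: payload_allowed(body) for name, body in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    print("range class admits extra:  ", unexpected_chars(RANGE_CLASS, INTENDED_EMAIL))
    print("literal class admits extra:", repr(unexpected_chars(LITERAL_CLASS, INTENDED_EMAIL)))
    print("add1 class admits extra:   ", repr(unexpected_chars(ADD1_CLASS, INTENDED_ADD1)))
    for name, allowed in check_samples().items():
        print(f"{name:12s} -> {'allow' if allowed else 'deny'}")
```

Running it lists the twelve extra characters the range form lets through, shows the two literal-hyphen classes admit nothing beyond their intended sets, and confirms the combined rule accepts the well-formed body while denying the over-long, injected, reordered and extra-field variants.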