Thread: [mod-security-users] Syntax error for rule by trustwave
From: homesh j. <ho...@gm...> - 2019-10-01 07:46:48
Hi,

I am trying to implement rules mentioned in the trustwave blog here
<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-advanced-topic-of-the-week-detecting-browser-fingerprint-changes-during-sessions/>.
But I get the below error when I do service apache2 reload.

AH00526: Syntax error on line 13 of /etc/modsecurity/1234.conf:
SecRule takes two or three arguments, rule target, operator and optional action list
Action 'configtest' failed.

Line # 13 is
SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \

I was also getting the same error for the below line, which I commented out as I feel it is not that useful.
## SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"

Below is the entire file content

#Step1
## This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid#
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent}"
## SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"

#Step 2
SecContentInjection On
SecStreamOutBodyInspection On
SecResponseBodyAccess On
SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,id:'881802',t:none,nolog,pass" \
SecRule &SESSION:KEY "@eq 1" "chain" \
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abcd1234.COM\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"

#Step 3
## -=[ Save the initial Browser Fingerprint Hash in the Session Collection ]=-#
SecRule &SESSION:BROWSER_HASH "@eq 0" "chain,id:'881803',phase:1,t:none,nolog,pass"
SecRule REQUEST_COOKIES:BROWSER_HASH ".*" "setvar:session.browser_hash=%{matched_var}"

#Step 4
## -=[ If Browser Fingerprint JS was sent previously, then enforce the
#      existence of the browser_hash Cookie field. ]=-#
#SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881804',phase:1,t:none,block,msg:'Warning: Browser Fingering Cookie Missing.'"
SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 0"
#SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881805',phase:1,t:none,block,msg:'Warning: Browser Fingering Cookie Mismatch.',logdata:'Expected Browser Fingerprint: %{session.browser_hash}. Browser Fingerprint Received: %{request_cookies.browser_hash}'" \
#SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 1" "chain"
SecRule REQUEST_COOKIES:BROWSER_HASH "!@streq %{session.browser_hash}"

Please help me in understanding why I am getting the syntax error.

My environment is
Ubuntu 18.04 64 bit
Apache 2.4.29
Modsecurity version 2.9.2

Thanks,
Homesh
From: Ervin H. <ai...@gm...> - 2019-10-01 08:50:08
Hi Homesh,

On Tue, Oct 01, 2019 at 01:16:31PM +0530, homesh joshi wrote:

> AH00526: Syntax error on line 13 of /etc/modsecurity/1234.conf:
> SecRule takes two or three arguments, rule target, operator and optional
> action list
> Action 'configtest' failed.
>
> Line # 13 is
> SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \

yes, this is invalid. The "\" (backslash) char is used to indicate to the
parser that the next line is part of the current one. So, if you want
to continue the list of actions, then it is needed; elsewhere you
_can_not_ place it.

As I see your config, the next token is a new "SecRule" option,
therefore this isn't the continuation of the previous line.

Maybe you are confused by the 'chain' action, which means
"the next SecRule entity is a continuation of this", but that's
totally different from the backslash at the EOL.

so, your rules:

> SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \
> SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,id:'881802',t:none,nolog,pass" \
> SecRule &SESSION:KEY "@eq 1" "chain"
> SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abcd1234.COM\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"

in the right form:

> SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none"
> SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,t:none,nolog,pass"
> SecRule &SESSION:KEY "@eq 1" "chain"
> SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abcd1234.COM\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"

also note, that you don't need to put the "id" with the same value on
the chained rule - I removed it.

Hope this helps,

a.
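An added example (my own Python, not part of this thread and not ModSecurity's parser) that mimics what Apache's config reader does with the lines discussed above: it joins backslash continuations, splits each SecRule into words, and reports the same "two or three arguments" complaint when a trailing backslash has glued the next SecRule onto the previous one. It goes a little beyond the thread by also flagging an id: repeated on a chained rule and response-side variables (RESPONSE_STATUS, STREAM_OUTPUT_BODY) used in a chain without phase:3/4, which raises no syntax error but leaves such a rule never matching; the sample rules, the example.invalid URL and the stock phase:2 default of SecDefaultAction are assumptions.

```python
# Constructed sample: the Step 2 chain as first posted, with backslash continuations.
SAMPLE_CONF = r'''
# Step 2 (as posted, with line continuations)
SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,id:'881802',t:none,nolog,pass" \
SecRule &SESSION:KEY "@eq 1" "chain" \
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script src=\"https:\/\/example.invalid\/c.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"
'''
# Same chain without the continuations (this alone cures the configtest error) ...
FIXED_CONF = SAMPLE_CONF.replace(" \\\n", "\n")
# ... and additionally with phase:4 on the chain starter and no id: on the chained rule.
CLEAN_CONF = (FIXED_CONF
              .replace("\"chain,id:'881802',t:none\"", "\"chain,id:'881802',phase:4,t:none\"")
              .replace("\"chain,id:'881802',t:none,nolog,pass\"", "\"chain,t:none,nolog,pass\""))
# Earliest phase in which each response-side variable is populated (ModSecurity 2.x).
PHASE_MIN = {"RESPONSE_STATUS": 3, "RESPONSE_HEADERS": 3, "RESPONSE_BODY": 4, "STREAM_OUTPUT_BODY": 4}


def join_continuations(text):
    """Join lines that end in a backslash, as Apache's config reader does."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]  # the backslash itself is dropped
            continue
        logical.append(buf + line)
        buf = ""
    return logical + ([buf] if buf else [])


def tokenize(line):
    """Split a directive into words: quotes group words and a backslash escapes
    the quote character inside them (roughly what ap_getword_conf does)."""
    words, cur, quote, i = [], None, None, 0
    while i < len(line):
        c = line[i]
        if quote:
            if c == "\\" and line[i + 1:i + 2] == quote:
                cur, i = cur + quote, i + 1
            elif c == quote:
                quote = None
            else:
                cur += c
        elif c in "\"'":
            quote, cur = c, (cur or "")
        elif c.isspace():
            if cur is not None:
                words.append(cur)
            cur = None
        else:
            cur = (cur or "") + c
        i += 1
    return words + ([cur] if cur is not None else [])


def check(text, default_phase=2):
    """Return (logical_line, message) findings. default_phase mirrors the stock
    SecDefaultAction, which runs rules without an explicit phase in phase 2."""
    findings, in_chain, chain_phase, n = [], False, default_phase, 0
    for n, line in enumerate(join_continuations(text), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        words = tokenize(line)
        if words[0] != "SecRule":
            continue
        args = words[1:]
        if len(args) not in (2, 3):
            msg = "SecRule takes two or three arguments, rule target, operator and optional action list"
            if "SecRule" in args:
                msg += " (a trailing backslash glued the next SecRule onto this line)"
            findings.append((n, msg))
            in_chain = False
            continue
        actions = [a.strip() for a in args[2].split(",")] if len(args) == 3 else []
        if in_chain:
            if any(a.startswith("id:") for a in actions):
                findings.append((n, "chained rule repeats id:; only the first rule of a chain needs one"))
        else:  # a chain runs in the phase of its first rule (numeric phase: values only here)
            phases = [int(a[6:]) for a in actions if a.startswith("phase:") and a[6:].isdigit()]
            chain_phase = phases[0] if phases else default_phase
        var = args[0].lstrip("&!").split(":")[0]
        need = PHASE_MIN.get(var)
        if need and chain_phase < need:
            findings.append((n, f"{var} is only populated from phase {need}, but this chain runs in phase {chain_phase}"))
        in_chain = "chain" in actions
    if in_chain:
        findings.append((n, "last rule ends with 'chain' but no rule follows it"))
    return findings
```

Running check() over the three samples gives one syntax finding for SAMPLE_CONF, the id and phase findings for FIXED_CONF, and nothing for CLEAN_CONF.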
From: homesh j. <ho...@gm...> - 2019-10-01 14:00:14
Hi Ervin,
Thanks a lot. Now I am clear on the use of \ and chain.
Here is the final thing that worked for me. Now I am testing the rule
for various conditions.
#Step1
## This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid#
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "chain,phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent}"
SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"

#Step 2
SecContentInjection On
SecStreamOutBodyInspection On
SecResponseBodyAccess On
SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none,pass"
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,t:none,nolog"
SecRule &SESSION:KEY "@eq 1" "chain"
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abc123.com\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"

#Step 3
## -=[ Save the initial Browser Fingerprint Hash in the Session Collection ]=-#
SecRule &SESSION:BROWSER_HASH "@eq 0" "chain,id:'881803',phase:1,t:none,nolog,pass"
SecRule REQUEST_COOKIES:BROWSER_HASH ".*" "setvar:session.browser_hash=%{matched_var}"

#Step 4
## -=[ If Browser Fingerprint JS was sent previously, then enforce the
#      existence of the browser_hash Cookie field. ]=-#
SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881804',phase:1,t:none,block,msg:'Warning: Browser Fingering Cookie Missing.'"
SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 0"
SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881805',phase:1,t:none,block,msg:'Warning: Browser Fingering Cookie Mismatch.',logdata:'Expected Browser Fingerprint: %{session.browser_hash}. Browser Fingerprint Received: %{request_cookies.browser_hash}'"
SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 1" "chain"
SecRule REQUEST_COOKIES:BROWSER_HASH "!@streq %{session.browser_hash}"
Thanks,
Homesh
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
From: Ervin H. <ai...@gm...> - 2019-10-01 14:40:21
Hi Homesh,
On Tue, Oct 01, 2019 at 07:29:53PM +0530, homesh joshi wrote:
>
> here is is the final thing that worked for me. Now I am testing the rule
> for various conditions.
good to see,
> #Step1
> ## This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid#
> SecRule RESPONSE_HEADERS:/Set-Cookie2?/
> "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)"
> "chain,phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent}"

just my 2 cents: you would do better to quote the arguments of the
actions, e.g.:

setvar:'tx.ua=%{request_headers.user-agent}'

It's not mandatory, but clearer.
a.
From: homesh j. <ho...@gm...> - 2019-10-09 12:05:37
Hi,
Now when I am testing the rule against the website I think the first rule
is not getting triggered.
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "chain,phase:3,id:'881064',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:'tx.ua=%{request_headers.user-agent}'"
SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"

This should trigger as the response header Set-Cookie is present in the
response with PHPSESSID, e.g.:

A: homesh$ curl -k -i https://somesite.abcd.in 2>&1 | grep Set-Cookie
Set-Cookie: PHPSESSID=f26b72756916f074ab798270327d2c99; path=/

Not sure why it is not working. I don't see the second rule injecting the JS,
and I think it is because the first rule, which should capture "setsid", is
not getting triggered.
Please help.
Thanks,
Homesh
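Before going to the debug log, the Step 1 regex itself can be checked offline against the header the server really sends. The following is an added example (my own code, not from the thread or the Trustwave post): it runs the rule's expression in Python's re engine, which reads this particular pattern the same way PCRE does, reports what %{TX.6} (the sixth capture group, since (?i:...) does not capture) would be handed to setsid, and walks a constructed header list the way RESPONSE_HEADERS:/Set-Cookie2?/ selects headers. One edge it shows: the pattern insists on a ';' after the value, so a Set-Cookie with no attributes after the session id never matches.

```python
import re

# The Step 1 expression exactly as it appears in the rule. Python's re engine
# reads this PCRE syntax the same way (scoped (?i:...) groups exist since 3.6).
SESSION_COOKIE_RE = re.compile(
    r"(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)"
    r".*?=([^\s].*?)\;\s?)"
)
# The rule's RESPONSE_HEADERS:/Set-Cookie2?/ target, applied to lower-cased names.
HEADER_NAME_RE = re.compile(r"set-cookie2?")


def session_id_from_set_cookie(value):
    """Return what %{TX.6} (the 6th capture group, fed to setsid) would hold for
    one Set-Cookie header value, or None when the rule would not match it."""
    m = SESSION_COOKIE_RE.search(value)
    return m.group(6) if m else None


def setsid_from_response(headers):
    """Walk (name, value) response headers the way the /Set-Cookie2?/ target
    selects them and return the first session id the rule would capture, or
    None. Header names are compared case-insensitively, as HTTP requires."""
    for name, value in headers:
        if HEADER_NAME_RE.search(name.lower()):
            sid = session_id_from_set_cookie(value)
            if sid is not None:
                return sid
    return None


# Constructed samples; the first mirrors the curl output quoted in the thread.
SAMPLES = [
    ("PHPSESSID=f26b72756916f074ab798270327d2c99; path=/", "matches, value captured"),
    ("phpsessid=abc; path=/", "matches: (?i:...) makes the cookie name case-insensitive"),
    ("PHPSESSID=f26b72756916f074ab798270327d2c99", "no match: the pattern requires ';' after the value"),
    ("theme=dark; path=/", "no match: not a session cookie name the pattern knows"),
]

if __name__ == "__main__":
    for value, note in SAMPLES:
        print(f"{value!r:58} -> {session_id_from_set_cookie(value)!r}  ({note})")
```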
From: Christian F. <chr...@ne...> - 2019-10-09 12:13:27
Hello Homesh,
You do not have the code to inject the JS into the response. At least not in
the rule snippet you provided.
The last time I checked the whole CSRF injection and testing stuff, it was
broken. But that was like 2 years ago.
If the rule snippet you listed has a problem, then I would enable the DebugLog
and follow the execution of this rule closely. It's a very complex rule and a
lot can go wrong here.
Cheers,
Christian
From: homesh j. <ho...@gm...> - 2019-10-09 13:13:04
Hi Christian,

Thanks for the quick reply.

I am trying to implement rules mentioned here
<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-advanced-topic-of-the-week-detecting-browser-fingerprint-changes-during-sessions/>

Here are all the rules.

#Step1
## This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid#
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "chain,phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent}"
SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"

#Step 2
SecContentInjection On
SecStreamOutBodyInspection On
SecResponseBodyAccess On
SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none,pass"
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,t:none,nolog"
SecRule &SESSION:KEY "@eq 1" "chain"
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abc123.com\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"

#Step 3
## -=[ Save the initial Browser Fingerprint Hash in the Session Collection ]=-#
SecRule &SESSION:BROWSER_HASH "@eq 0" "chain,id:'881803',phase:1,t:none,nolog,pass"
SecRule REQUEST_COOKIES:BROWSER_HASH ".*" "setvar:session.browser_hash=%{matched_var}"

#Step 4
## -=[ If Browser Fingerprint JS was sent previously, then enforce the
#      existence of the browser_hash Cookie field. ]=-#
SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881804',phase:1,t:none,block,msg:'Warning: Browser Fingering Cookie Missing.'"
SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 0"
SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881805',phase:1,t:none,block,msg:'Warning: Browser Fingering Cookie Mismatch.',logdata:'Expected Browser Fingerprint: %{session.browser_hash}. Browser Fingerprint Received: %{request_cookies.browser_hash}'"
SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 1" "chain"
SecRule REQUEST_COOKIES:BROWSER_HASH "!@streq %{session.browser_hash}"

Thanks,
Homesh
From: Christian F. <chr...@ne...> - 2019-10-09 13:24:13
Homesh,

This is a very old recipe and I doubt it will work out of the box. But you
can always try.

If I were to set up a similar thing, I would easily spend a day or more on
tweaking and debugging.

Good luck! ... and please report back with your experience. We're all
curious to learn about real world uses of the more advanced ModSec features.

Cheers,

Christian