Thread: [mod-security-users] Hidden Fields
From: Diego P. <die...@ho...> - 2006-02-24 20:26:32
Using mod_security, how can I prevent users from changing form parameters in POST requests? Is it possible? I read that some web app firewalls (commercial products) check the variables contained in the forms and validate them against the POST (preventing the user from changing values).

Thank you
From: Ivan R. <iv...@we...> - 2006-02-25 16:09:24
Diego Pellegrino wrote:
> Using mod_security, how can i prevent that users change forms parameters
> in POST requests? is it possible?

Not possible, unless your hidden form field value is constant (probably not the case).

There's some chance this will be supported in the next release.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: Markus R. <we...@mr...> - 2006-02-26 10:14:31
Ivan Ristic wrote:
> Diego Pellegrino wrote:
>> Using mod_security, how can i prevent that users change forms parameters
>> in POST requests? is it possible?
>
> Not possible, unless your hidden form field value is constant (probably
> not the case).
>
> There's some chance this will be supported in the next release.
>

This would be very complicated. There are two problems:

1) You have to know which fields are hidden and which are not. In a GET or POST request you only get the pair name=value, with no information about whether the field is hidden or not.

2) You have to know the initial value of a field.

There are two ways to "protect" hidden fields:

1) Use session variables that are stored on the server, either in a file or in a DB. With this you only send a "sessionId" to the browser; the field values are stored on the server.

2) Another way would be to use MD5 hashes for the hidden fields. Compute MD5 hashes of each (or all) of the hidden fields and send them as an additional hidden field. Then you can recompute the hash and check whether the values have changed or not.

I think mod_security could not really help with this problem, unless you use an output filter that checks for type=hidden and computes MD5 hashes...

markus
From: Ivan R. <iv...@we...> - 2006-02-26 10:22:55
Markus Rietzler wrote:
> Ivan Ristic schrieb:
>> Diego Pellegrino wrote:
>>> Using mod_security, how can i prevent that users change forms parameters
>>> in POST requests? is it possible?
>> Not possible, unless your hidden form field value is constant (probably
>> not the case).
>>
>> There's some chance this will be supported in the next release.
>>
> ...
> i think mod_security could not really help with this problem. only if you use
> an output-filter that checks for type=hidden and compute md5-hashes...

Exactly. Intercept outgoing forms, identify hidden fields, and for every hidden field found generate another one that contains a signature of the content. The same approach can be used to protect cookies.

> 2) another
> way would be to use md5-hashes for hidden fields. compute md5-hashes of each
> or all hidden fields and send it also as hidden field. so you can recompute
> the hash and check whether values have changed or not.

Note that hashing alone isn't sufficient, because it's trivial for the attacker to recompute the hash. You have to encrypt the hash too.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: Markus R. <we...@mr...> - 2006-02-26 13:18:50
>
>> 2) another
>> way would be to use md5-hashes for hidden fields. compute md5-hashes of each
>> or all hidden fields and send it also as hidden field. so you can recompute
>> the hash and check whether values have changed or not.
>
> Note that hashing alone isn't sufficient because it's trivial for
> the attacker to recompute the hash. You have to encrypt the hash too.
>

OK, the MD5 hash alone is not sufficient, but if you use an additional "salt" value then it should be good enough. E.g.

<input name="id" type="hidden" value="1234">

then generate an MD5 hash from "id1234mySecretSalt". This should be good enough, as "mySecretSalt" could not be guessed that easily...

markus
From: Ivan R. <iv...@we...> - 2006-02-26 13:43:25
Markus Rietzler wrote:
>>> 2) another
>>> way would be to use md5-hashes for hidden fields. compute md5-hashes of each
>>> or all hidden fields and send it also as hidden field. so you can recompute
>>> the hash and check whether values have changed or not.
>> Note that hashing alone isn't sufficient because it's trivial for
>> the attacker to recompute the hash. You have to encrypt the hash too.
>>
>
> ok, just the md5-hash is not sufficient, but if you use an additional
> "salt"-value then it should be good enough. eg.
>
> <input name="id" type="hidden" value="1234">
>
> then generate an md5-hash from "id1234mySecretSalt". this should be good
> enough as "mySecretSalt" could not be guessed that easy...

Agreed, that would also work.

Finally, you would also need a mandatory per-form field so that, when you receive the form data from the user, you know how many hidden fields were there. Since you are also likely to rotate the encryption key (or the salt), this field also needs to contain a timestamp to help you find the key.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
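The scheme the thread converges on (Markus's keyed hash over each hidden field, plus Ivan's mandatory per-form field carrying the hidden-field count and a timestamp/key id so a rotated key can still be found), as an added example that is not from this thread or from ModSecurity. It uses HMAC-SHA256 in place of the salted MD5 discussed; `KEYS`, `CURRENT_KEY_ID` and `MAX_AGE` are constructed placeholders, and the field list stands in for what an output filter would extract from `type=hidden` inputs.

```python
import hashlib
import hmac
import time

# Constructed key store (placeholder values). The key id embedded in the
# token lets the verifier pick the right key after a rotation.
KEYS = {"k1": b"constructed-old-secret", "k2": b"constructed-current-secret"}
CURRENT_KEY_ID = "k2"
MAX_AGE = 3600  # seconds a signed form remains acceptable


def _mac(key, key_id, ts, fields):
    """HMAC over key id, timestamp, field count and every (name, value).

    Names and values are length-prefixed so that ("ab", "c") and
    ("a", "bc") cannot produce the same input; fields are sorted so the
    result does not depend on submission order."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(f"{key_id}|{ts}|{len(fields)}|".encode())
    for name, value in sorted(fields):
        h.update(f"{len(name)}:{name}{len(value)}:{value}|".encode())
    return h.hexdigest()


def sign_hidden_fields(fields, now=None):
    """Value of the extra hidden field an output filter would inject:
    key id, timestamp, hidden-field count and the MAC, dot-separated."""
    ts = int(now if now is not None else time.time())
    sig = _mac(KEYS[CURRENT_KEY_ID], CURRENT_KEY_ID, ts, fields)
    return f"{CURRENT_KEY_ID}.{ts}.{len(fields)}.{sig}"


def verify_hidden_fields(fields, token, now=None):
    """True only if the token parses, the key is known, the field count
    matches, the form is not expired and the MAC matches (constant-time)."""
    try:
        key_id, ts, count, sig = token.split(".")
        ts, count = int(ts), int(count)
    except ValueError:
        return False
    key = KEYS.get(key_id)
    if key is None or count != len(fields):
        return False  # unknown key, or a hidden field was added/removed
    current = now if now is not None else time.time()
    if not 0 <= current - ts <= MAX_AGE:
        return False  # stale or future-dated form
    return hmac.compare_digest(sig, _mac(key, key_id, ts, fields))
```

A submitted form is accepted only when every hidden value is byte-identical to what was sent out, which is what the output-filter idea in the thread needs the request side to check.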