mod-security-users

[mod-security-users] Hidden Fields

[Diego P. <die...@ho...>]

Using mod_security, how can i prevent that users change forms parameters in 
POST requests? is it possible?

I read that some web app firewalls (commercial products) checks the 
variables contained in the forms and validate against the POST (preventing 
that user change values)

thanks you

Re: [mod-security-users] Hidden Fields

[Ivan R. <iv...@we...>]

Diego Pellegrino wrote:
> Using mod_security, how can i prevent that users change forms parameters
> in POST requests? is it possible?

  Not possible, unless your hidden form field value is constant (probably
  not the case).

  There's some chance this will be supported in the next release.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net

Re: [mod-security-users] Hidden Fields

[Markus R. <we...@mr...>]

Ivan Ristic schrieb:
> Diego Pellegrino wrote:
>> Using mod_security, how can i prevent that users change forms parameters
>> in POST requests? is it possible?
> 
>   Not possible, unless your hidden form field value is constant (probably
>   not the case).
> 
>   There's some chance this will be supported in the next release.
> 

this would be very complicated. there are two problems: 1) you have to know
which fields are hidden and which not. in a get or post request you only get
the pair name=value, no info about hidden or not hidden. 2) you have to know
the initial value of a field.
there are two ways to "protect" hidden fields: 1) use session vars, that are
stored on the server either in a file or db. with this you only send
"sessionId" to the browser, field values are stored on the server. 2) another
way would be to use md5-hashes for hidden fields. compute md5-hashes of each
or all hidden fields and send it also as hidden field. so you can recompute
the hash and check whether values have changed or not.
i think mod_security could not really help with this problem. only if you use
an output-filter that checks for type=hidden and compute md5-hashes...

markus

Re: [mod-security-users] Hidden Fields

[Ivan R. <iv...@we...>]

Markus Rietzler wrote:
> Ivan Ristic schrieb:
>> Diego Pellegrino wrote:
>>> Using mod_security, how can i prevent that users change forms parameters
>>> in POST requests? is it possible?
>>   Not possible, unless your hidden form field value is constant (probably
>>   not the case).
>>
>>   There's some chance this will be supported in the next release.
>> 
> ...
> i think mod_security could not really help with this problem. only if you use
> an output-filter that checks for type=hidden and compute md5-hashes...

  Exactly. Intercept outgoing forms, identify hidden fields, for every
  hidden field found generate another that contains a signature
  of the content.

  The same approach can be used to protect the cookies.


> 2) another
> way would be to use md5-hashes for hidden fields. compute md5-hashes of each
> or all hidden fields and send it also as hidden field. so you can recompute
> the hash and check whether values have changed or not.

  Note that hashing alone isn't sufficient because it's trivial for
  the attacker to recompute the hash. You have to encrypt the hash too.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net

Re: [mod-security-users] Hidden Fields

[Markus R. <we...@mr...>]

> 
>> 2) another
>> way would be to use md5-hashes for hidden fields. compute md5-hashes of each
>> or all hidden fields and send it also as hidden field. so you can recompute
>> the hash and check whether values have changed or not.
> 
>   Note that hashing alone isn't sufficient because it's trivial for
>   the attacker to recompute the hash. You have to encrypt the hash too.
> 

ok, just the md5-hash is not sufficient, but if you use an additional
"salt"-value then it should be good enough. eg.

	<input name="id" type="hidden" value="1234">

then generate an md5-hash from "id1234mySecretSalt". this should be good
enough as "mySecretSalt" could not be guessed that easy...

markus

Re: [mod-security-users] Hidden Fields

[Ivan R. <iv...@we...>]

Markus Rietzler wrote:
>>> 2) another
>>> way would be to use md5-hashes for hidden fields. compute md5-hashes of each
>>> or all hidden fields and send it also as hidden field. so you can recompute
>>> the hash and check whether values have changed or not.
>>   Note that hashing alone isn't sufficient because it's trivial for
>>   the attacker to recompute the hash. You have to encrypt the hash too.
>>
> 
> ok, just the md5-hash is not sufficient, but if you use an additional
> "salt"-value then it should be good enough. eg.
> 
> 	<input name="id" type="hidden" value="1234">
> 
> then generate an md5-hash from "id1234mySecretSalt". this should be good
> enough as "mySecretSalt" could not be guessed that easy...

  Agreed, that would also work.

  Finally, you would also need a mandatory per-form field so
  that, when you receive the form data from the user, you
  know how many hidden fields were there.

  Since you are also likely to rotate the encryption key (or the
  salt), this field also needs to contain a timestamp to help
  you find the key.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net