Thread: [mod-security-users] inserting header with random size ?
From: <han...@xs...> - 2013-08-07 16:30:21
Hi,

I'm rather new to mod_security.

I'd like to insert a variable-sized header on responses, e.g.:

    X-padding: xxxx
    or
    X-padding: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

etc., where the number of x's randomly differs per response.

Is this possible with a standard rule, or would I need to define a custom function for this?

KR,
Hans
From: Josh Amishav-Z. <ja...@ow...> - 2013-08-07 19:38:25
Hi Hans,

How do you decide how many x's are appropriate for each response? Depending on the implementation, you could use a combination of the ModSecurity setenv action and a mod_headers rule to inject the header.

--
- Josh
From: <han...@xs...> - 2013-08-07 20:02:52
Josh,

thanks for your answer.

The number of x's should be random (say between 1 and 80) to ensure that the response size differs (it's an attempt to tackle the BREACH SSL attack ;-)).

The setenv seems to be doable by exec-ing a Lua script, but I was wondering if there was a cleaner way.

Cheers,
Hans
From: Christian F. <chr...@ti...> - 2013-08-07 20:43:17
Hans,

On Wed, Aug 07, 2013 at 10:02:46PM +0200, han...@xs... wrote:
> The number of x's should be random (say between 1 and 80) to ensure that
> the response size differs (it's an attempt to tackle the BREACH SSL
> attack ;-))
> The setenv seems to be doable by exec-ing a Lua script, but I was
> wondering if there was a cleaner way.

If you do not care about the quality of the randomness, then you could hash the unique-id (-> md5, sha or base64). The result could then be manipulated (-> extract certain patterns) to get a string with varying length. Alternatively, you could extract numbers out of the result and use these numbers to tell the engine how long the series of x's should be.

Now I would not call this clean. But for a proof of concept, it might be just enough.

Enjoy!

Christian
From: <han...@xs...> - 2013-08-10 11:26:29
Got it! It turns out that m.setvar() can't just set random variable names. This does the trick:

    SecRuleEngine On
    # Run the Lua script on every request. nolog,pass keeps the
    # "Unconditional match in SecAction" warning out of the error log.
    SecAction "id:'007',phase:2,nolog,pass,exec:conf/breachheader.lua,setenv:randomstring=%{tx.randomstring}"
    # mod_headers copies the environment variable that ModSecurity exported.
    Header set X-breach-protection "%{randomstring}e"

and in conf/breachheader.lua:

    function main()
        -- 1 to 80 'a's; math.random is a PRNG, see the note on math.randomseed() below
        local randomstring = string.rep('a', math.random(80))
        -- The variable name must include its collection (tx.). With a bare name the
        -- call fails and the script stops, which is why the second m.log in the
        -- earlier attempt never ran.
        m.setvar("tx.randomstring", randomstring)
    end

The thing to keep in mind though is that math.random is not truly random. E.g. every time Apache starts, the first result is a single 'a'. So one might want to do something with math.randomseed(). On the other hand, if the site has enough visitors it will be hard to predict the sequence.

The only thing left now is a way to verify if the BREACH attack is countered, but that's a different topic :-)

Thanks all for your hints and tips.

Hans

On 9-8-2013 21:38, han...@xs... wrote:
> Ok,
>
> I think I'm almost there now, but somehow I can't get the Lua handover to work. I have:
>
>     Header set X-blabla "blablah"
>     SecRuleEngine On
>     #SecAction id:'007',exec:conf/breachheader.lua,setenv:randomstring=%{randomstring}
>     SecAction id:'007',exec:conf/breachheader.lua,setenv:randomstring=
>     Header set X-breach-protection "%{randomstring}e"
>
> and the Lua source is:
>
>     function main()
>         randomstring=string.rep('a',math.random(80))
>         m.log(0,"1-breachheader.lua "..randomstring)
>         m.setvar("randomstring",randomstring)
>         m.log(0,"2-breachheader.lua"..randomstring)
>     end
>
> The error log shows:
>
>     [Fri Aug 09 21:09:44.303033 2013] [:error] [pid 2660:tid 996] [client ::1] ModSecurity: Warning. Unconditional match in SecAction. [file "C:/Users/klunderhjaa/Downloads/httpd-2.4.6-win32/Apache24/conf/extra/mod-security.conf"] [line "4"] [id "007"] [hostname "localhost"] [uri "/"] [unique_id "UgU@eMCosh0AAApkUXQAAAAp"]
>     [Fri Aug 09 21:21:52.574687 2013] [:error] [pid 2660:tid 996] [client ::1] ModSecurity: 1-breachheader.lua aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [hostname "localhost"] [uri "/"] [unique_id "UgVBUMCosh0AAApkUXUAAAAp"]
>     [Fri Aug 09 21:21:52.575687 2013] [:error] [pid 2660:tid 996] [client ::1] ModSecurity: Warning. Unconditional match in SecAction. [file "C:/Users/klunderhjaa/Downloads/httpd-2.4.6-win32/Apache24/conf/extra/mod-security.conf"] [line "4"] [id "007"] [hostname "localhost"] [uri "/"] [unique_id "UgVBUMCosh0AAApkUXUAAAAp"]
>     [Fri Aug 09 21:21:53.893763 2013] [:error] [pid 2660:tid 996] [client ::1] ModSecurity: 1-breachheader.lua aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [hostname "localhost"] [uri "/"] [unique_id "UgVBUcCosh0AAApkUXYAAAAp"]
>
> so the random string is being generated, however the second log line is never reached?!?
> The headers are generated:
>
>     X-blabla: blablah
>     X-breach-protection: 1
>
> But as soon as I try to put the var into the setenv by doing:
>
>     SecAction id:'007',exec:conf/breachheader.lua,setenv:randomstring=%{randomstring}
>     #SecAction id:'007',exec:conf/breachheader.lua,setenv:randomstring=
>
> then the environment variable stays empty and the header is suppressed.
>
> Any help is much appreciated :-)
>
> Cheers,
>
> Hans

On 9-8-2013 17:26, han...@xs... wrote:
> Brian,
>
> thx for the comments. I'm interested too :-)
> For now, as it's a hobby project for me, I'm trying to get a working mod_headers/mod_security setup to test it out ;-)
>
> Cheers,
>
> Hans

On 9-8-2013 15:54, Brian Rectanus wrote:
> Although, replying to myself here, adding x's to the header may still work ok as you will not have to worry about the x's being compressed (negating the size fluctuation) when adjusting the payload size (providing SSL compression is disabled, which you should be doing to mitigate). I'd be interested to hear about your success with this (or lack thereof, heh).
>
> -B

On Fri, Aug 9, 2013 at 6:28 AM, Brian Rectanus wrote:
> I believe the issue is HTTP compression, not that the attacker can see the payload. Compression is performed only on the body in HTTP, which is why matching guesses make the response smaller. That is, if your guess matches bytes in the body, then the compression ratio is higher (payload smaller) due to similar bytes of a correct guess.
>
> In addition, to make this work well, you need to inject arbitrary bytes, not just x's. You need some, but not all, of the random bytes to match the secret so that the compressed size fluctuates enough to render the attack much more difficult.
>
> It is an interesting idea. I'd suggest adding a much larger payload of random bytes that match the secret that you are trying to protect.
>
> Cheers,
> -B

On Fri, Aug 9, 2013 at 12:04 AM, han...@xs... wrote:
> Christian,
>
> I might be wrong, but if the MITM is able to separate the HTTP response body from the HTTP header then he has already broken the SSL tunnel. So why bother trying to guess the content when the attacker can read it in plain text?
>
> The way I read it, the attacker has access to another part of the browser (window, iframe) and is able to inject calls to the target site, but is not able to view the secured data. Therefore he also needs to be able to intercept the SSL payload and compare it to the spoofed payload. And since header and body travel together it should not matter whether the random bytes are added to header or body.
>
> But again I could be wrong ;-)
>
> Cheers,
> Hans
> ps. if the attacker is already in the middle and is able to instruct the browser, he can also instruct the browser to download a trojan, but that's a different topic ;-)

On 9-8-2013 8:32, Christian Folini wrote:
> Hey Hans,
>
> On Fri, August 9, 2013 7:21 am, han...@xs... wrote:
>> You are right that the header won't affect the content length of the body.
>> However if I read the description of the attack
>> (http://www.kb.cert.org/vuls/id/987798) then the man in the middle
>> checks the size of the SSL payload, not the body content length.
>
> That is not correct.
>
> The description notes:
> "To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response."
>
> But your initial idea is still valid. You just need to inject your random content in the response body and among the headers.
>
> Ahoj,
>
> Christian
From: Christian F. <chr...@ti...> - 2013-08-10 18:30:50
Hi Hans,

Congratulations on that simple implementation.

On Sat, Aug 10, 2013 at 01:26:22PM +0200, han...@xs... wrote:
> The only thing left now is a way to verify if the BREACH attack is
> countered, but that's a different topic :-)

On the httpd-dev list, there was this note by Joe Orton yesterday, that points out the base problem with your approach (it's also in the paper, but not that much to the point):

Joe Orton:
> Length hiding seems the most promising avenue. The paper notes that
> simply adding rand(0..n) bytes to the response only increases the
> cost (time/requests) of executing the attack.

Ahoj,

Christian
From: Josh Amishav-Z. <ja...@ow...> - 2013-08-07 21:28:00
On Wed, Aug 7, 2013 at 11:02 PM, han...@xs... wrote:
> The number of x's should be random (say between 1 and 80) to ensure that
> the response size differs (it's an attempt to tackle the BREACH SSL attack
> ;-))

Hi Hans,

I may be completely off, but injecting a random header value does not affect the content-length value. I think you need to inject a random number of bytes into the response body.

--
- Josh
From: <han...@xs...> - 2013-08-09 05:21:11
Josh,

You are right that the header won't affect the content length of the body. However, if I read the description of the attack (http://www.kb.cert.org/vuls/id/987798) then the man in the middle checks the size of the SSL payload, not the body content length. As the header is part of the SSL payload, varying the header would alter the SSL payload size and therefore blind the MITM :-)

Cheers,

Hans
From: <han...@xs...> - 2013-08-11 13:59:01
|
Christian,

I do agree that with enough responses it is possible to statistically determine whether the guess was right, but with a reasonable amount of random bytes it would at least require significantly more attempts to get enough data to do the stats. Combine that with server-side rate limiting and the attack is imho much harder to complete :-)

Cheers,
Hans

ps. if any of the devs are reading this: it would be nice if the Lua interface had a little more docs ;-). It took me quite some time to figure out how the API worked and that m.setvar only allows certain values, especially since no error popped up. The only hint was the second m.log message not appearing in the Apache log.

On 10-8-2013 20:30, Christian Folini wrote:
> Hi Hans,
>
> Congratulations on that simple implementation.
>
> On Sat, Aug 10, 2013 at 01:26:22PM +0200, han...@xs... wrote:
>> The only thing left now is a way to verify if the BREACH attack is
>> countered, but that's a different topic :-)
>
> On the httpd-dev list, there was this note by Joe Orton yesterday,
> that points out the base problem with your approach (It's also
> in the paper, but not that much to the point):
>
> Joe Orton:
>> Length hiding seems the most promising avenue. The paper notes
>> that simply adding rand(0..n) bytes to the response only increases the
>> cost (time/requests) of executing the attack.
>
> Ahoj,
>
> Christian
|
From: Christian F. <chr...@ti...> - 2013-08-11 19:10:49
|
Hey Hans,

On Sun, Aug 11, 2013 at 03:58:53PM +0200, han...@xs... wrote:
> I do agree that with enough responses it is possible to statistically
> determine whether the guess was right, but with a reasonable amount of
> random bytes it would at least require significantly more attempts to
> get enough data to do the stats. Combine that with server-side rate
> limiting and the attack is imho much harder to complete :-)

Absolutely. Rate limiting is always a good defense and once again it helps a great deal.

Ahoj,

Christian

> Cheers,
>
> Hans
|
From: Christian F. <chr...@ti...> - 2013-08-09 06:33:04
|
Hey Hans,

On Fri, August 9, 2013 7:21 am, han...@xs... wrote:
> You are right that the header won't affect the content length of the body.
> However if I read the description of the attack
> (http://www.kb.cert.org/vuls/id/987798) then the man in the middle
> checks the size of the SSL payload, not the body content length.

That is not correct.

The description notes:
"To recover a particular secret in an HTTPS response body, the attacker
guesses character by character, sending a pair of requests for each guess.
The correct guess will result in a smaller HTTPS response."

But your initial idea is still valid. You just need to inject your random
content in the response body and among the headers.

Ahoj,

Christian

> As the header is part of the SSL payload, varying the header would alter
> the SSL payload size and therefore blind the MITM :-)
>
> Cheers,
>
> Hans
>
> On 7-8-2013 23:27, Josh Amishav-Zlatin wrote:
>> On Wed, Aug 7, 2013 at 11:02 PM, han...@xs... wrote:
>>
>>     Josh,
>>
>>     thanks for your answer.
>>
>>     The number of x's should be random (say between 1 and 80) to
>>     ensure that the response size differs (it's an attempt to tackle
>>     the BREACH SSL attack ;-))
>>
>> Hi Hans,
>>
>> I may be completely off but injecting a random header value does not
>> affect the content-length value. I think you need to inject a random
>> number of bytes to the response body.
>>
>> --
>> - Josh
>>
>>     The setenv seems to be doable by exec-ing a Lua script, but I was
>>     wondering if there was a cleaner way.
>>
>>     Cheers,
>>
>>     Hans
|
From: <han...@xs...> - 2013-08-09 07:04:11
|
Christian,

I might be wrong, but if the MITM is able to separate the HTTP response body from the HTTP header then he has already broken the SSL tunnel. So why bother trying to guess the content then when the attacker can read it in plain text?

The way I read it, the attacker has access to another part of the browser (window, iframe) and is able to inject calls to the target site, but is not able to view the secured data. Therefore he also needs to be able to intercept the SSL payload and compare it to the spoofed payload. And since header and body travel together it should not matter whether the random bytes are added to header or body.

But again I could be wrong ;-)

Cheers,
Hans

ps. if the attacker is already in the middle and is able to instruct the browser, he can also instruct the browser to download a trojan, but that's a different topic ;-)

On 9-8-2013 8:32, Christian Folini wrote:
> Hey Hans,
>
> On Fri, August 9, 2013 7:21 am, han...@xs... wrote:
>> You are right that the header won't affect the content length of the body.
>> However if I read the description of the attack
>> (http://www.kb.cert.org/vuls/id/987798) then the man in the middle
>> checks the size of the SSL payload, not the body content length.
>
> That is not correct.
>
> The description notes:
> "To recover a particular secret in an HTTPS response body, the attacker
> guesses character by character, sending a pair of requests for each guess.
> The correct guess will result in a smaller HTTPS response."
>
> But your initial idea is still valid. You just need to inject your random
> content in the response body and among the headers.
>
> Ahoj,
>
> Christian
|
From: Brian R. <bre...@gm...> - 2013-08-09 13:28:57
|
I believe the issue is HTTP compression, not that the attacker can see the payload. Compression is performed only on the body in HTTP, and that is why matching guesses make the response smaller. That is, if your guess matches bytes in the body, then the compression ratio is higher (payload smaller) due to similar bytes of a correct guess.

In addition, to make this work well, you need to inject arbitrary bytes, not just x's. You need some, but not all, of the random bytes to match the secret so that the compressed size fluctuates enough to render the attack much more difficult.

It is an interesting idea. I'd suggest adding a much larger payload of random bytes that match the secret that you are trying to protect.

Cheers,
-B

On Fri, Aug 9, 2013 at 12:04 AM, han...@xs... wrote:
> Christian,
>
> I might be wrong, but if the MITM is able to separate the HTTP response
> body from the HTTP header then he has already broken the SSL tunnel. So
> why bother trying to guess the content then when the attacker can read
> it in plain text?
>
> The way I read it, the attacker has access to another part of the
> browser (window, iframe) and is able to inject calls to the target site,
> but is not able to view the secured data. Therefore he also needs to be
> able to intercept the SSL payload and compare it to the spoofed payload.
> And since header and body travel together it should not matter whether
> the random bytes are added to header or body.
>
> But again I could be wrong ;-)
>
> Cheers,
> Hans
>
> ps. if the attacker is already in the middle and is able to instruct the
> browser, he can also instruct the browser to download a trojan, but that's
> a different topic ;-)
|
From: Brian R. <bre...@gm...> - 2013-08-09 13:54:16
|
Although, replying to myself here, adding x's to the header may still work ok as you will not have to worry about the x's being compressed (negating the size fluctuation) when adjusting the payload size (providing SSL compression is disabled, which you should be doing to mitigate).

I'd be interested to hear about your success with this (or lack thereof, heh).

-B

On Fri, Aug 9, 2013 at 6:28 AM, Brian Rectanus <bre...@gm...> wrote:
> I believe the issue is HTTP compression, not that the attacker can see the
> payload. Compression is performed only on the body in HTTP, and that is why
> matching guesses make the response smaller. That is, if your guess matches
> bytes in the body, then the compression ratio is higher (payload smaller)
> due to similar bytes of a correct guess.
>
> In addition, to make this work well, you need to inject arbitrary bytes,
> not just x's. You need some, but not all, of the random bytes to match the
> secret so that the compressed size fluctuates enough to render the attack
> much more difficult.
>
> It is an interesting idea. I'd suggest adding a much larger payload of
> random bytes that match the secret that you are trying to protect.
>
> Cheers,
> -B
>> >>> <mailto:mod...@li...> >> >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> >>> Commercial ModSecurity Rules and Support from Trustwave's >> >>> SpiderLabs: >> >>> http://www.modsecurity.org/projects/commercial/rules/ >> >>> http://www.modsecurity.org/projects/commercial/support/ >> >>> >> >>> >> >>> >> >>> >> >>> >> ------------------------------------------------------------------------------ >> >>> Get 100% visibility into Java/.NET code with AppDynamics Lite! >> >>> It's a free troubleshooting tool designed for production. >> >>> Get down to code-level detail for bottlenecks, with <2% overhead. >> >>> Download for free and get started troubleshooting in minutes. >> >>> >> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk >> >>> >> >>> >> >>> _______________________________________________ >> >>> mod-security-users mailing list >> >>> mod...@li... >> >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> >>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> >>> http://www.modsecurity.org/projects/commercial/rules/ >> >>> http://www.modsecurity.org/projects/commercial/support/ >> >> >> ------------------------------------------------------------------------------ >> >> Get 100% visibility into Java/.NET code with AppDynamics Lite! >> >> It's a free troubleshooting tool designed for production. >> >> Get down to code-level detail for bottlenecks, with <2% overhead. >> >> Download for free and get started troubleshooting in minutes. >> >> >> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk_______________________________________________ >> >> mod-security-users mailing list >> >> mod...@li... 
>> >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> >> http://www.modsecurity.org/projects/commercial/rules/ >> >> http://www.modsecurity.org/projects/commercial/support/ >> >> >> > >> > >> > >> ------------------------------------------------------------------------------ >> > Get 100% visibility into Java/.NET code with AppDynamics Lite! >> > It's a free troubleshooting tool designed for production. >> > Get down to code-level detail for bottlenecks, with <2% overhead. >> > Download for free and get started troubleshooting in minutes. >> > >> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk >> > _______________________________________________ >> > mod-security-users mailing list >> > mod...@li... >> > https://lists.sourceforge.net/lists/listinfo/mod-security-users >> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> > http://www.modsecurity.org/projects/commercial/rules/ >> > http://www.modsecurity.org/projects/commercial/support/ >> >> >> >> ------------------------------------------------------------------------------ >> Get 100% visibility into Java/.NET code with AppDynamics Lite! >> It's a free troubleshooting tool designed for production. >> Get down to code-level detail for bottlenecks, with <2% overhead. >> Download for free and get started troubleshooting in minutes. >> >> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ >> > > |
From: Aaron B. <aam...@ui...> - 2013-08-09 14:43:03
|
Hi Hans,

I found the information in Ivan Ristic's article here: http://www.net-security.org/article.php?id=1869&p=1 to be very informative. He has several suggestions on how to mitigate the attack. Hope you find it helpful.

Aaron

On Wed, Aug 7, 2013 at 12:30 PM, han...@xs... <han...@xs...> wrote:
> Hi,
>
> I'm rather new to mod_security
>
> I'd like to insert a variable sized header on responses
>
> e.g:
> X-padding: xxxx
> or
> X-padding: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> etc
>
> where the number of x-s randomly differs per response.
>
> Is this possible with a standard rule or would I need to define a custom function for this ?
>
> KR,
> Hans
|
From: <han...@xs...> - 2013-08-09 15:25:01
|
Aaron,

thanks for the hint, I found it myself last night. Very informative indeed :-)

Thx again,
Hans

On 9-8-2013 15:51, Aaron Brown wrote:
> Hi Hans,
>
> I found the information in Ivan Ristic's article here: http://www.net-security.org/article.php?id=1869&p=1 to be very informative. He has several suggestions on how to mitigate the attack. Hope you find it helpful.
>
> Aaron
|
From: <han...@xs...> - 2013-08-09 15:26:51
|
Brian,

thx for the comments. I'm interested too :-)
For now, as it's a hobby project for me, I'm trying to get a working mod_headers/mod_security setup to test it out ;-)

Cheers,

Hans

On 9-8-2013 15:54, Brian Rectanus wrote:
> Although, replying to myself here, adding x's to the header may still work OK, as you will not have to worry about the x's being compressed (negating the size fluctuation) when adjusting the payload size (providing SSL compression is disabled, which you should be doing to mitigate). I'd be interested to hear about your success with this (or lack thereof, heh).
>
> -B
>
> On Fri, Aug 9, 2013 at 6:28 AM, Brian Rectanus <bre...@gm...> wrote:
>> I believe the issue is HTTP compression, not that the attacker can see the payload. Compression is performed only on the body in HTTP and why matching guesses make the response smaller. That is, if your guess matches bytes in the body, then the compression ratio is higher (payload smaller) due to similar bytes of a correct guess.
>>
>> In addition, to make this work well, you need to inject arbitrary bytes, not just x's. You need some, but not all, of the random bytes to match the secret so that the compressed size fluctuates enough to render the attack much more difficult.
>>
>> It is an interesting idea. I'd suggest adding a much larger payload of random bytes that match the secret that you are trying to protect.
>>
>> Cheers,
>> -B
|
From: <han...@xs...> - 2013-08-09 19:39:08
|
Ok, think I'm almost there now but somehow I can't get the Lua handover to work, I have: Header set X-blabla "blablah" SecRuleEngine On #SecAction id:'007',exec:conf/breachheader.lua,setenv:randomstring=%{randomstring} SecAction id:'007',exec:conf/breachheader.lua,setenv:randomstring= Header set X-breach-protection "%{randomstring}e" and the lua source is: function main() randomstring=string.rep('a',math.random(80)) m.log(0,"1-breachheader.lua "..randomstring) m.setvar("randomstring",randomstring) m.log(0,"2-breachheader.lua"..randomstring) end The errorlog shows: [Fri Aug 09 21:09:44.303033 2013] [:error] [pid 2660:tid 996] [client ::1] ModSecurity: Warning. Unconditional match in SecAction. [file "C:/Users/klunderhjaa/Downloads/httpd-2.4.6-win32/Apache24/conf/extra/mod-security.conf"] [line "4"] [id "007"] [hostname "localhost"] [uri "/"] [unique_id "UgU@eMCosh0AAApkUXQAAAAp"] [Fri Aug 09 21:21:52.574687 2013] [:error] [pid 2660:tid 996] [client ::1] ModSecurity: 1-breachheader.lua aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [hostname "localhost"] [uri "/"] [unique_id "UgVBUMCosh0AAApkUXUAAAAp"] [Fri Aug 09 21:21:52.575687 2013] [:error] [pid 2660:tid 996] [client ::1] ModSecurity: Warning. Unconditional match in SecAction. [file "C:/Users/klunderhjaa/Downloads/httpd-2.4.6-win32/Apache24/conf/extra/mod-security.conf"] [line "4"] [id "007"] [hostname "localhost"] [uri "/"] [unique_id "UgVBUMCosh0AAApkUXUAAAAp"] [Fri Aug 09 21:21:53.893763 2013] [:error] [pid 2660:tid 996] [client ::1] ModSecurity: 1-breachheader.lua aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [hostname "localhost"] [uri "/"] [unique_id "UgVBUcCosh0AAApkUXYAAAAp"] so the random string is being generated, however the second logline is never reached ?!? 
The headers are generated: X-blabla: blablah X-breach-protection: 1 But as soon as I try to put the var into the setenv by doing: SecAction id:'007',exec:conf/breachheader.lua,setenv:randomstring=%{randomstring} #SecAction id:'007',exec:conf/breachheader.lua,setenv:randomstring= then the environment variable stays empty and the header is suppressed. Any help is much appreciated :-) Cheers, Hans Op 9-8-2013 17:26, han...@xs... schreef: > Brian, > > thx for the comments. I'm interested too :-) > For now, as its a hobby project for me, I'm trying to get a working > mod_headers/mod_security setup to test it out ;-) > > Cheers, > > Hans > > Op 9-8-2013 15:54, Brian Rectanus schreef: >> Although, replying to myself here, Adding x's to the header may still >> work ok as you will not have to worry about the x's being compressed >> (negating the size fluctuation) when adjusting the payload size >> (providing SSL compression is disabled, which you should be doing to >> mitigate). I'd be interested to hear about your success with this >> (or lack thereof, heh). >> >> -B >> >> >> On Fri, Aug 9, 2013 at 6:28 AM, Brian Rectanus <bre...@gm... >> <mailto:bre...@gm...>> wrote: >> >> I believe the issue is HTTP compression, not that the attacker >> can see the payload. Compression is performed only on the body >> in HTTP and why matching guesses make the response smaller. That >> is, if your guess matches bytes in the body, then the compression >> ratio is higher (payload smaller) due to similar bytes of a >> correct guess. >> >> In addition, to make this work well, you need to inject arbitrary >> bytes, not just x's. You need some, but not all the random bytes >> to match the secret so that the compressed size fluctuates enough >> to render the attack much more difficult. >> >> It is in interesting idea. I'd suggest adding a much larger >> payload of random bytes that match the secret that you are trying >> to protect. 
>> >> Cheers, >> -B >> >> >> >> On Fri, Aug 9, 2013 at 12:04 AM, han...@xs... >> <mailto:han...@xs...> <han...@xs... >> <mailto:han...@xs...>> wrote: >> >> Christian, >> >> I might be wrong, but if the MITM is able to separate the >> HTTP response >> body from the HTTP header then he has already broken the SSL >> tunnel. So >> why bother trying to guess the content then when the attacker >> can read >> it in plain text ? >> >> The way I read it, the attacker has access to another part of the >> browser (window, iframe) and is able to inject calls to the >> target site, >> but is not able to view the secured data. Therefore he also >> needs to be >> able to intercept the SSL payload and compare it to the >> spoofed payload. >> And since header and body travel together it should not >> matter whether >> the random bytes are added to header or body. >> >> But again I could be wrong ;-) >> >> Cheers, >> Hans >> ps. if the attacker is already in the middle and is able to >> instruct the >> browser, he can also instruct the browser to dowload a >> trojan, but thats >> a different topic ;-) >> >> >> >> >> Op 9-8-2013 8:32, Christian Folini schreef: >> > Hey Hans, >> > >> > On Fri, August 9, 2013 7:21 am, han...@xs... >> <mailto:han...@xs...> wrote: >> >> You are right that the header won't affect the content >> length of the body. >> >> However if I read the description of the attack >> >> (http://www.kb.cert.org/vuls/id/987798) then the man in >> the middle >> >> checks the size of the SSL payload, not the body content >> length. >> > That is not correct. >> > >> > The description notes: >> > "To recover a particular secret in an HTTPS response body, >> the attacker >> > guesses character by character, sending a pair of requests >> for each guess. >> > The correct guess will result in a smaller HTTPS response." >> > >> > But your initial idea is still valid. You just need to >> inject your random >> > content in the response body and among the headers. 
>> > >> > Ahoj, >> > >> > Christian >> > >> > >> > >> >> As the header is part of the SSL payload, varying the >> header would alter >> >> the SSL payload size and therefore blind the MITM :-) >> >> >> >> Cheers, >> >> >> >> Hans >> >> >> >> Op 7-8-2013 23:27, Josh Amishav-Zlatin schreef: >> >>> On Wed, Aug 7, 2013 at 11:02 PM, han...@xs... >> <mailto:han...@xs...> >> >>> <mailto:han...@xs... >> <mailto:han...@xs...>> <han...@xs... >> <mailto:han...@xs...> >> >>> <mailto:han...@xs... >> <mailto:han...@xs...>>> wrote: >> >>> >> >>> Josh, >> >>> >> >>> thanks for your answer. >> >>> >> >>> The number of x's should be random (say between 1 >> and 80) to >> >>> ensure that the response size differs (its an >> attempt to tackle >> >>> the BREACH SSL attack ;-)) >> >>> >> >>> >> >>> Hi Hans, >> >>> >> >>> I may be completely off but injecting a random header >> value does not >> >>> effect the content-length value. I think you need to >> inject a random >> >>> number of bytes to the response body. >> >>> >> >>> -- >> >>> - Josh >> >>> >> >>> >> >>> The setenv seems to be doable by exec-ing a lua >> script, but I was >> >>> wondering if there was a cleaner way. >> >>> >> >>> Cheers, >> >>> >> >>> Hans >> >>> >> >>> >> >>> >> >>> >> >>> Op 7-8-2013 21:38, Josh Amishav-Zlatin schreef: >> >>>> On Wed, Aug 7, 2013 at 7:30 PM, >> han...@xs... <mailto:han...@xs...> >> >>>> <mailto:han...@xs... >> <mailto:han...@xs...>> <han...@xs... >> <mailto:han...@xs...> >> >>>> <mailto:han...@xs... >> <mailto:han...@xs...>>> wrote: >> >>>> >> >>>> Hi, >> >>>> >> >>>> I'm rather new to mod_security >> >>>> >> >>>> I'd like to insert a variable sized header on >> responses >> >>>> >> >>>> e.g: >> >>>> X-padding: xxxx >> >>>> or >> >>>> X-padding: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> >>>> etc >> >>>> >> >>>> where the number of x-s randomly differs per >> response. >> >>>> >> >>>> Is this possible with a standard rule or would >> I need to >> >>>> define a custom >> >>>> function for this ? 
>> >>>> >> >>>> >> >>>> Hi Hans, >> >>>> >> >>>> How do you decide how many x's are appropriate for >> each response? >> >>>> Depending on the implementation, you could use a >> combination of >> >>>> the ModSecurity setenv action and a ModHeaders rule >> to inject the >> >>>> header. >> >>>> >> >>>> -- >> >>>> - Josh >> >>>> >> >>>> >> >>>> KR, >> >>>> Hans >> >>>> >> >>>> >> >>>> >> ------------------------------------------------------------------------------ >> >>>> Get 100% visibility into Java/.NET code with >> AppDynamics Lite! >> >>>> It's a free troubleshooting tool designed for >> production. >> >>>> Get down to code-level detail for bottlenecks, >> with <2% >> >>>> overhead. >> >>>> Download for free and get started >> troubleshooting in minutes. >> >>>> >> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk >> >>>> _______________________________________________ >> >>>> mod-security-users mailing list >> >>>> mod...@li... >> <mailto:mod...@li...> >> >>>> >> <mailto:mod...@li... >> <mailto:mod...@li...>> >> >>>> >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> >>>> Commercial ModSecurity Rules and Support from >> Trustwave's >> >>>> SpiderLabs: >> >>>> http://www.modsecurity.org/projects/commercial/rules/ >> >>>> http://www.modsecurity.org/projects/commercial/support/ >> >>>> >> >>>> >> >>>> >> >>>> >> >>>> >> ------------------------------------------------------------------------------ >> >>>> Get 100% visibility into Java/.NET code with >> AppDynamics Lite! >> >>>> It's a free troubleshooting tool designed for >> production. >> >>>> Get down to code-level detail for bottlenecks, with >> <2% overhead. >> >>>> Download for free and get started troubleshooting >> in minutes. >> >>>> >> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk >> >>>> >> >>>> >> >>>> _______________________________________________ >> >>>> mod-security-users mailing list >> >>>> mod...@li... 
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/ |
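The disagreement in the exchange above (Josh: a random header leaves the compressed body and its Content-Length untouched; Hans: the header is inside the TLS payload, so its length still varies what the observer sees) can be checked directly. The script below is an added example, not code from the thread or from ModSecurity. It builds a constructed page that reflects attacker input next to a made-up CSRF token, compresses it with zlib's deflate as a stand-in for Content-Encoding: gzip, serialises the response with or without the 1..80-byte X-padding header Hans proposed, and measures the plaintext length that enters TLS (TLS framing adds a fixed per-record overhead, so length differences carry through unchanged). It then plays the attacker: a single padded response is ambiguous, but averaging over a few hundred responses removes the uniform padding and the compression signal that BREACH relies on reappears. Random-length padding raises the request count an attacker needs; it does not close the side channel.

```python
import random
import zlib
from typing import List, Optional

# Constructed sample page for the BREACH setting from the thread: a response
# that reflects attacker-controlled input (the search string) and also carries
# a secret (a CSRF token) in the same compressed body. Token and text are
# made up for this example.
SECRET = "csrf=7f3a9c2e81b4d6f0a3c5"
FILLER = ("This constructed page has some ordinary text around the reflected "
          "search string so that the compressed body is a realistic size.")

PAD_MIN, PAD_MAX = 1, 80   # the 1..80 x's proposed in the thread


def build_body(reflected: str) -> bytes:
    """Page body with the reflected input placed before the secret token."""
    return (f"<html><body><p>{FILLER}</p><p>You searched for: {reflected}</p>"
            f"<input type=hidden name=token value='{SECRET}'></body></html>").encode()


def compressed_body(reflected: str) -> bytes:
    # zlib/deflate stands in for gzip; the length behaviour is the same.
    return zlib.compress(build_body(reflected), 6)


def compressed_body_len(reflected: str) -> int:
    return len(compressed_body(reflected))


def padding_header(rng: random.Random) -> bytes:
    """The X-padding header from the thread with a random number of x's."""
    return b"X-padding: " + b"x" * rng.randint(PAD_MIN, PAD_MAX) + b"\r\n"


def response_bytes(reflected: str, rng: Optional[random.Random]) -> bytes:
    """Serialised response as it enters TLS: status line, headers, compressed body.

    Pass rng=None for an unpadded response. Differences in this length are
    exactly the differences a passive observer sees in TLS record sizes.
    """
    body = compressed_body(reflected)
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: deflate\r\nContent-Length: %d\r\n" % len(body))
    if rng is not None:
        head += padding_header(rng)
    return head + b"\r\n" + body


def body_part(resp: bytes) -> bytes:
    return resp.split(b"\r\n\r\n", 1)[1]


def padding_leaves_body_unchanged(reflected: str, seed: int) -> bool:
    """Josh's point: the padding header never touches the compressed body."""
    padded = response_bytes(reflected, random.Random(seed))
    return body_part(padded) == body_part(response_bytes(reflected, None))


def mean_padded_len(reflected: str, samples: int, seed: int) -> float:
    """Average on-the-wire length over many padded responses for one guess."""
    rng = random.Random(seed)
    return sum(len(response_bytes(reflected, rng)) for _ in range(samples)) / samples


def pick_best_guess(candidates: List[str], samples: int, seed: int) -> str:
    """Attacker side: the guess whose responses are shortest on average.

    Each candidate gets its own padding stream (seed + index), as it would
    against a live server. Uniform padding of 1..80 bytes makes one response
    uninformative, but it averages out over a few hundred requests, so the
    better-compressing (correct) guess is still the shortest on average.
    """
    return min(range(len(candidates)),
               key=lambda i: mean_padded_len(candidates[i], samples, seed + i)) \
        .__index__() and candidates[min(range(len(candidates)),
               key=lambda i: mean_padded_len(candidates[i], samples, seed + i))] \
        or candidates[0]


if __name__ == "__main__":
    right = SECRET[:16]              # attacker's correct guess of a token prefix
    wrong = "csrf=qkwmzpvjgty"       # a wrong guess of the same length
    print("body bytes  right/wrong:", compressed_body_len(right), compressed_body_len(wrong))
    print("unpadded    right/wrong:", len(response_bytes(right, None)), len(response_bytes(wrong, None)))
    print("padded mean right/wrong:", mean_padded_len(right, 1000, 1), mean_padded_len(wrong, 1000, 1))
    print("attacker picks:", pick_best_guess([wrong, right], 1000, 7))
```

The `mean_padded_len` comparison uses the same seed for both guesses so the padding cancels exactly and only the body difference remains; `pick_best_guess` uses separate padding streams per candidate, which is the realistic case and is where the sample count matters. Padding the body by a random amount behaves the same way: it is the averaging, not the location of the padding, that matters, which is why the BREACH authors describe length hiding as a mitigation that slows the attack rather than prevents it.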