Thread: [mod-security-users] tracking user sessions
From: Roger M. <rog...@gm...> - 2009-02-18 08:30:22
I want to use mod-security to verify that certain business logic has been applied on my app, meaning I want to verify that a user has requested script A.php then B.php before requesting C.php? Also in a feeble attempt to verify that the requests are not automated, is it possible to verify that X seconds passed between each request? Can someone point me to rule examples that implement either of these?

Thanks

- Roger
From: Christian B. <ch...@jw...> - 2009-02-18 10:38:34
Hi Roger,

I did some research/implementation on stuff like this a while ago. Basically you can of course combine all the things which have been mentioned earlier on the list to get it right. Given that you use sessions within your application, you can set a mark within the session after a client has called some URL A.php (the following has not been tested, but is similar to a setup I used before):

# Note: the SESSION:* variables below are only available once the session
# collection has been initialised with setsid (e.g. from the application's
# session cookie) in an earlier rule.

<LocationMatch "^/A.php$">
    #
    # ok, after A.php has been visited, we set a mark in the session and
    # create another variable which blocks access to B.php that will expire after
    # 10 seconds...
    #
    SecAction "phase:2,pass,setvar:session.Arequested=1,expirevar:session.Arequested=3600"
    SecAction "phase:2,pass,setvar:session.BtimeBlock=1,expirevar:session.BtimeBlock=10"
</LocationMatch>

<LocationMatch "^/B.php$">
    #
    # If someone requests B.php we first check if he already visited A.php before. This rule will
    # reject the request if B.php has not been visited in this session
    #
    SecRule &SESSION:Arequested "@eq 0" "phase:2,deny,status:500,msg:'B.php accessed without A.php requested before!',auditlog"
    #
    # If we reach here, we can be sure that the caller has requested A.php before. If the
    # BtimeBlock variable is still present in the session collection we know that the caller
    # has accessed A.php no more than 10 seconds ago...
    #
    SecRule &SESSION:BtimeBlock "@gt 0" "phase:2,deny,status:500,msg:'B.php accessed after A.php within < 11 seconds!',auditlog"
    #
    # Now we prepare for handling C.php, which follows in the same manner...
    #
    SecAction "phase:2,pass,setvar:session.Brequested=1,expirevar:session.Brequested=3600"
    SecAction "phase:2,pass,setvar:session.BCtimeBlock=1,expirevar:session.BCtimeBlock=10"
</LocationMatch>

<LocationMatch "^/C.php$">
    SecRule &SESSION:Brequested "@eq 0" "phase:2,deny,status:500,msg:'C.php visited without B.php requested before!',auditlog"
    ...
</LocationMatch>

I did implement something like this for use in an abstract XML manner (providing an editor for specifying dependencies in XML). Just let me know if this might be interesting for you...

Regards,
Chris
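A small model of the session-collection semantics the rules above depend on, added here as an illustration and not part of Christian's post: it replays a constructed request trace through the A -> B -> C policy with the same setvar/expirevar values, and assumes the truncated C.php block ends with a BCtimeBlock check mirroring the B.php one. Expiry is modelled the way ModSecurity treats it: a variable whose expiry time has passed counts as absent, so &SESSION:name evaluates to 0.

```python
class SessionCollection:
    """Model of ModSecurity's SESSION collection (added illustration)."""
    def __init__(self):
        self._vars = {}  # name -> (value, expires_at or None)
    def setvar(self, name, value):
        self._vars[name] = (value, None)
    def expirevar(self, name, ttl, now):
        if name in self._vars:
            self._vars[name] = (self._vars[name][0], now + ttl)
    def count(self, name, now):
        """&SESSION:name -- 1 if present and unexpired, else 0."""
        entry = self._vars.get(name)
        if entry is None:
            return 0
        expires_at = entry[1]
        if expires_at is not None and now >= expires_at:
            del self._vars[name]  # expired entries are dropped on retrieval
            return 0
        return 1

def mark(session, name, ttl, now):
    """Equivalent of setvar:session.NAME=1,expirevar:session.NAME=TTL."""
    session.setvar(name, 1)
    session.expirevar(name, ttl, now)

def evaluate(session, path, now):
    """Apply the A -> B -> C policy to one request; return 'allow' or a deny reason."""
    if path == "/A.php":
        mark(session, "Arequested", 3600, now)
        mark(session, "BtimeBlock", 10, now)
    elif path == "/B.php":
        if session.count("Arequested", now) == 0:
            return "deny: B.php accessed without A.php requested before"
        if session.count("BtimeBlock", now) > 0:
            return "deny: B.php accessed after A.php within < 11 seconds"
        mark(session, "Brequested", 3600, now)
        mark(session, "BCtimeBlock", 10, now)
    elif path == "/C.php":
        if session.count("Brequested", now) == 0:
            return "deny: C.php visited without B.php requested before"
        if session.count("BCtimeBlock", now) > 0:  # assumed; mirrors the B.php block
            return "deny: C.php accessed after B.php within < 11 seconds"
    return "allow"

def replay(requests):
    """Evaluate a constructed trace [(seconds, path), ...] for a single session."""
    session = SessionCollection()
    return [evaluate(session, path, t) for t, path in requests]
```

The trace timestamps are per-session request times in seconds; the 3600-second marks also show that a client who waits longer than an hour after A.php is treated as if A.php had never been requested.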