On Tuesday 23 March 2010 11:16:03 Chris Datfung wrote:
> I'm trying to implement CSRF protection in an app based on Ryan's example
> from the WAF Patching Challenge Whitepaper. My app uses a dynamic session
> token name where only the first four characters (SESS) are static. An
> example cookie name is:
>
> SESSbe7bfb0d134fa57e567359f4e62cf41d
>
> The problem I have is how to implement this rule:
>
> SecRule &ARGS "@ge 1" "chain,phase:2,t:none,deny,log,msg:'CSRF Attack
> Detected - Invalid Token.'"
> SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{request_cookies.jsessionid}"
>
> How do I compare MODSEC_CSRF_TOKEN to a cookie name where I only know
> the first four characters? I tried:
>
> SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{request_cookies./^SESS/}"
>
> but that obviously didn't work. Any ideas how I can do this?
>
> Thanks
> Chris
How appropriate as I was getting ready to send out some announcements soon that we will be
migrating some of the commercial Enhanced Rule Set (ERS) items to the CRS and CSRF
protection rules are one of them :)
Once I add these rules to the CRS, I will send a note to the OWASP CRS mail-list with
usage info.
-Ryan
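One way to handle the dynamic cookie name with stock ModSecurity 2.x features, added here as an illustration and not taken from the thread, the whitepaper, or the CRS rules Ryan mentions: a first rule selects the cookie by a regex on its name (`REQUEST_COOKIES:/^SESS/`), copies its value into a transaction variable via `MATCHED_VAR`, and the original CSRF chain then compares the submitted token against that variable instead of a fixed cookie name. The cookie name prefix `SESS`, the parameter name `MODSEC_CSRF_TOKEN`, the variable name `tx.csrf_expected` and the rule ids (`900100`-`900102`) are assumptions chosen for this example.

```apache
# Added example, not from the original thread. Assumes the session cookie name
# starts with "SESS" and the form carries the token in MODSEC_CSRF_TOKEN.

# 1) Capture the value of whichever cookie has a name beginning with "SESS".
#    MATCHED_VAR holds the value of the variable that matched the regex,
#    so tx.csrf_expected ends up holding the session token.
SecRule REQUEST_COOKIES:/^SESS/ "@rx ^.+$" \
    "phase:2,id:900100,t:none,pass,nolog,setvar:tx.csrf_expected=%{MATCHED_VAR}"

# 2) If the request has parameters but no SESS* cookie was seen, there is
#    nothing to compare against, so refuse rather than let an empty token
#    through (an empty MODSEC_CSRF_TOKEN would otherwise @streq an unset var).
SecRule &ARGS "@ge 1" \
    "chain,phase:2,id:900101,t:none,deny,log,msg:'CSRF check: no session cookie present.'"
    SecRule &TX:csrf_expected "@eq 0"

# 3) The chain from the whitepaper, with the fixed cookie reference replaced
#    by the captured transaction variable.
SecRule &ARGS "@ge 1" \
    "chain,phase:2,id:900102,t:none,deny,log,msg:'CSRF Attack Detected - Invalid Token.'"
    SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{tx.csrf_expected}"
```

Rule ordering matters: the capture rule must run before the comparison in the same phase, and all three stay in phase 2 so request body arguments are available. If several cookies begin with `SESS`, `MATCHED_VAR` keeps the last one matched, so the prefix should be specific enough to select only the session cookie.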