This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP ModSecurity Securing WebGoat Section4 Sublesson 01.2"
From OWASP
(→Implementation) |
(→Strategy) |
||
| Line 9: | Line 9: | ||
=== Strategy === | === Strategy === | ||
| − | The solution is to prevent carriage returns and line feeds from passing through. ModSecurity ruleset 'modsecurity_crs_40_generic_attacks.conf' already has some rules for an HTTP response splitting attack so they were used. In the second rule, note the transformations | + | The solution is to prevent carriage returns and line feeds from passing through. ModSecurity ruleset 'modsecurity_crs_40_generic_attacks.conf' already has some rules for an HTTP response splitting attack so they were used. In the second rule, note the transformations <font face="Courier New">urlDecodeUni</font> and <font face="Courier New">htmlEntityDecode</font>. |
=== Implementation === | === Implementation === | ||
Revision as of 11:05, 24 July 2008
Lesson overview
See [relative path].
Lesson solution
See [relative path].
Strategy
The solution is to prevent carriage returns and line feeds from passing through. ModSecurity ruleset 'modsecurity_crs_40_generic_attacks.conf' already has some rules for an HTTP response splitting attack so they were used. In the second rule, note the transformations urlDecodeUni and htmlEntityDecode.
Implementation
The lesson is mitigated by the ruleset 'rulefile_01_general_http-splitting.conf':
# The first rule is not necessary to solve the WebGoat lesson
SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
"t:lowercase,capture,log,auditlog,deny,severity:3, \
msg:'HTTP Response Splitting Attack via URI/Header',logdata:'%{TX.0}', \
tag:'HTTP_SPLITTING',redirect:/_error_pages_/lesson01a.html"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* \
"(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
"t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,capture,log,auditlog,deny, \
severity:3,msg:'HTTP Response Splitting Attack via args/file name', \
logdata:'%{TX.0}',tag:'HTTP_SPLITTING',redirect:/_error_pages_/lesson01b.html"
