This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP ModSecurity Securing WebGoat Section4 Sublesson 01.2"

Revision as of 03:14, 20 October 2008

1. General -> 1.2 HTTP Splitting

Lesson overview

Refer to the zip file with the WebGoat lesson solution. See Appendix A for more information.

Lesson solution

Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.

Strategy

The solution is to keep carriage returns and line feeds from passing through to the application, since the lesson works by getting them echoed into a response header. The ModSecurity Core Rule Set file 'modsecurity_crs_40_generic_attacks.conf' already contains rules for HTTP response splitting, so those were reused. Note the transformations urlDecodeUni and htmlEntityDecode in the second rule: the payload arrives percent-encoded (or entity-encoded), so the pattern has to be applied to the decoded value rather than the raw one, otherwise an encoded "HTTP/1.1" or "<html>" never matches.

Implementation

The lesson is mitigated by the ruleset 'rulefile_01_general_http-splitting.conf':

# The first rule is not necessary to solve the WebGoat lesson; it catches
# percent-encoded CR/LF in the raw request line and headers.
SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
    "t:lowercase,capture,log,auditlog,deny,severity:3, \
    msg:'HTTP Response Splitting Attack via URI/Header',logdata:'%{TX.0}', \
    tag:'HTTP_SPLITTING',redirect:/_error_pages_/lesson01a.html"

# The second rule decodes the arguments before matching, so that encoded
# status lines and HTML tags smuggled into a parameter are still seen.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* \
    "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
    "t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,capture,log,auditlog,deny, \
    severity:3,msg:'HTTP Response Splitting Attack via args/file name', \
    logdata:'%{TX.0}',tag:'HTTP_SPLITTING',redirect:/_error_pages_/lesson01b.html"
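As an added example (not code from this page, from ModSecurity or from the Core Rule Set), the following Python script models the two rules above: it reproduces each rule's variable selection and transformation chain, then runs constructed WebGoat-style requests through them with and without the decoders, so that the effect of urlDecodeUni and htmlEntityDecode is visible. The two decoders are approximations of the ModSecurity transformations, and the request lines, header values and payloads are made up for the demo.

```python
# Added example, not code from the OWASP page or from the ModSecurity
# project: a small Python model of the two rules above, used to show what
# rule 2's t:urlDecodeUni and t:htmlEntityDecode transformations add.
# The decoders are approximations of the ModSecurity transformations, and
# every request below is constructed for the demo.
import html
import re
from typing import Optional
from urllib.parse import unquote_plus

# Regular expressions copied from the two rules.
RULE1_RE = re.compile(r"%0[ad]")                                   # encoded CR / LF
RULE2_RE = re.compile(r"(?:\bhttp/(?:0\.9|1\.[01])|<(?:html|meta)\b)")


def url_decode_uni(s: str) -> str:
    """Approximation of t:urlDecodeUni: %XX, '+' and IIS-style %uXXXX in one
    pass.  As documented for ModSecurity, full-width codes FF01-FF5E fold to
    ASCII and any other %uXXXX keeps only its low byte."""
    def repl(m):
        tok = m.group(0)
        if tok == "+":
            return " "
        if tok[1] in "uU":
            code = int(tok[2:], 16)
            return chr(code - 0xFEE0) if 0xFF01 <= code <= 0xFF5E else chr(code & 0xFF)
        return chr(int(tok[1:], 16))
    return re.sub(r"%(?:[uU][0-9a-fA-F]{4}|[0-9a-fA-F]{2})|\+", repl, s)


def parse_args(query: str) -> dict:
    """ModSecurity fills ARGS from the query string and form body after one
    round of URL decoding; model that with one unquote_plus per name/value."""
    args = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            args[unquote_plus(name)] = unquote_plus(value)
    return args


def rule1(uri: str, headers: dict) -> Optional[str]:
    """Rule 1: REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES with
    t:lowercase only.  Returns the fragment TX.0 would capture, or None."""
    for target in (uri, *headers.values(), *headers.keys()):
        m = RULE1_RE.search(target.lower())
        if m:
            return m.group(0)
    return None


def rule2(filename: str, args: dict, decode: bool = True) -> Optional[str]:
    """Rule 2: REQUEST_FILENAME|ARGS|ARGS_NAMES.  decode=True runs the rule's
    t:urlDecodeUni,t:htmlEntityDecode,t:lowercase chain (html.unescape stands
    in for htmlEntityDecode); decode=False keeps only t:lowercase, to show
    what the two decoders contribute."""
    for target in (filename, *args.values(), *args.keys()):
        if decode:
            target = html.unescape(url_decode_uni(target))
        m = RULE2_RE.search(target.lower())
        if m:
            return m.group(0)
    return None


def inspect(uri: str, headers: dict, body: str = "", decode: bool = True) -> Optional[str]:
    """Run both rules, in order, over one request; the first match wins."""
    filename, _, query = uri.partition("?")
    args = {**parse_args(query), **parse_args(body)}
    return rule1(uri, headers) or rule2(filename, args, decode)


HEADERS = {"Host": "localhost:8080", "User-Agent": "demo"}   # constructed

# Constructed (uri, body) pairs; none is taken from the WebGoat lesson files.
BENIGN = ("/WebGoat/attack?Screen=11&menu=100", "language=english")
# CRLF percent-encoded once in the query string: rule 1 sees it in REQUEST_URI.
CRLF_IN_URI = ("/WebGoat/attack?language=foo%0d%0aSet-Cookie:+x%3D1", "")
# Splitting payload double-encoded in a POST body: the engine's single decode
# leaves %0d%0a, %20 and %3Chtml%3E behind for t:urlDecodeUni to undo.
DOUBLE_ENCODED = (
    "/WebGoat/attack",
    "language=foobar%250d%250aContent-Length%3A%25200%250d%250a%250d%250a"
    "HTTP%2F1.1%2520200%2520OK%250d%250aContent-Type%3A%2520text%2Fhtml"
    "%250d%250a%250d%250a%253Chtml%253EHacked%253C%2Fhtml%253E",
)
# Numeric character references hide the tag until t:htmlEntityDecode runs.
ENTITY_ENCODED = ("/WebGoat/attack", "language=foo%26%2360%3Bhtml%26%2362%3Bpwned")
# IIS-style %u000d is not matched by rule 1's %0[ad]; only urlDecodeUni sees the CR.
UNICODE_ENCODED = ("/WebGoat/attack", "language=foo%25u000dHTTP%2F1.1%2520200")

if __name__ == "__main__":
    for name, (uri, body) in [("benign", BENIGN), ("crlf in uri", CRLF_IN_URI),
                              ("double encoded", DOUBLE_ENCODED),
                              ("entity encoded", ENTITY_ENCODED),
                              ("%u encoded", UNICODE_ENCODED)]:
        print(f"{name:15} decoders: {inspect(uri, HEADERS, body)!r:12} "
              f"lowercase only: {inspect(uri, HEADERS, body, decode=False)!r}")
```

Rule 1 fires on the once-encoded CRLF in the query string, but the double-encoded, entity-encoded and %u-encoded bodies reach rule 2 looking harmless; only after decoding do "http/1.1" and "<html" appear for the pattern to match, which is why the second rule cannot rely on t:lowercase alone.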