Difference between revisions of "OWASP ModSecurity Securing WebGoat Section4 Sublesson 02.4"
Previous revision (from line 1):
  2. Access Control Flaws

  2.4 Remote Admin Access

  === Lesson overview ===
  === Lesson solution ===
  See
  === Strategy ===

This revision (from line 1):
  2. Access Control Flaws -> 2.4 Remote Admin Access
  === Lesson overview ===
  The WebGoat lesson overview is included with the WebGoat lesson solution.
  === Lesson solution ===
  Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.
  === Strategy ===
Revision as of 07:44, 21 October 2008
2. Access Control Flaws -> 2.4 Remote Admin Access
Lesson overview
The WebGoat lesson overview is included with the WebGoat lesson solution.
Lesson solution
Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.
Strategy
The solution is to block any request that carries an 'admin=true' parameter, so the application never sees the remote admin flag set. The rule comment talks about the query string, but the ARGS collection it inspects is ARGS_GET plus ARGS_POST, so a form-encoded POST body carrying admin=true is blocked as well; cookies and headers are not covered by ARGS.
Implementation
The lesson is mitigated in the ruleset 'rulefile_02_access-control-flaws.conf'. The rule is a two-rule chain: the first rule fires when at least one argument named 'admin' is present (&ARGS:admin counts the occurrences), and the chained second rule then checks whether the lowercased value matches 'true'. As required for chains, the disruptive action and the metadata (msg, tag) sit on the first rule; the chained rule carries only its transformation.
# Lesson 2.4: Remote Admin Access; don't allow 'admin=true' in the querystring
# (ARGS covers query-string and form-encoded body parameters alike)
SecRule &ARGS:admin "!@eq 0" "chain,log,auditlog,deny,\
msg:'Admin Function Attack',tag:'ADMIN_FUNCTION', \
redirect:/_error_pages_/lesson02-4.html"
# Chained rule: default @rx operator, unanchored, applied after t:lowercase
SecRule ARGS:admin "true" "t:lowercase"
Two points to check before reusing this rule. First, 'deny' and 'redirect' are both disruptive actions, and ModSecurity accepts only one disruptive action per rule; the intended behaviour here is the redirect to the lesson error page, so 'deny' is redundant and should be dropped. Second, the chained operator is the default regular-expression match and the pattern 'true' is not anchored, so any value containing that substring (admin=untrue, admin=TRUE) triggers it, while a differently spelled flag value (admin=1) does not.
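To make the chain's behaviour concrete without a running Apache/ModSecurity instance, the following added example (written for this page; it is neither ModSecurity code nor part of the WebGoat or OWASP rulesets) models the two rules above in Python and runs them over constructed requests. It assumes a simplified ARGS collection built from the query string and a form-encoded body only, with exact parameter-name comparison; the redirect target, the regex and the lowercasing are taken from the rule as printed.

```python
"""Model of the chained ModSecurity rule for WebGoat lesson 2.4.

Added illustration, not ModSecurity code: it reproduces the logic of the
two-rule chain (count of 'admin' arguments, then a lowercased, unanchored
match on 'true') over constructed requests so the edge cases can be seen.
"""
import re
from urllib.parse import parse_qsl

REDIRECT_TARGET = "/_error_pages_/lesson02-4.html"   # taken from the page's rule

# Chained rule: 'true' with the default @rx operator, i.e. an unanchored regex
ADMIN_TRUE = re.compile(r"true")

FORM = "application/x-www-form-urlencoded"


def collect_args(query_string, body="", content_type=""):
    """Approximation of ModSecurity's ARGS collection (ARGS_GET + ARGS_POST):
    query-string parameters plus form-encoded request-body parameters.
    Cookies and headers are deliberately not included, as with ARGS.
    Parameter names are compared exactly (simplifying assumption)."""
    args = list(parse_qsl(query_string, keep_blank_values=True))
    if content_type.startswith(FORM):
        args += parse_qsl(body, keep_blank_values=True)
    return args


def lesson_2_4_matches(query_string, body="", content_type=""):
    """Evaluate the chain. Returns the redirect target when the rule would
    fire, None when the request would be passed through."""
    args = collect_args(query_string, body, content_type)

    # Rule 1: SecRule &ARGS:admin "!@eq 0"  -> at least one 'admin' argument
    admin_values = [value for name, value in args if name == "admin"]
    if len(admin_values) == 0:
        return None

    # Rule 2 (chained): SecRule ARGS:admin "true" "t:lowercase"
    # Any 'admin' value that, once lowercased, contains 'true' completes the chain.
    if any(ADMIN_TRUE.search(value.lower()) for value in admin_values):
        return REDIRECT_TARGET
    return None


# Constructed sample requests: (label, query string, body, content type)
SAMPLES = [
    ("plain query",          "admin=true",          "",           ""),
    ("mixed case",           "user=bob&admin=TRUE", "",           ""),
    ("admin=false",          "admin=false",         "",           ""),
    ("no admin param",       "user=bob",            "",           ""),
    ("POST body",            "",                    "admin=true", FORM),
    ("unanchored regex",     "admin=untrue",        "",           ""),
    ("admin=1 (not caught)", "admin=1",             "",           ""),
]


def evaluate_samples():
    """Run every sample through the model; returns {label: redirect-or-None}."""
    return {label: lesson_2_4_matches(q, b, ct) for label, q, b, ct in SAMPLES}


if __name__ == "__main__":
    for label, result in evaluate_samples().items():
        print(f"{label:22s} -> {'REDIRECT ' + result if result else 'pass'}")
```

The last three samples are the ones worth looking at: the POST-body case shows that ARGS is not limited to the query string the rule comment mentions, 'untrue' is caught because the chained pattern is an unanchored regex, and 'admin=1' passes because the rule only knows the literal token 'true'. The model is only as faithful as its assumptions; the real test is still a request against the ModSecurity instance.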