OWASP ModSecurity Securing WebGoat Section4 Sublesson 02.2
Latest revision as of 07:47, 21 October 2008
2. Access Control Flaws -> 2.2 Bypass a Path Based Access Control Scheme
Lesson overview
The WebGoat lesson overview is included with the WebGoat lesson solution.
Lesson solution
Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.
Strategy
This WebGoat lesson demonstrates an access control bypass: the user picks a file from a dropdown list and submits the form, but the request is intercepted in a web proxy and the 'File' parameter is replaced with '../../../conf/tomcat-users.xml'. The application serves the file relative to its own directory without checking the path, so the response discloses the Tomcat user names, roles and passwords.
The solution to this WebGoat lesson is to prevent directory traversal, i.e. to reject any 'File' value that contains '../' (or '..\') before the application resolves it as a path.
Implementation
The lesson is mitigated in the ruleset 'rulefile_02_access-control-flaws.conf':
    # Lesson 2.2; directory traversal in 'File' parameter of POST request
    SecRule &ARGS:File "!@eq 0" "chain,log,auditlog,deny,msg:'Path Traversal Attack', \
        tag:'PATH_TRAVERSAL',redirect:/_error_pages_/lesson02-2.html"
        SecRule ARGS:File "\.\.[/\x5c]" "t:urlDecodeUni"

The two rules are chained. The first fires only when the request carries at least one 'File' argument (&ARGS:File counts them); the second applies the urlDecodeUni transformation to each 'File' value and looks for '..' followed by '/' or '\' (\x5c). Because the engine has already URL-decoded the arguments once, the extra decode pass also catches double-encoded ('..%252F') and IIS-style '%u002f' forms. On a match the request is logged, written to the audit log, tagged PATH_TRAVERSAL and blocked with a redirect to the lesson's error page. Note that the rule inspects only the 'File' argument; a traversal attempt in any other parameter is not examined by it.
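As an added worked example, not code from this page or from the OWASP ModSecurity WebGoat project, the Python script below emulates what the chained rule does to the POST bodies described in the Strategy section: it reproduces the engine's first URL-decode of the arguments, applies a urlDecodeUni pass, and tests the 'File' values against the rule's regular expression. Since the rule is a virtual patch in front of the application, the script also shows the application-side check that actually prevents the traversal: canonicalising the requested name and refusing anything that resolves outside the directory the lesson serves files from. The url_decode_uni function is a simplified stand-in for ModSecurity's transformation, and BASE_DIR, the sample request bodies and the function names are assumptions made for the example.

```python
import posixpath
import re
import urllib.parse
from typing import List, Optional

# Pattern from the rule's chained SecRule: ".." followed by "/" or "\" (\x5c).
TRAVERSAL_RE = re.compile(r"\.\.[/\x5c]")

_HEX = set("0123456789abcdefABCDEF")


def url_decode_uni(value: str) -> str:
    """Simplified stand-in for ModSecurity's t:urlDecodeUni (an assumption, not
    the engine's code): decodes %xx, IIS-style %uXXXX (low byte only) and '+'."""
    out: List[str] = []
    i, n = 0, len(value)
    while i < n:
        c = value[i]
        if c == "%":
            if i + 5 < n and value[i + 1] in "uU" and all(h in _HEX for h in value[i + 2:i + 6]):
                out.append(chr(int(value[i + 4:i + 6], 16)))
                i += 6
                continue
            if i + 2 < n and all(h in _HEX for h in value[i + 1:i + 3]):
                out.append(chr(int(value[i + 1:i + 3], 16)))
                i += 3
                continue
        out.append(" " if c == "+" else c)
        i += 1
    return "".join(out)


def rule_matches(post_body: str) -> bool:
    r"""Emulate the chained rule against a urlencoded POST body.

    SecRule &ARGS:File "!@eq 0"                       -> at least one 'File' argument
    SecRule ARGS:File "\.\.[/\x5c]" "t:urlDecodeUni"  -> after one more decode pass a
                                                         value contains '..' + '/' or '\'
    """
    # The engine hands rules argument values that are already URL-decoded once,
    # which parse_qs reproduces; urlDecodeUni then strips a second layer.
    args = urllib.parse.parse_qs(post_body, keep_blank_values=True)
    # Only the 'File' argument is inspected (name compared case-insensitively here).
    files = [v for k, vs in args.items() if k.lower() == "file" for v in vs]
    if len(files) == 0:  # &ARGS:File is 0: the chain stops at the first rule
        return False
    return any(TRAVERSAL_RE.search(url_decode_uni(v)) for v in files)


# Assumption: the directory the lesson serves its dropdown files from.
BASE_DIR = "/var/webgoat/lesson_files"


def safe_resolve(base_dir: str, user_file: str) -> Optional[str]:
    """Application-side fix (added here, not WebGoat's own code): decode and
    canonicalise the requested name, then refuse anything outside base_dir.
    Returns the resolved path, or None when the request must be rejected."""
    decoded = url_decode_uni(user_file)
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    if not candidate.startswith(base_dir + "/"):
        return None
    return candidate


# Constructed sample POST bodies for the lesson's form (not captured traffic).
SAMPLE_BODIES = {
    "legit":       "File=BackDoors.html",
    "plain":       "File=../../../conf/tomcat-users.xml",
    "encoded":     "File=..%2F..%2F..%2Fconf%2Ftomcat-users.xml",
    "double":      "File=..%252F..%252F..%252Fconf%252Ftomcat-users.xml",
    "iis_unicode": "File=..%u002f..%u002f..%u002fconf%u002ftomcat-users.xml",
    "backslash":   "File=..%5C..%5Cconf%5Ctomcat-users.xml",
    "other_param": "Other=../../../conf/tomcat-users.xml",  # rule only looks at File
}


def classify_all() -> dict:
    """Run the emulated rule over every sample; True means the rule would fire."""
    return {name: rule_matches(body) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, fired in classify_all().items():
        print(f"{name:12s} -> {'BLOCKED' if fired else 'allowed'}")
    print(safe_resolve(BASE_DIR, "BackDoors.html"))
    print(safe_resolve(BASE_DIR, "../../../conf/tomcat-users.xml"))
```

The 'other_param' sample is the caveat to keep in mind when reusing the rule: it protects exactly one parameter name, so a form that takes file names in a second field needs its own rule or the application-side check shown in safe_resolve.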