Difference between revisions of "OWASP ModSecurity Securing WebGoat Section4 Sublesson 02.2"
(added content) |
| (One intermediate revision by the same user not shown) | |||
| Line 3: | Line 3: | ||
=== Lesson overview === | === Lesson overview === | ||
| − | + | The WebGoat lesson overview is included with the WebGoat lesson solution. | |
=== Lesson solution === | === Lesson solution === | ||
| Line 20: | Line 20: | ||
<pre> | <pre> | ||
# Lesson 2.2; directory traversal in 'File' parameter of POST request | # Lesson 2.2; directory traversal in 'File' parameter of POST request | ||
| − | SecRule &ARGS:File "!@eq 0" "chain,log,auditlog,deny,msg:'Path Traversal Attack',tag:'PATH_TRAVERSAL',redirect:/_error_pages_/lesson02-2.html" | + | SecRule &ARGS:File "!@eq 0" "chain,log,auditlog,deny,msg:'Path Traversal Attack', \ |
| + | tag:'PATH_TRAVERSAL',redirect:/_error_pages_/lesson02-2.html" | ||
SecRule ARGS:File "\.\.[/\x5c]" "t:urlDecodeUni" | SecRule ARGS:File "\.\.[/\x5c]" "t:urlDecodeUni" | ||
</pre> | </pre> | ||
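Review bot: the chain starter `SecRule &ARGS:File "!@eq 0"` is redundant; a rule whose target is `ARGS:File` is only evaluated when that parameter is present, so the second rule alone, with `log,auditlog,deny,msg:'Path Traversal Attack',tag:'PATH_TRAVERSAL',redirect:/_error_pages_/lesson02-2.html` moved onto it, enforces the same check in one rule and avoids the split-line continuation entirely. If the chain is kept, the trailing backslash after `msg:'Path Traversal Attack', \` is valid Apache/ModSecurity line continuation and the whitespace before `tag:` on the continuation line is tolerated by the action parser.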
Latest revision as of 07:47, 21 October 2008
2. Access Control Flaws -> 2.2 Bypass a Path Based Access Control Scheme
Lesson overview
The WebGoat lesson overview is included with the WebGoat lesson solution.
Lesson solution
Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.
Strategy
This WebGoat lesson demonstrates an access control bypass: the user chooses a file from a dropdown list and submits it, but the request is intercepted in the web proxy and the file name is substituted with '../../../conf/tomcat-users.xml', which reveals the Tomcat users and their passwords.
The solution to this WebGoat lesson is to prevent directory traversal.
Implementation
The lesson is mitigated in the ruleset 'rulefile_02_access-control-flaws.conf':
<pre>
# Lesson 2.2; directory traversal in 'File' parameter of POST request
SecRule &ARGS:File "!@eq 0" "chain,log,auditlog,deny,msg:'Path Traversal Attack', \
tag:'PATH_TRAVERSAL',redirect:/_error_pages_/lesson02-2.html"
SecRule ARGS:File "\.\.[/\x5c]" "t:urlDecodeUni"
</pre>
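To see what the chained rule decides for a given request, here is an added Python emulation (not part of the OWASP page or the WebGoat ruleset): it applies the page's regex after an approximation of t:urlDecodeUni to ARGS collections as the engine would present them. The url_decode_uni and evaluate_file_param helpers and the sample values are assumptions made for this example.

```python
import re

# The second rule's pattern, as written on the page: "../" or "..\" after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\x5c]")
# The actions carried by the first rule of the chain.
RULE_ACTIONS = {
    "msg": "Path Traversal Attack",
    "tag": "PATH_TRAVERSAL",
    "redirect": "/_error_pages_/lesson02-2.html",
}


def url_decode_uni(value: str) -> str:
    """Approximation of t:urlDecodeUni: one pass of %XX decoding plus the
    IIS-style %uXXXX form (treated here as a plain code point), '+' -> space.
    Invalid escapes are left untouched, as ModSecurity leaves them."""
    def repl(m):
        tok = m.group(0)
        return chr(int(tok[2:], 16)) if tok[1] in "uU" else chr(int(tok[1:], 16))
    return re.sub(r"%[uU][0-9a-fA-F]{4}|%[0-9a-fA-F]{2}", repl, value).replace("+", " ")


def evaluate_file_param(args: dict) -> dict:
    """Emulate the chained rule against ARGS (values as the engine presents
    them: already decoded once by the form-body parser). Returns the
    disruptive action the chain would take for this request."""
    values = args.get("File", [])
    if len(values) == 0:  # &ARGS:File is 0: first rule fails, chain ends
        return {"action": "pass"}
    for raw in values:  # second rule: t:urlDecodeUni, then the regex
        if TRAVERSAL_RE.search(url_decode_uni(raw)):
            return {"action": "deny", "matched": raw, **RULE_ACTIONS}
    return {"action": "pass"}


if __name__ == "__main__":
    # Constructed sample ARGS collections, not captured WebGoat traffic.
    samples = [
        {"File": ["lesson-notes.txt"]},                   # a legitimate dropdown value
        {"File": ["../../../conf/tomcat-users.xml"]},     # the lesson's substituted value
        {"File": ["..%5c..%5cconf%5ctomcat-users.xml"]},  # second encoding layer, backslashes
        {},                                               # no File parameter at all
    ]
    for s in samples:
        print(s.get("File"), "->", evaluate_file_param(s)["action"])
```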