This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Difference between revisions of "Section 4: Mitigating the WebGoat lessons"
(→Overall strategy) |
(→Overall strategy) |
Line 44: | Line 44: | ||
<pre> | <pre> | ||
<LocationMatch "^/WebGoat/attack$"> | <LocationMatch "^/WebGoat/attack$"> | ||
− | # Group 1: the following block pertain to pages that don't have Screen or menu parameters | + | # Group 1: the following block pertain to pages that don't have |
+ | # Screen or menu parameters | ||
1. SecRule &ARGS:Screen "!@eq 0" chain,skipAfter:200 | 1. SecRule &ARGS:Screen "!@eq 0" chain,skipAfter:200 | ||
2. SecRule &ARGS:menu "!@eq 0" "t:none" | 2. SecRule &ARGS:menu "!@eq 0" "t:none" | ||
+ | |||
+ | # Group 2: set session collection if entering WebGoat; POST body parameter | ||
+ | # is "start=Start WebGoat" (Start WebGoat submit button) | ||
+ | 3. SecRule &ARGS_POST:start "@eq 0" "nolog,skip:3" | ||
+ | 4. SecRule ARGS_POST:start "!@streq Start WebGoat" \ | ||
+ | "t:urlDecodeUni,t:htmlEntityDecode,skip:2" | ||
+ | 5. SecRule REQUEST_COOKIES:JSESSIONID "!^$" \ | ||
+ | "chain,log,auditlog,pass,msg:'Setting session collection'" | ||
+ | 6. SecAction setsid:%{REQUEST_COOKIES.JSESSIONID} | ||
+ | 7. SecAction "log,setvar:session.lesson13=0,msg:'setting session.lesson13=0 \ | ||
+ | initially after setsid from rulefile_00-0-initialize.conf'" | ||
+ | |||
+ | 8. SecAction "t:none,allow,id:'200'" | ||
+ | |||
+ | # Group 3: here there should be a 'menu' parameter, so set a variable for | ||
+ | # the menu number that's used if needed in Phase 4 | ||
+ | 9. SecRule ARGS_GET:menu "^(.*)$" "pass,setvar:tx.menu=%{MATCHED_VAR}" | ||
</pre> | </pre> | ||
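Review bot: rule 7 (`SecAction "log,setvar:session.lesson13=0,..."`) is unconditional, so it also runs when the chained rules 5 and 6 did not match (empty or missing JSESSIONID) and no session collection was initialised by setsid; chain it to rules 5/6 or guard it on REQUEST_COOKIES:JSESSIONID so the setvar only runs after a collection exists. The msg in the same rule names the file rulefile_00-0-initialize.conf, while the page's prose calls the initialisation file rulefile_00_initialize.conf; use one name so the log message points at the real file. Minor: the Group 1 comment should read "pertains".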
Revision as of 09:46, 24 July 2008
Project metrics
See Section 2 for the WebGoat lesson Table of Contents and an overview of the results from doing the WebGoat lessons. Appendix A contains a zip file of the lesson plans and solutions, in HTML format, taken from WebGoat; they can be viewed stand-alone.
Out of 51 possible lessons, the following are teaching lessons, not vulnerabilities, and therefore have no context for ModSecurity rules:
- 1.1 Http Basics
- 4.1 Password Strength
- 15.3 Bypass Client Side JavaScript Validation
- 17.1 Create a SOAP Request
That leaves a total of 47 lessons to do; half of them is 24, which was the goal for the first 50% of project completion. The lowest-hanging fruit was taken first, because considerable effort went into: (1) setup and configuration of the environment; (2) getting familiar with WebGoat and taking all of the lessons; (3) learning ModSecurity (and Remo); (4) re-learning regular expressions; (5) learning Lua scripting; and (6) developing an efficient work methodology.
The total number of sublessons mitigated by ModSecurity rules is 25, which meets the goal of at least 50% of sublessons mitigated. They are:
- Sublesson 1.2
- Sublesson 2.4
- Sublessons 4.2, 4.4, 4.5
- Sublesson 6.1
- Sublessons 8.1, 8.2, 8.4, 8.5, 8.7
- Sublesson 10.1
- Sublessons 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7, 11.8
- Sublesson 13.1
- Sublessons 15.1, 15.2
- Sublessons 17.3, 17.4
4.2 Overall strategy
The intention in mitigating the vulnerabilities is to demonstrate as large a variety of mitigating solutions and ModSecurity features as possible:
- Some lessons are solved in the easiest way possible, for convenience (and to count towards the goal of 50% complete!)
- Some lessons are solved using rules from the core rulesets provided by Breach Security
- Some mitigating solutions are meant to be global, i.e. in effect at all times, like the XSS and Command Injection core rules from Breach Security
- One lesson demonstrates the use of a session variable
- Some lessons require persistence beyond what ModSecurity offers; Lua scripts are used to achieve this
- Some lessons require a more robust capability than ModSecurity's regular expressions, 'and/or' logical mechanisms, and goto statements (skip and skipAfter); again, Lua scripts are used to achieve this
- One lesson uses the 'append' action to append JavaScript to the end of a response body, which alters the content and behavior of the HTML page
The rulesets can be used all together or, for a specific WebGoat sublesson, the initialization file (rulefile_00_initialize.conf) plus that sublesson's ruleset can be used.
The best way to open the discussion about the overall strategy used is to show a chunk of the initialization file:
<pre>
<LocationMatch "^/WebGoat/attack$">
# Group 1: the following block pertains to pages that don't have
# Screen or menu parameters
1. SecRule &ARGS:Screen "!@eq 0" chain,skipAfter:200
2. SecRule &ARGS:menu "!@eq 0" "t:none"

# Group 2: set session collection if entering WebGoat; POST body parameter
# is "start=Start WebGoat" (Start WebGoat submit button)
3. SecRule &ARGS_POST:start "@eq 0" "nolog,skip:3"
4. SecRule ARGS_POST:start "!@streq Start WebGoat" \
   "t:urlDecodeUni,t:htmlEntityDecode,skip:2"
5. SecRule REQUEST_COOKIES:JSESSIONID "!^$" \
   "chain,log,auditlog,pass,msg:'Setting session collection'"
6. SecAction setsid:%{REQUEST_COOKIES.JSESSIONID}
7. SecAction "log,setvar:session.lesson13=0,msg:'setting session.lesson13=0 \
   initially after setsid from rulefile_00-0-initialize.conf'"

8. SecAction "t:none,allow,id:'200'"

# Group 3: here there should be a 'menu' parameter, so set a variable for
# the menu number that's used if needed in Phase 4
9. SecRule ARGS_GET:menu "^(.*)$" "pass,setvar:tx.menu=%{MATCHED_VAR}"
</pre>
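To make the control flow of that chunk concrete, here is an added Python model (not code from the wiki page, from WebGoat or from ModSecurity) that walks the nine initialization rules for a given request and records which rules matched, so the effect of chain, skip:N, skipAfter:200 and allow can be traced. It assumes that parameters arrive as already form-decoded dicts (as ARGS_GET and ARGS_POST do in ModSecurity), approximates t:urlDecodeUni and t:htmlEntityDecode with the standard library, treats a plain allow as the end of rule processing for the transaction, and counts a chained pair as a single rule for skip:N, as ModSecurity does. The sample requests at the bottom are constructed, not captured traffic.

```python
"""Added example (not from the wiki page, WebGoat or ModSecurity): a small
Python model that walks the nine initialization rules shown above, so the
effect of chain, skip:N, skipAfter:ID and allow on a request can be traced.
Rule labels match the numbers in the listing.

Assumptions: parameters arrive as already form-decoded dicts (as ARGS_GET and
ARGS_POST do in ModSecurity); t:urlDecodeUni and t:htmlEntityDecode are
approximated with the standard library; a plain 'allow' ends rule processing
for the transaction; skip:N counts a chained pair as one rule.
"""
import html
from urllib.parse import unquote


def decode_transforms(value):
    """Approximation of t:urlDecodeUni,t:htmlEntityDecode from rule 4."""
    return html.unescape(unquote(value))


def evaluate_init_rules(args_get, args_post, cookies):
    """Return a trace of which rules matched and the state they left behind.

    args_get / args_post / cookies: dicts of already-decoded name -> value.
    Result keys: fired (rule labels in order), tx, session (None until
    setsid has run), allowed, log.
    """
    args = {**args_get, **args_post}      # ARGS is ARGS_GET plus ARGS_POST
    state = {"fired": [], "tx": {}, "session": None, "allowed": False, "log": []}
    pc = 1                                # next rule to evaluate
    while pc <= 9:
        if pc == 1:
            # Rules 1+2 are chained: the chain matches only if BOTH counts are
            # non-zero, and then skipAfter:200 jumps past rule 8 (id 200).
            if "Screen" in args and "menu" in args:
                state["fired"].append("1+2")
                pc = 9
            else:
                pc = 3
        elif pc == 3:
            # No 'start' POST parameter: skip 3 rules (4, the 5+6 chain, 7).
            if "start" not in args_post:
                state["fired"].append("3")
                pc = 8
            else:
                pc = 4
        elif pc == 4:
            # 'start' present but not the Start WebGoat button: skip 2 rules.
            if decode_transforms(args_post["start"]) != "Start WebGoat":
                state["fired"].append("4")
                pc = 8
            else:
                pc = 5
        elif pc == 5:
            # Rules 5+6 chained: non-empty JSESSIONID -> setsid on that value.
            jsessionid = cookies.get("JSESSIONID", "")
            if jsessionid != "":
                state["fired"].append("5+6")
                state["session"] = {"id": jsessionid}
                state["log"].append("Setting session collection")
            pc = 7
        elif pc == 7:
            # Unconditional SecAction: setvar:session.lesson13=0. It runs even
            # when rules 5+6 did not match and no session collection exists.
            state["fired"].append("7")
            if state["session"] is None:
                state["log"].append("rule 7: no session collection to set lesson13 in")
            else:
                state["session"]["lesson13"] = 0
            pc = 8
        elif pc == 8:
            # id:'200' with allow: the request is allowed, no further rules run.
            state["fired"].append("8")
            state["allowed"] = True
            break
        elif pc == 9:
            # Only reached via skipAfter:200: record the menu number in tx.menu.
            if "menu" in args_get:
                state["fired"].append("9")
                state["tx"]["menu"] = args_get["menu"]
            pc = 10
    return state


if __name__ == "__main__":
    # Constructed sample requests to /WebGoat/attack, not captured traffic.
    samples = {
        "Start WebGoat button, cookie set": ({}, {"start": "Start WebGoat"}, {"JSESSIONID": "abc123"}),
        "lesson page with Screen and menu": ({"Screen": "13", "menu": "900"}, {}, {}),
        "bare request, no parameters": ({}, {}, {}),
        "Start WebGoat button, no cookie": ({}, {"start": "Start WebGoat"}, {}),
    }
    for name, (g, p, c) in samples.items():
        trace = evaluate_init_rules(g, p, c)
        print(f"{name}: fired={trace['fired']} allowed={trace['allowed']} "
              f"tx={trace['tx']} session={trace['session']}")
```

Two things the trace makes visible that are easy to miss when reading the rules: tx.menu is only ever set on the skipAfter path, i.e. when the request carried both Screen and menu, because every other path ends at the allow in rule 8; and rule 7 fires on the "no cookie" request as well, so session.lesson13 is written without any session collection having been initialised, which is the case to keep in mind when reading the lesson 13 rules that later rely on that variable.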