This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP ModSecurity Securing WebGoat Section4 Sublesson 02.2"

From OWASP
(added content)
 
(Implementation)
Line 20: Line 20:
 
<pre>
 
<pre>
 
   # Lesson 2.2; directory traversal in 'File' parameter of POST request
 
   # Lesson 2.2; directory traversal in 'File' parameter of POST request
   SecRule &ARGS:File "!@eq 0" "chain,log,auditlog,deny,msg:'Path Traversal Attack',tag:'PATH_TRAVERSAL',redirect:/_error_pages_/lesson02-2.html"
+
   SecRule &ARGS:File "!@eq 0" "chain,log,auditlog,deny,msg:'Path Traversal Attack', \
 +
tag:'PATH_TRAVERSAL',redirect:/_error_pages_/lesson02-2.html"
 
   SecRule ARGS:File "\.\.[/\x5c]" "t:urlDecodeUni"
 
   SecRule ARGS:File "\.\.[/\x5c]" "t:urlDecodeUni"
 
</pre>
 
</pre>
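Review bot: the continuation line `tag:'PATH_TRAVERSAL',redirect:/_error_pages_/lesson02-2.html"` is flush-left while the `SecRule` it belongs to is indented; the trailing backslash makes Apache join the two lines, so behaviour is unchanged, but indent the second line to match so it does not read as a separate directive. The action list also carries two disruptive actions, `deny` and `redirect`; ModSecurity applies only one disruptive action per rule, so `deny` is superseded by the redirect here. Keep whichever is intended and drop the other.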

Revision as of 03:51, 20 October 2008

2. Access Control Flaws -> 2.2 Bypass a Path Based Access Control Scheme

Lesson overview

Refer to the zip file with the WebGoat lesson overviews. See Appendix A for more information.

Lesson solution

Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.

Strategy

This WebGoat lesson demonstrates a path-based access control bypass: the user picks a file from a dropdown list and the browser submits its name in the 'File' parameter of a POST request. The request is intercepted in a web proxy and the value is replaced with '../../../conf/tomcat-users.xml'. Because the application builds a file path from the submitted name without validating it, the '..' segments escape the intended directory and the response reveals Tomcat user names and passwords.

The mitigation applied here is to block directory traversal: the ModSecurity rule below rejects any 'File' value that, after URL decoding, contains '..' followed by a slash or backslash. This is a compensating control in front of the application; the underlying fix is for the application to canonicalise the path and accept only the file names the dropdown actually offers.

Implementation

The lesson is mitigated in the ruleset 'rulefile_02_access-control-flaws.conf':

  # Lesson 2.2; directory traversal in 'File' parameter of POST request
  # Rule 1: '&ARGS:File' counts 'File' parameters, so this matches whenever the
  # parameter is present; 'chain' defers the disruptive action to rule 2's result.
  SecRule &ARGS:File "!@eq 0" "chain,log,auditlog,deny,msg:'Path Traversal Attack', \
tag:'PATH_TRAVERSAL',redirect:/_error_pages_/lesson02-2.html"
  # Rule 2: after t:urlDecodeUni (%XX and %uXXXX), match '..' followed by '/' or '\'.
  SecRule ARGS:File "\.\.[/\x5c]" "t:urlDecodeUni"
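As an added example that is not part of the WebGoat ModSecurity ruleset, the following Python script emulates what the chained rule above does, so the transformation and the regex can be exercised offline against constructed POST bodies. It parses the body once the way the engine builds ARGS, applies an approximation of t:urlDecodeUni as a second decode (the full-width %uFFxx folding follows the ModSecurity reference's description of that transformation), and tests the page's regex; it also shows the positive-security alternative mentioned under Strategy, using a constructed allowlist (the file names `BasicAuthentication.html` and `HttpBasics.html` are hypothetical). The sample bodies are constructed; only the payload `../../../conf/tomcat-users.xml` comes from the lesson.

```python
"""Added example (not part of the OWASP ModSecurity/WebGoat ruleset): a Python
emulation of the chained SecRule for WebGoat lesson 2.2, run over constructed
POST bodies."""
import re
from urllib.parse import parse_qsl

# Regex taken from the page's second chained rule: ".." followed by "/" or "\".
TRAVERSAL_RE = re.compile(r"\.\.[/\x5c]")


def url_decode_uni(value: str) -> str:
    """Approximation of ModSecurity's t:urlDecodeUni: one pass of %XX decoding
    plus the Microsoft %uXXXX form, with '+' mapped to a space. For %uXXXX only
    the low byte is kept, except for the full-width ASCII block U+FF01..U+FF5E,
    which is folded back to plain ASCII (so %uFF0E%uFF0F decodes to "./")."""
    def decode(match):
        if match.group(1) is not None:               # %uXXXX
            code = int(match.group(1), 16)
            high, low = code >> 8, code & 0xFF
            if high == 0xFF and 0x01 <= low <= 0x5E:
                return chr(low + 0x20)               # full-width -> ASCII
            return chr(low)
        return chr(int(match.group(2), 16))          # %XX
    value = value.replace("+", " ")                  # before %2B is decoded to '+'
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", decode, value)


def evaluate_rule(body: str) -> tuple:
    """Emulate the chain: rule 1 fires when &ARGS:File != 0 (parameter present);
    rule 2 applies t:urlDecodeUni to each ARGS:File value and tests the regex.
    The engine already decodes the body once while building ARGS, so the
    transformation is effectively a second decode, which is what catches
    double-encoded payloads. Returns (blocked, reason)."""
    args = parse_qsl(body, keep_blank_values=True)   # first decode, as ARGS
    files = [v for k, v in args if k == "File"]
    if not files:                                     # chain stops, request allowed
        return False, "no File parameter"
    for raw in files:
        decoded = url_decode_uni(raw)
        if TRAVERSAL_RE.search(decoded):
            return True, f"Path Traversal Attack: File={decoded!r}"
    return False, "File parameter clean"


# Constructed allowlist standing in for the lesson's dropdown values (hypothetical names).
ALLOWED_FILES = frozenset({"BasicAuthentication.html", "HttpBasics.html"})


def allowlist_check(body: str) -> bool:
    """Positive-security variant: accept only the values the dropdown offers,
    after the same decoding the engine would apply. Returns True if allowed."""
    args = parse_qsl(body, keep_blank_values=True)
    files = [url_decode_uni(v) for k, v in args if k == "File"]
    return bool(files) and all(f in ALLOWED_FILES for f in files)


# Constructed request bodies; "lesson" carries the payload from the lesson text.
SAMPLE_BODIES = {
    "benign":      "File=BasicAuthentication.html",
    "lesson":      "File=..%2F..%2F..%2Fconf%2Ftomcat-users.xml",
    "double":      "File=..%252F..%252F..%252Fconf%252Ftomcat-users.xml",
    "unicode":     "File=%uFF0E%uFF0E%uFF0F%uFF0E%uFF0E%uFF0Fconf%uFF0Ftomcat-users.xml",
    "backslash":   "File=..%5C..%5Cconf%5Ctomcat-users.xml",
    "other_param": "Other=..%2F..%2F..%2Fconf%2Ftomcat-users.xml",   # not covered by the rule
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        blocked, reason = evaluate_rule(body)
        print(f"{name:12} blocked={blocked!s:5} allowlisted={allowlist_check(body)!s:5} {reason}")
```

Running it shows the lesson payload, its double-encoded and %u-encoded forms and the backslash variant all blocked, while the same payload sent in a parameter other than File passes the rule unchecked, which is the main limitation of a parameter-specific negative rule and the reason the allowlist variant is the stronger control.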