OWASP ModSecurity Securing WebGoat Section4 Sublesson 10.1

Latest revision as of 08:02, 21 October 2008

10. Improper Error Handling -> 10.1 Fail Open Authentication Scheme

Lesson overview

The WebGoat lesson overview is included with the WebGoat lesson solution.

Lesson solution

Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.

Strategy

This lesson demonstrates a fail-open vulnerability: when the 'Password' parameter is removed entirely from the POST body, the application's error-handling path authenticates the user instead of rejecting the login. To mitigate this, a straightforward pinpoint strategy was used: a rule that rejects any request for this lesson in which the Password parameter is absent.

Implementation

The lesson is mitigated by the ruleset 'rulefile_10_improper-error-handling.conf' (comments added below for readability; note that ModSecurity 2.7 and later also require an 'id:' action on every SecRule and SecAction, which this 2008-era ruleset predates):

  # Only requests for this lesson (menu=1100) are examined. For any other
  # lesson, skip the next two rules and continue with the rest of the ruleset.
  SecRule ARGS:menu "!@eq 1100" "t:none,pass,skip:2"
  # &ARGS:Password is the number of Password parameters in the request. Zero
  # means the client omitted it, which is exactly the request that makes the
  # lesson fail open, so deny it and send the user to the lesson error page.
  SecRule &ARGS:Password "@eq 0" "t:none,deny,severity:3,\
    msg:'Post parameter Password is mandatory, but it is not present in request.',\
    tag:'AUTHENTICATION',redirect:/_error_pages_/lesson10-1.html"
  # Password is present: nothing else to check for this lesson.
  SecAction "allow:request,t:none,\
    msg:'Returning; nothing bad on this page (rulefile_10-1).'"


Note that it is perfectly acceptable - and probably preferable - to use '&ARGS_POST:Password' instead of '&ARGS:Password'. The login form sends Password in the POST body, and ARGS_POST counts only body parameters, whereas ARGS also counts query-string parameters; with ARGS, a Password supplied in the query string is enough to satisfy the count check even though the body still lacks it.
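The following is an added example, not code from the OWASP page or from WebGoat. It puts a fail-open login handler of the kind the Strategy section describes beside a fail-closed one, and models the three ModSecurity rules above as a pre-check so that the ARGS versus ARGS_POST difference from the note can be exercised. The user table, the Request shape and both handlers are constructed for illustration; the handlers read only body parameters, which is an assumption of this example (a servlet's getParameter() would also look in the query string).

```python
"""Fail-open login beside a fail-closed one, plus a pre-check modelled on
the page's three ModSecurity rules. Everything here is constructed for
illustration: the user table, the Request shape and the handlers are not
WebGoat's code. The handlers read only body parameters, which is an
assumption of this example."""

from dataclasses import dataclass, field

# Constructed credential store.
USERS = {"webgoat": "webgoat"}

# The 'menu' value the page's first rule matches for lesson 10.1.
MENU_10_1 = "1100"


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST: query-string and body parameters."""
    query: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)

    @property
    def args(self) -> dict:
        """Like ModSecurity's ARGS: query-string and body parameters merged."""
        merged = dict(self.query)
        merged.update(self.post)
        return merged


def login_fail_open(req: Request) -> bool:
    """Vulnerable handler. Indexing a missing 'Password' raises KeyError; the
    catch-all 'recovers' by returning True, so the user is authenticated.
    This is the fail-open pattern the lesson demonstrates."""
    try:
        username = req.post["Username"]
        password = req.post["Password"]
        return USERS.get(username) == password
    except Exception:
        return True  # error path grants access instead of refusing it


def login_fail_closed(req: Request) -> bool:
    """Hardened handler: a missing parameter is an ordinary failed login,
    not an exception, and any unexpected error refuses access."""
    username = req.post.get("Username")
    password = req.post.get("Password")
    if username is None or password is None:
        return False
    try:
        return USERS.get(username) == password
    except Exception:
        return False  # fail closed


def waf_check(req: Request, source: str = "ARGS") -> str:
    """Models the page's ruleset. Returns 'skip' (other lesson: the deny and
    allow rules are skipped and processing continues), 'deny', or 'allow'.
    'source' selects which collection the second rule counts: 'ARGS'
    (query + body, as on the page) or 'ARGS_POST' (body only, as the page's
    closing note suggests)."""
    # SecRule ARGS:menu "!@eq 1100" "t:none,pass,skip:2"
    if req.args.get("menu") != MENU_10_1:
        return "skip"
    params = req.args if source == "ARGS" else req.post
    # SecRule &ARGS:Password "@eq 0" "t:none,deny,..."  (count of Password is 0)
    if "Password" not in params:
        return "deny"
    # SecAction "allow:request,..."
    return "allow"


def demo() -> dict:
    """Runs the three pieces over two constructed requests."""
    missing = Request(post={"menu": MENU_10_1, "Username": "webgoat"})
    query_pw = Request(query={"Password": "x"},
                       post={"menu": MENU_10_1, "Username": "webgoat"})
    return {
        "vulnerable_missing": login_fail_open(missing),        # True: fail open
        "hardened_missing": login_fail_closed(missing),        # False
        "waf_ARGS_missing": waf_check(missing, "ARGS"),        # deny
        "waf_ARGS_query_pw": waf_check(query_pw, "ARGS"),      # allow: count is 1
        "waf_ARGS_POST_query_pw": waf_check(query_pw, "ARGS_POST"),  # deny
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module shows the request with no Password being authenticated by the fail-open handler and refused by the fail-closed one, and the ARGS-based check being satisfied by a query-string Password while the ARGS_POST-based check still denies it.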