
OWASP ModSecurity Securing WebGoat Section4 Sublesson 17.3 17.4

From OWASP
Revision as of 17:17, 24 July 2008 by Stephen Evans (talk | contribs) (add content)


17. Web Services

17.3 Web Service SAX Injection

17.4 Web Service SQL Injection

Lesson overviews

See [relative paths].

Lesson solutions

See [relative paths].

Strategy

Both lessons are mitigated with a whitelist, using the pinpoint strategy.

Implementation

Both lessons are mitigated by the following ruleset; the comments in the rules make the solution self-explanatory:

<LocationMatch "^/WebGoat/attack$">

  # 'menu=1800'
  SecRule ARGS:menu "!@eq 1800" "t:none,pass,skipAfter:170"

  # The following rule is for lesson '17.4 WS SQL Injection'.
  # The regex is a whitelist only for this particular lesson and for
  #   the 'account number' parameter. The criterion is that only digits and no
  #   spaces or special chars are allowed. Modify the regex if something like
  #   '-' is allowable.
  SecRule &ARGS_POST:SUBMIT "@eq 0" "nolog,skip:4"
  SecRule ARGS_POST:SUBMIT "!@streq Go!" "nolog,skip:3"
  SecRule &ARGS_POST:account_number "@eq 0" "nolog,skip:2"
  SecRule ARGS_POST:account_number "^([0-9]+)$" \
    "t:urlDecodeUni,t:htmlEntityDecode,allow:request,skip:1"
  SecAction "deny,log,auditlog,msg:'WS SQL Injection', \
    tag:'Returning from 17.4 WS SQL Injection (rulefile_17).', \
    severity:'3',redirect:/_error_pages_/lesson17-4.html"

  # The following rule is for lesson '17.3 SAX Injection'.
  # The regex is a whitelist only for this particular lesson and
  #   for the 'password' parameter. The criterion is that no spaces are allowed.
  SecRule &ARGS_POST:SUBMIT "@eq 0" "nolog,skip:4"
  SecRule ARGS_POST:SUBMIT "!@streq Go!" "nolog,skip:3"
  SecRule &ARGS_POST:password "@eq 0" "nolog,skip:2"
  SecRule ARGS_POST:password "[ ]" \
    "t:urlDecodeUni,t:htmlEntityDecode,deny,log,auditlog, \
    msg:'WS SAX Injection',tag:'WEB_ATTACK/SAX_INJECTION', \
    severity:'3',redirect:/_error_pages_/lesson17-3.html"
  SecAction "allow:request,t:none,id:'170', \
    msg:'Returning from 17.3 SAX Injection (rulefile_17).'"

  SecAction "allow:request,t:none,msg:'Returning; nothing bad on this page (rulefile_17).'"
</LocationMatch>


Note that 'skipAfter' is used to jump to the rule with id:'170', so the order of the rule groupings cannot be swapped.

For some reason, the project member had difficulty using 'chain' to chain rules together; in this lesson it simply was not working, so the kludgey 'skip' actions were used instead. Not elegant, but it works.
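To make the control flow of the rulefile easier to follow, here is an added Python model of it (not ModSecurity code and not part of the original page). It walks the rules top to bottom exactly as the 'skip' and 'skipAfter' actions would, applies the two whitelist regexes copied from the rules, and shows why the 't:urlDecodeUni,t:htmlEntityDecode' transformations matter for an encoded space. The function names, return values and sample requests are constructed for illustration; 'unquote_plus' and 'html.unescape' are assumed stand-ins for the two ModSecurity transformations.

```python
import re
import html
from urllib.parse import unquote_plus

# Regexes copied from the rulefile; everything else here is a constructed model.
ACCOUNT_NUMBER_WHITELIST = re.compile(r"^([0-9]+)$")   # 17.4: digits only
PASSWORD_SPACE = re.compile(r"[ ]")                      # 17.3: any space is denied


def transform(value):
    """Mirror 't:urlDecodeUni,t:htmlEntityDecode' in rule order.

    Assumption: unquote_plus stands in for urlDecodeUni (handles %XX and '+',
    not %uXXXX) and html.unescape stands in for htmlEntityDecode.
    """
    return html.unescape(unquote_plus(value))


def menu_is_1800(args):
    """Rule 1: SecRule ARGS:menu "!@eq 1800" "t:none,pass,skipAfter:170".

    Returns None when ARGS:menu is absent: a rule whose variable does not
    resolve does not match, so processing falls through instead of jumping.
    """
    if "menu" not in args:
        return None
    try:
        return int(args["menu"]) == 1800
    except ValueError:
        return False  # a non-numeric value is not equal to 1800


def check_ws_sqli(post):
    """Rule group for lesson 17.4 (account_number): 'allow', 'deny' or 'skip'."""
    if post.get("SUBMIT") is None or post["SUBMIT"] != "Go!":
        return "skip"                 # &ARGS_POST:SUBMIT @eq 0  /  !@streq Go!
    if "account_number" not in post:
        return "skip"                 # &ARGS_POST:account_number @eq 0
    if ACCOUNT_NUMBER_WHITELIST.match(transform(post["account_number"])):
        return "allow"                # whitelist matched -> allow:request
    return "deny"                     # SecAction deny ... msg:'WS SQL Injection'


def check_ws_sax(post):
    """Rule group for lesson 17.3 (password): 'allow', 'deny' or 'skip'."""
    if post.get("SUBMIT") is None or post["SUBMIT"] != "Go!":
        return "skip"
    if "password" not in post:
        return "skip"
    if PASSWORD_SPACE.search(transform(post["password"])):
        return "deny"                 # msg:'WS SAX Injection'
    return "allow"                    # SecAction allow:request,id:'170'


def evaluate_request(args, post):
    """Walk the rulefile top to bottom and return (action, message)."""
    if menu_is_1800(args) is False:
        return ("allow", "nothing bad on this page")   # skipAfter:170 -> final SecAction
    verdict = check_ws_sqli(post)
    if verdict == "deny":
        return ("deny", "WS SQL Injection")
    if verdict == "allow":
        return ("allow", "account_number passed the digits-only whitelist")
    verdict = check_ws_sax(post)
    if verdict == "deny":
        return ("deny", "WS SAX Injection")
    if verdict == "allow":
        return ("allow", "Returning from 17.3 SAX Injection")
    return ("allow", "nothing bad on this page")


if __name__ == "__main__":
    # Constructed sample requests (query args, POST args)
    samples = [
        ({"menu": "1800"}, {"SUBMIT": "Go!", "account_number": "101"}),
        ({"menu": "1800"}, {"SUBMIT": "Go!", "account_number": "101 OR 1=1"}),
        ({"menu": "1800"}, {"SUBMIT": "Go!", "account_number": "101&#32;OR&#32;1=1"}),
        ({"menu": "1800"}, {"SUBMIT": "Go!", "password": "secret"}),
        ({"menu": "1800"}, {"SUBMIT": "Go!", "password": "sec+ret"}),
        ({"menu": "1700"}, {"SUBMIT": "Go!", "account_number": "101 OR 1=1"}),
    ]
    for args, post in samples:
        print(post, "->", evaluate_request(args, post))
```

The third sample is the one worth noticing: an HTML-entity-encoded space only becomes a space after 'htmlEntityDecode', which is why the rules apply both transformations before testing the whitelist. The last sample shows the effect of 'skipAfter': with a different 'menu' value the whole lesson-specific block is bypassed and the request falls to the final allow.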