
OWASP ModSecurity Securing WebGoat Section4 Sublesson 02.4

Revision as of 11:54, 24 July 2008 by Stephen Evans

2. Access Control Flaws

2.4 Remote Admin Access

Lesson overview

See [relative path].

Lesson solution

See [relative path].

Strategy

The solution is to prevent 'admin=true' from appearing in the query string.

Implementation

The lesson is mitigated in the ruleset 'rulefile_02_access-control-flaws.conf'.

  # Lesson 2.4: Remote Admin Access; don't allow 'admin=true' in the querystring
  # Rule 1 of the chain fires when at least one 'admin' argument is present
  # (ARGS covers query-string and request-body parameters, already URL-decoded).
  SecRule &ARGS:admin "!@eq 0" "chain,log,auditlog,deny,\
    msg:'Admin Function Attack',tag:'ADMIN_FUNCTION', \
    redirect:/_error_pages_/lesson02-4.html"
  # Rule 2 completes the chain: each 'admin' value is lowercased and matched
  # against the regex 'true' (an operator written without '@' is @rx, unanchored).
  SecRule ARGS:admin "true" "t:lowercase"
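To see which requests the chain above denies and which it lets through, here is a small Python model of it (an added example, not ModSecurity code and not part of the original page). It treats ARGS as the URL-decoded query-string plus body parameters, assumes that ARGS:admin selects the parameter name case-insensitively, and evaluates constructed requests against the two-rule chain.

```python
import re
from urllib.parse import parse_qs

# Constructed model of the chained rule: rule 1 requires at least one 'admin'
# argument (&ARGS:admin "!@eq 0"); rule 2 lowercases each value (t:lowercase)
# and matches the unanchored regex "true" (an operator without '@' is @rx).
ADMIN_VALUE_RX = re.compile(r"true")
REDIRECT_TARGET = "/_error_pages_/lesson02-4.html"  # from the rule on the page


def args_named(query: str, body: str = "", name: str = "admin") -> list[str]:
    """Collect ARGS:<name> values from query string and urlencoded body.

    Parameters are percent-decoded before matching, as ModSecurity's parser
    does. Case-insensitive matching of the parameter name is an assumption
    of this model (ARGS:admin is expected to also select 'ADMIN').
    """
    values: list[str] = []
    for raw in (query, body):
        if not raw:
            continue
        for key, vals in parse_qs(raw, keep_blank_values=True).items():
            if key.lower() == name.lower():
                values.extend(vals)
    return values


def remote_admin_rule(query: str, body: str = "") -> dict:
    """Evaluate the chain and return the disposition with a reason."""
    values = args_named(query, body)
    # Rule 1: &ARGS:admin "!@eq 0" -- the count of 'admin' args must be non-zero.
    if not values:
        return {"action": "pass", "reason": "no admin argument"}
    # Rule 2: ARGS:admin "true" "t:lowercase" -- checked per value; one match
    # completes the chain, so the deny/redirect from rule 1 takes effect.
    for v in values:
        if ADMIN_VALUE_RX.search(v.lower()):
            return {"action": "deny", "redirect": REDIRECT_TARGET,
                    "msg": "Admin Function Attack", "matched_value": v}
    return {"action": "pass", "reason": "admin present but no value matched"}


if __name__ == "__main__":
    # Constructed sample requests: query string first, optional body second.
    for q, b in [("user=guest", ""), ("admin=true", ""), ("ADMIN=True", ""),
                 ("admin=tr%75e", ""), ("admin=false", ""), ("", "admin=true")]:
        print(f"{q!r:22} body={b!r:14} -> {remote_admin_rule(q, b)['action']}")
```

Because the second rule's operator is an unanchored regex, a value such as 'untrue' is also denied; the model makes that visible, whereas '@streq true' would match the value exactly.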