
OWASP ModSecurity Securing WebGoat Section4 Sublesson 10.1

From OWASP
Revision as of 15:41, 24 July 2008 by Stephen Evans (talk | contribs) (add content)


10. Improper Error Handling

10.1 Fail Open Authentication Scheme

Lesson overview

See [relative path].

Lesson solution

See [relative path].

Strategy

This lesson demonstrates a fail-open vulnerability: when the 'Password' parameter is removed entirely from the POST body, the user is authenticated. To mitigate this, a straightforward pinpoint strategy was used: the ruleset denies any request to this lesson that does not carry a Password parameter.

Implementation

The lesson is mitigated by the ruleset 'rulefile_10_improper-error-handling.conf':

  # Rule 1: this ruleset only applies to lesson 10.1 (menu=1100); for any other
  # menu value, skip the next two rules and keep processing the rest of the ruleset
  SecRule ARGS:menu "!@eq 1100" "t:none,pass,skip:2"
  # Rule 2: '&' is the count operator; zero occurrences of Password means the
  # parameter was removed from the request, so deny it and redirect to the error page
  SecRule &ARGS:Password "@eq 0" "t:none,deny,severity:3, \
    msg:'Post parameter Password is mandatory, but it is not present in request.', \
    tag:'AUTHENTICATION',redirect:/_error_pages_/lesson10-1.html"
  # Rule 3: Password is present; stop inspecting and let the application handle it
  SecAction "allow:request,t:none, \
    msg:'Returning; nothing bad on this page (rulefile_10-1).'"

Note that it is perfectly acceptable - and probably preferable - to use '&ARGS_POST:Password' instead of '&ARGS:Password', since ARGS_POST counts only parameters in the POST body, whereas ARGS also counts parameters supplied in the query string.
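As an added illustration (not code from the OWASP page, WebGoat or ModSecurity), the following Python models how the three rules above dispose of a request, including the difference between counting &ARGS:Password and &ARGS_POST:Password. The Request shape and the function names are my own assumptions; the rule logic follows the ruleset as written.

```python
# Added example: a small model of rulefile_10_improper-error-handling.conf.
# The Request class and evaluate() are assumptions for illustration; only the
# rule order, operators and actions come from the ruleset itself.
from dataclasses import dataclass, field

LESSON_MENU = "1100"                              # 'menu' value of lesson 10.1
ERROR_PAGE = "/_error_pages_/lesson10-1.html"     # redirect target from rule 2


@dataclass
class Request:
    """Parsed request with query-string and POST-body parameters kept apart."""
    query: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)

    def args(self, name):
        """ARGS:<name>: values from the query string and the POST body."""
        return [v for src in (self.query, self.post) for k, v in src.items() if k == name]

    def args_post(self, name):
        """ARGS_POST:<name>: values from the POST body only."""
        return [v for k, v in self.post.items() if k == name]


def evaluate(req, use_args_post=False):
    """Return 'pass' (skipped by rule 1), 'deny:<redirect>' (rule 2) or 'allow' (rule 3)."""
    # Rule 1: SecRule ARGS:menu "!@eq 1100" "pass,skip:2"
    # The rule matches only when a menu value exists and differs from 1100;
    # an absent menu parameter does not match, so rules 2 and 3 still run.
    if any(v != LESSON_MENU for v in req.args("menu")):
        return "pass"
    # Rule 2: SecRule &ARGS:Password "@eq 0" "deny,redirect:..."
    # '&' counts occurrences; zero means the client dropped the parameter,
    # which is exactly the fail-open trigger this lesson demonstrates.
    values = req.args_post("Password") if use_args_post else req.args("Password")
    if len(values) == 0:
        return "deny:" + ERROR_PAGE
    # Rule 3: SecAction "allow:request" -- Password is present, hand over to the app.
    return "allow"
```

Running evaluate() with use_args_post=True on a request that carries Password only in the query string shows why the note above prefers &ARGS_POST: the plain &ARGS count is satisfied even though the POST body has no password.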