This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP ModSecurity Securing WebGoat Section4 Sublesson 03.4"

From OWASP
Jump to: navigation, search
(add content to new page)
 
Line 1: Line 1:
1. General -> 1.2  HTTP Splitting
+
3. AJAX Security -> 3.4 DOM Injection
  
 
=== Lesson overview ===
 
=== Lesson overview ===

Revision as of 05:10, 20 October 2008

3. AJAX Security -> 3.4 DOM Injection

Lesson overview

Refer to the zip file with the WebGoat lesson overviews. See Appendix A for more information.

Lesson solution

Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.

Strategy

This WebGoat lesson modifies an AJAX response with Javascript that enables the 'Activate!' button for a license key by replacing the response body (about 28k bytes) with: document.forms[0].SUBMIT.disabled = false;

Implementation

When the button is disabled, it comes from the server as: 

<input disabled value='Activate!' name='SUBMIT' type='SUBMIT'>

The ModSecurity solution will be to set a variable in 'lesson03-4.data' called 'isdisabled' to "yes" if the 'Activate!' button is disabled; "no" otherwise. For the subsequent request, if the 'Activate!' button is submitted such as: 

POST http://192.168.0.5/WebGoat/attack?Screen=131&menu=400
key=aaaa&SUBMIT=Activate%21

Then we check against the persisted variable to see if it is enabled or disabled, then block the request if the button was originally disabled.

'lesson03-4.data' will have the simple format of: 

Entry{
  isdisabled = "yes"
}

First, we start with the response body because if the 'Activate!' button is sent in a request, for sure it had to be sent with its state in the previous response body.

The phase 4 response portion of the configuration file is: 

  SecRule TX:MENU "!@eq 400" "phase:4,t:none,pass,skip:1"

  SecRuleScript "/etc/modsecurity/data/activate-response_03-4.lua" \
"phase:4,t:none,log,auditlog,allow,msg:'Luascript: AJAX Security -> \ 
3.4 DOM Injection: in RESPONSE; checking if Activate button is disabled'"

Refer to the Lua script 'activate-response_03-4.lua'. The steps are:

  • put the response body into a buffer
  • search and get the state of the Activate button
  • write the state to the data file

The phase 2 request portion of the configuration file is: 

  SecRule ARGS:menu "!@eq 400" "phase:2,t:none,skip:4"
  SecRule &ARGS_POST:SUBMIT "@eq 0" "nolog,skip:3"
  SecRule &ARGS_POST:key "@eq 0" "nolog,skip:2"

  # action is triggered if script returns non-nil value
  SecRuleScript "/etc/modsecurity/data/activate-request_03-4.lua" \
"phase:2,t:none,log,auditlog,deny,severity:3,msg:'Luascript: \ 
AJAX Security -> 3.4 DOM Injection: request is pending', \
tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson03-4.html"
  SecAction "phase:2,allow:request,t:none,log,auditlog,msg:'Luascript: \ 
AJAX Security -> 3.4 DOM Injection: acceptable state for Activate button'"

Refer to the Lua script 'activate-request_03-4.lua'. The steps are:

  • get the button state from the data file
  • if it is enabled, return OK (nil) to ModSecurity; if it is disabled, return an error (non-nil)

Comments

  • AJAX for this lesson only worked using Opera 9.26
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_03.4&oldid=43876"