This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP ModSecurity Securing WebGoat Section4 Sublesson 15.1 15.2

From OWASP
Revision as of 17:05, 24 July 2008 by Stephen Evans (talk | contribs) (add content)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

15. Parameter Tampering

15.1 Exploit Hidden Fields

15.2 Exploit Unchecked Email

Lesson overviews

See [relative paths].

Lesson solutions

See [relative paths].

Strategy

To mitigate Lesson 15.1, the attacker cannot be allowed to alter the hidden field 'Price'.

Lesson 15.2 has 2 parts:

Stage 1 is mitigated by preventing an XSS attack, so one line is added to the rule file 'rulefile_08_xss.conf' to take care of this. 

  SecRule ARGS:menu "!@eq 1600" "chain,t:none,..."


Stage 2 has the same issue of altering a hidden field, in this case the email address in: 

<input name='to' type='HIDDEN' value='[email protected]'>

Mitigating the hidden field value issues uses the same strategy that is used to solve '4.4 Multi Level Login 1' and '4.5 Multi Level Login 2'. In both cases, a check is implemented to see whether the hidden fields have been altered.

Implementation

The lesson is mitigated by the ruleset 'rulefile_15_parameter-tampering.conf': 

  SecRule ARGS:menu "!@eq 1600" "phase:2,t:none,skip:2"

  # action is triggered if script returns non-nil value
  SecRuleScript "/etc/modsecurity/data/read-hidden-values_15.lua" \ 
    "phase:2,t:none,log,auditlog,deny,severity:3, \ 
      msg:'Parameter Tampering; Hidden field',tag:'PARAMETER_TAMPERING', \ 
      redirect:/_error_pages_/lesson15-1.html"
  SecAction "phase:2,allow:request,t:none,log,auditlog, \ 
    msg:'Luascript: hidden field not altered or does not exist'"

################################################################

  SecRule TX:MENU "!@eq 1600" "phase:4,t:none,pass,skip:1"

  # parse response body and write hidden values to file
  SecRuleScript "/etc/modsecurity/data/write-hidden-values1.lua" \ 
    "phase:4,t:none,log,auditlog,allow, \ 
      msg:'Writing RESPONSE BODY & parsed input fields to file using luascript'"

The Lua script used here in Phase 4 that writes the HTML input values to file is the exact same file as the one used in Lessons 4.4 and 4.5. The output is: 

Entry{
  name = "gId",
  type = "TEXT",
  value = "GMail id"
}

Entry{
  name = "gPass",
  type = "PASSWORD",
  value = "password"
}

Entry{
  name = "subject",
  type = "TEXT",
  value = "Comment for WebGoat"
}

Entry{
  name = "to",
  type = "HIDDEN",
  value = "[email protected]"
}

Entry{
  name = "SUBMIT",
  type = "SUBMIT",
  value = "Send!"


Note that the Lua script could be modified with one line of code to write only hidden input fields, but we do not in order to illustrate writing all input types to a persistent data store.

The 'read-hidden-values_15.lua' file only has to be modified ever so slightly.

First, modify the debug messages such as: 

  m.log(9, "entering Luascript read-hidden-values_15.lua")


Keep in mind that it is a good practice to include a word like 'luascript' in every debug message in order to be able to more easily search a debug file when necessary.

Next, to get the values from the POST request body: 

  local dprice = m.getvar("ARGS_POST.Price", "none")
  local to1 = m.getvar("ARGS_POST.to", "none")


Then, filter by the field names: 

   if dprice ~= nil and type:lower() == "hidden" and name == "Price" then ...

and: 

   if to1 ~= nil and type:lower() == "hidden" and name == "to" then ...
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_15.1_15.2&oldid=34648"