[Owasp-modsecurity-core-rule-set] [mod-security-users] CSRF Protection

Ryan Barnett ryan.barnett at breach.com
Tue Mar 23 11:24:14 EDT 2010


On Tuesday 23 March 2010 11:16:03 Chris Datfung wrote:
> I'm trying to implement CSRF protection in an app based on Ryan's example
> from the WAF Patching Challenge Whitepaper. My app uses a dynamic session
> token name where only the first four characters (SESS) are static. An
> example cookie name is:
> 
> SESSbe7bfb0d134fa57e567359f4e62cf41d
> 
> The problem I have is how to implement this rule:
> 
> SecRule &ARGS "@ge 1" "chain,phase:2,t:none,deny,log,msg:'CSRF Attack
> Detected - Invalid Token.'"
>  SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{request_cookies.jsessionid}"
> 
> How do I compare MODSEC_CSRF_TOKEN to a cookie name where I only know the
> first four characters? I tried:
> 
> SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{request_cookies./^SESS/}
> 
> but that obviously didn't work. Any ideas how I can do this?
> 
> Thanks
>   Chris

How appropriate as I was getting ready to send out some announcements soon that we will be 
migrating some of the commercial Enhanced Rule Set (ERS) items to the CRS and CSRF 
protection rules are one of them :)

Once I add these rules to the CRS, I will send a note to the OWASP CRS mail-list with 
usage info.

-Ryan

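One way to express the comparison Chris is asking about, as an added example that is not part of this thread, the CRS, or the WAF Patching Challenge whitepaper: ModSecurity 2.x lets a collection be selected with a regular expression (`REQUEST_COOKIES:/^SESS/`), but a macro such as `%{request_cookies.jsessionid}` cannot take a regex. So the cookie value is first captured into a transaction variable, and the submitted token is then compared against that. The `SESS` prefix, the `MODSEC_CSRF_TOKEN` parameter and the deny/log structure come from the quoted rule; the rule ids, the `tx.sess_token` name and the marker name are placeholders chosen for this example.

```apache
# Added example (not from the thread or the CRS). Assumes ModSecurity 2.x and a
# session cookie whose name starts with "SESS" (e.g. SESSbe7bfb0d134fa57e...).
# Rule ids 9001xx are placeholders; choose ids that do not collide with the CRS.

# 1. Select the session cookie by a regex on its name and capture its value.
#    TX.1 holds the first capture group; a plain macro cannot do this lookup.
SecRule REQUEST_COOKIES:/^SESS/ "^(.+)$" \
    "phase:2,id:900101,t:none,nolog,pass,capture,setvar:tx.sess_token=%{TX.1}"

# 2. Only enforce when a session cookie was actually found. Without this,
#    an empty tx.sess_token would be compared against the submitted token.
SecRule &TX:sess_token "@eq 0" \
    "phase:2,id:900102,t:none,nolog,pass,skipAfter:END_CSRF_CHECK"

# 3. A negated operator such as "!@streq" never matches when its target is
#    absent, so the chain in the question lets a request through if it simply
#    omits MODSEC_CSRF_TOKEN. Reject a missing token explicitly first.
SecRule &ARGS "@ge 1" \
    "chain,phase:2,id:900103,t:none,deny,log,msg:'CSRF Attack Detected - Missing Token.'"
    SecRule &ARGS:MODSEC_CSRF_TOKEN "@eq 0"

# 4. Same structure as the rule quoted in the question, comparing against the
#    captured cookie value instead of a fixed cookie name.
SecRule &ARGS "@ge 1" \
    "chain,phase:2,id:900104,t:none,deny,log,msg:'CSRF Attack Detected - Invalid Token.'"
    SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{tx.sess_token}"

SecMarker END_CSRF_CHECK
```

All four rules run in phase 2 so that both the cookie and the request body parameters are available. If more than one cookie name matches `^SESS`, the last one evaluated wins the `setvar`, so the prefix should be specific enough to identify a single session cookie. Whether the token should be the raw session-cookie value or a value derived from it is a design decision outside this example; the block only reproduces the comparison the quoted rule already makes.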