[Owasp-modsecurity-core-rule-set] [mod-security-users] CSRF Protection
Junyong Jiang
dreamice.jiang at gmail.com
Tue Mar 23 11:36:04 EDT 2010
Good news. Can you share some information in advance? :)
2010/3/23 Ryan Barnett <ryan.barnett at breach.com>
> On Tuesday 23 March 2010 11:16:03 Chris Datfung wrote:
> > I'm trying to implement CSRF protection in an app based on Ryan's example
> > from the WAF Patching Challenge Whitepaper. My app uses a dynamic session
> > token name where only the first four characters (SESS) are static. An
> > example cookie name is:
> >
> > SESSbe7bfb0d134fa57e567359f4e62cf41d
> >
> > The problem I have is how to implement this rule:
> >
> > SecRule &ARGS "@ge 1" "chain,phase:2,t:none,deny,log,msg:'CSRF Attack
> > Detected - Invalid Token.'"
> > SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{request_cookies.jsessionid}"
> >
> > How do I compare MODSEC_CSRF_TOKEN to a cookie name where I only know the
> > first four characters. I tried:
> >
> > SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{request_cookies./^SESS/}"
> >
> > but that obviously didn't work. Any ideas how I can do this?
> >
> > Thanks
> > Chris
>
> How appropriate, as I was getting ready to send out some announcements soon
> that we will be migrating some of the commercial Enhanced Rule Set (ERS)
> items to the CRS, and CSRF protection rules are one of them :)
>
> Once I add these rules to the CRS, I will send a note to the OWASP CRS
> mail-list with usage info.
>
> -Ryan
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
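One way to handle the dynamic cookie name Chris asks about, as an added example that is not part of this thread and not Ryan's whitepaper or CRS code: ModSecurity 2.x accepts a regex selector (`/^SESS/`) in a rule's variable target but not inside a macro expansion such as `%{request_cookies.name}`, so the cookie value is first copied into a transaction variable and the token is then compared against that. The variable name `tx.session_token`, the rule ids and the use of `MATCHED_VAR` (available in ModSecurity 2.5 and later) are assumptions of this example.

```apache
# Phase 1: capture the value of the cookie whose name starts with "SESS".
# The regex selector works in the target list, which is where a dynamic
# cookie name has to be resolved. ".*" always matches, so the rule's only
# effect is the setvar action; it passes and does not log.
# tx.session_token and the ids are names chosen for this example.
SecRule REQUEST_COOKIES:/^SESS/ ".*" \
    "phase:1,t:none,pass,nolog,id:'900100',setvar:tx.session_token=%{MATCHED_VAR}"

# Phase 2: any request carrying parameters must present a MODSEC_CSRF_TOKEN
# parameter equal to the captured session cookie value (the whitepaper's
# chain, with the macro pointing at the transaction variable instead of a
# fixed cookie name).
SecRule &ARGS "@ge 1" \
    "chain,phase:2,t:none,deny,log,id:'900101',msg:'CSRF Attack Detected - Invalid Token.'"
    SecRule ARGS:MODSEC_CSRF_TOKEN "!@streq %{tx.session_token}" "t:none"

# A request with parameters but no token parameter at all is rejected too:
# the !@streq rule above cannot match when ARGS:MODSEC_CSRF_TOKEN is absent,
# so the missing case needs its own chain.
SecRule &ARGS "@ge 1" \
    "chain,phase:2,t:none,deny,log,id:'900102',msg:'CSRF Attack Detected - Missing Token.'"
    SecRule &ARGS:MODSEC_CSRF_TOKEN "@eq 0"
```

If no SESS cookie is present, `tx.session_token` stays empty and every token fails the comparison, which is the safe default for a request that should be in a session. As in the whitepaper, scoping these rules to the application's state-changing requests (and excluding the login page that issues the session cookie) is left to the deployer.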