[Owasp-modsecurity-core-rule-set] Working new AppDefect Rule - Charset Checks

Ryan Barnett RBarnett at trustwave.com
Thu Apr 21 09:26:31 EDT 2011

I am working on some new Application Defect rules for the CRS based on the Watcher application - http://websecuritytool.codeplex.com/wikipage?title=Checks<http://websecuritytool.codeplex.com/wikipage?title=Checks#charset>

The one I am currently working is the Charset Check - http://websecuritytool.codeplex.com/wikipage?title=Checks#charset

There are two current checks listed by Watcher, however the first check that I am testing is to raise an alert if a web app/resource does not include a charset declaration at all for text/html data in either the Content-Type Response Header or in a meta http-equiv html code block in the response body.  I have some rules that are working -

SecRule &RESOURCE:CHARSET_CHECK "@eq 0" "chain,phase:4,t:none,pass,log,msg:'Character Set (Charset) Not Specified for Response Content.',logdata:'%{response_content_type}',setvar:resource.charset_check=1,expirevar:resource.charset_check=86400"
        SecRule &RESOURCE:MISSING_CHARSET "@eq 0" "chain"
                SecRule RESPONSE_HEADERS:Content-Length "!^0$" "chain"
                        SecRule RESPONSE_BODY "!@contains <meta http-equiv=\"content-type\" content=\"text/html; charset=" "chain"
                                SecRule RESPONSE_CONTENT_TYPE "(?i:^text/html;?$)" "setvar:resource.missing_charset=1,expirevar:resource.missing_charset=86400"

I was running some tests by configuring my apache install to be an open proxy and then having my browser use it as a proxy while browsing public sites such as google, facebook, amazon, and cnn.  What I am trying to figure out if this should be tracked per/site or per/resource.  As you can see with the example rules, we only want periodic alerting of defects (vs. alerting each time when we see attacks).  The idea for appdefect detection is to alert the admin to a config issue but not to flood them with alerts.  With the example rules above, we are storing RESOURCE variables to do alert suppression so it will only alert on the issue 1/day.  The alert suppression/periodic alerting works fine, however I am not sure for this issue if it is better to track this per/resource or per/site.  Per resource seems more accurate, however there may be many more alerts generated.  What I was seeing while browsing to these sites is that oftentimes there are subdomains that don't set charset at all.  So, you would essentially have a flood of alerts for that subdomain.  On the flip side (false negative), if we only tracked this in a GLOBAL site collection, if one resource correctly declares charset, then there might be other resources that don't and we would not alert on it….

So, I wanted to get some feedback from the community on which persistent collection you think we should track this appdefect issue in – GLOBAL or RESOURCE?

Comments welcome,

More information about the Owasp-modsecurity-core-rule-set mailing list