[Owasp-modsecurity-core-rule-set] patch for 2.2.5 CRS modsecurity_crs_16_session_hijacking.conf

Ryan Barnett ryan.barnett at owasp.org
Sun Nov 11 21:59:01 UTC 2012


Ben,
Please follow the steps here to submit a GitHub Pull request for updates -

http://www.modsecurity.org/developers/#GitHub

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs


On Nov 11, 2012, at 4:15 PM, Ben Williams <benwilliams+owasp at joobworld.com> wrote:

> Here are a couple of fixes I've made to the session hijacking CRS
> 2.2.5 rules in use with modsecurity 2.6.8.
> Some of our cookie names have been changed, so ASPSESSIONIDXXX did not
> match in RESPONSE_HEADERS:/Set-Cookie2?/ but did match in
> REQUEST_COOKIES.
> 
> Also there is a bug related to comparisons on collection keys that do
> not exist. When a request contains a cookie that has not been saved to
> the SESSION collection before, the intention is for tx.anomaly_score
> to be incremented by 5 (critical) and the rest of the checks skipped,
> but this does not happen. Any test on a collection key that does not
> exist always returns false. This means the test on SESSION:VALID "!@eq
> 1" returns false, when the intention is for it to return true if the
> session cookie has not been seen before.  And the following rules in
> the block are run which triggers 981059,981060,981061 to return true
> since it is a new session collection without ip_hash or ua_hash keys.
> 
> --
> Ben
> <modsecurity_crs_16_session_hijacking.conf.patch>
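The pitfall Ben describes, shown as an added ModSecurity rule fragment that is not the attached patch or CRS code: a negated operator on a SESSION key that does not exist never matches, while counting the key with the `&` prefix does detect a never-seen session. The rule ids 9000xx, the marker name, and the ASPSESSIONID cookie pattern are placeholders chosen for this example.

```apache
# Added example, not the CRS patch: existence check on a persistent
# collection key. Rule ids and marker name are placeholders.

# Phase 1: key the SESSION collection on the incoming session cookie value.
# Cookie-name pattern is a placeholder; use the name your application sets.
SecRule REQUEST_COOKIES:/^(?i:ASPSESSIONID[A-Z]+)$/ ".+" \
    "phase:1,id:'900010',t:none,pass,nolog,setsid:%{MATCHED_VAR}"

# BROKEN (the behaviour Ben reports): when SESSION:VALID was never stored,
# the operator has no variable to run against, so even the negated "!@eq 1"
# evaluates to false and this rule never fires for an unknown session.
SecRule SESSION:VALID "!@eq 1" \
    "phase:1,id:'900011',t:none,pass,nolog,\
    setvar:tx.anomaly_score=+5,skipAfter:END_SESSION_CHECK_EXAMPLE"

# WORKING: &SESSION:VALID counts how many SESSION:VALID variables exist.
# For a session never seen before that count is 0, so the rule fires,
# adds the critical score of 5, and skips the hash comparisons below.
SecRule &SESSION:VALID "@eq 0" \
    "phase:1,id:'900012',t:none,pass,nolog,\
    setvar:tx.anomaly_score=+5,skipAfter:END_SESSION_CHECK_EXAMPLE"

# Only reached for sessions already marked valid, so a new session no longer
# trips the ip_hash / ua_hash comparisons (cf. 981059-981061 in Ben's report).
SecRule SESSION:ip_hash "!@streq %{REMOTE_ADDR}" \
    "phase:1,id:'900013',t:none,pass,nolog,setvar:tx.anomaly_score=+5"
SecRule SESSION:ua_hash "!@streq %{REQUEST_HEADERS.User-Agent}" \
    "phase:1,id:'900014',t:none,pass,nolog,setvar:tx.anomaly_score=+5"

SecMarker END_SESSION_CHECK_EXAMPLE

# Phase 3: when the application itself issues the session cookie, mark the
# session valid and record the client fingerprint for later comparison.
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:ASPSESSIONID[A-Z]+=([^;\s]+))" \
    "phase:3,id:'900015',t:none,pass,nolog,capture,setsid:%{TX.1},\
    setvar:session.valid=1,setvar:session.ip_hash=%{REMOTE_ADDR},\
    setvar:session.ua_hash=%{REQUEST_HEADERS.User-Agent}"
```

The same existence check applies to any persistent collection key (IP, GLOBAL, USER): test `&COLLECTION:KEY` against 0 rather than negating a value comparison.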