[Owasp-modsecurity-core-rule-set] Error in optional_rules/modsecurity_crs_43_csrf_protection.conf

Ryan Barnett RBarnett at trustwave.com
Tue Nov 30 14:17:39 EST 2010

On 11/30/10 2:05 PM, "Jeronimo Zucco" <jczucco at gmail.com> wrote:

> I am upgrading my servers to the ModSecurity 2.5.13 and core
> ruleset/2.0.10 and got this error in my config:
>  ModSecurity: Could not set variable "session.sessionid" as the
> collection does not exist.

This error is generated when a rule is using setvar:session.... However the
SESSION collection has not yet been initialized with the setsid action.

> In the default optional_rules/modsecurity_crs_43_csrf_protection.conf has:

Is this happening all the time or only when you initially started ModSec
with the new CRS 43 csrf rules?

> SecRule 
> REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|c
> f(id|token)|sid)/'
> ".*" "chain,phase:1,t:none,pass,nolog,auditlog,msg:'Invalid SessionID
> Submitted.',setsid:%{matched_var},setvar:tx.sessionid=%{matched_var},skipAfter
>        SecRule SESSION:VALID "!@eq 1" "t:none"
> SecAction 
> "phase:1,t:none,nolog,pass,setuid:%{session.username},setvar:session.sessionid
> =%{tx.sessionid}"

This initial section is checking to see if the client is submitting a
SESSIONID cookie value.  If they are, then it is using setsid to initialize
the collection with the session id being submitted by the client as the key.
The 2nd part of the chained rule is then looking to see if the SESSION
collection has a variable set called VALID, which is previously set by
ModSecurity (in the rules below) when the application is initially handing
out the SESSIONID in a Set-Cookie response header.  If the VALID variable is
not present, then the client has submitted a bogus SESSIONID value.

If the SESSIONID submitted is VALID, then it proceeds as normal.

> SecRule RESPONSE_HEADERS:/Set-Cookie2?/
> "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|s
> id)=([^\s]+)\;\s?)"
> "chain,phase:3,t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.session
> id=%{TX.6},setvar:session.valid=1"
>        SecRule SESSION:SESSIONID "(.*)"
> "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"

This ruleset is inspecting the response headers looking for Set-Cookie
headers that are sending common SessionID names.  If this is found, then a
SESSION collection is initialized with the SessionID as the key and a
variable called VALID is created.  We know this SESSIONID is valid since the
application is handing it out.

Do you have an audit_log example of this transaction?  You can then look to
see if the transaction has a SessionID in it or not.


More information about the Owasp-modsecurity-core-rule-set mailing list