Tuesday, March 12, 2013

ModSecurity Whitelisting

From the owasp.org/index.php/Virtual_Patching_Cheat_Sheet example.


How I'd do it:

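# Whitelist: allow the request only when every rule in the chain matches:
# the script is exportsubscribers.php, the request carries exactly one
# argument, and that argument is a query-string reqID of 1 to 10 digits.
SecRule SCRIPT_BASENAME "^exportsubscribers\.php$" "allow,chain"
SecRule &ARGS ^1$ chain
SecRule ARGS_GET:reqID "^\d{1,10}$"

# Anything else sent to exportsubscribers.php is logged and rejected with a 400.
SecRule SCRIPT_BASENAME "^exportsubscribers\.php$" "log,deny,auditlog,status:400,msg:'Whitelist entry not found for %{SCRIPT_BASENAME}'"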


This gives:

[Tue Mar 12 13:49:15 2013] [error] [client 192.168.1.2] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^exportsubscribers\\.php$" at SCRIPT_BASENAME. [file "/etc/apache2/conf.d/modsec.conf"] [line "19"] [msg "Whitelist entry not found for exportsubscribers.php"] [hostname "waftest.hackme"] [uri "/exportsubscribers.php"] [unique_id "UT9qm38AAQEAAAYCDcYAAAAB"]
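
A simplified Python model of the two rules above, useful as a regression table for what the whitelist should allow and reject. It is an added example, not part of the original post and not ModSecurity code; the decide() helper, its return labels and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Python equivalents of the two patterns; fullmatch() supplies the ^...$ anchoring.
SCRIPT_RE = re.compile(r"exportsubscribers\.php")
REQID_RE = re.compile(r"\d{1,10}", re.ASCII)


def decide(url, body=""):
    """Return 'allow', 'deny-400' or 'not-covered' for one request.

    Assumptions of this model: `url` is the request URI, `body` an optional
    urlencoded POST body, and the last path segment stands in for
    SCRIPT_BASENAME (ModSecurity derives it from the script file name).
    """
    parts = urlsplit(url)
    basename = parts.path.rsplit("/", 1)[-1]
    if not SCRIPT_RE.fullmatch(basename):
        return "not-covered"          # neither rule applies to this script
    get_args = parse_qsl(parts.query, keep_blank_values=True)
    post_args = parse_qsl(body, keep_blank_values=True)
    # Chain link 2 (&ARGS): exactly one argument, query string and body combined.
    if len(get_args) + len(post_args) != 1:
        return "deny-400"
    # Chain link 3 (ARGS_GET:reqID): a query-string reqID of 1 to 10 digits.
    # The name is compared case-insensitively, as ModSecurity does for
    # collection keys.
    for name, value in get_args:
        if name.lower() == "reqid" and REQID_RE.fullmatch(value):
            return "allow"
    return "deny-400"                 # chain failed, the deny rule fires


# Constructed sample requests (URI, POST body).
SAMPLES = [
    ("/exportsubscribers.php?reqID=1234", ""),
    ("/exportsubscribers.php?reqID=12345678901", ""),
    ("/exportsubscribers.php?reqID=12ab", ""),
    ("/exportsubscribers.php?reqID=1&debug=1", ""),
    ("/exportsubscribers.php", ""),
    ("/exportsubscribers.php", "reqID=1234"),
    ("/index.php?reqID=abc", ""),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(f"{decide(url, body):12} {url} body={body!r}")
```

The bare /exportsubscribers.php request in the table is the case shown in the log entry above: no arguments, so the chain fails and the 400 rule fires.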



I'm open to any bypass comments ;-)
