John Wigley | 3 Nov 01:05

How to build a download token rule using a keyed hash ?

Hi all,

I've unsuccessfully been trying to create an example rule(s) that checks http requests for the presence of an authentication token, and blocks requests which do not contain a valid token.

For example:

http://downloadserver.tld/protected1.doc?token=nnnnnnnnnnn:xxxxxxxxxx

Where nnnnnnnnnnn is the desired unix epoch timestamp that the token expires, and
xxxxxxxxxx is a hex-encoded keyed hash constructed, for example, as SHA1("secret value" + "full file URL" + expiry time unix timestamp)
The rule would then have to verify just two things:

1) That the current unix epoch time <= nnnnnnnnnnn
&
2) That xxxxxxxxxx = SHA1("secret value" + "full file URL" + nnnnnnnnnnn)
 
 
I would be extremely grateful if someone could point me in the right direction with even a partial example of how to accomplish the hash comparison as a ModSecurity rule.
 
The exact format of the token is NOT important and it could be redesigned to whatever makes it easiest to verify with a ModSecurity rule. So for example the nnnnnnnnnn and xxxxxxxxx could be split up as ?tokenexpiry=nnnnnnnnn&tokenmac=xxxxxxxxx if that made it easier to verify. Similarly the hash construction could also be changed if needed.
 
As far as I can see this should be fairly straightforward to achieve in ModSecurity because it has the built-in transformation functions for the SHA1 and MD5 hashes, a hexEncode, as well as the TIME_EPOCH variable holding the current timestamp.
 
I realise that this could be done in a Lua script also, but I am trying to avoid that for performance and simplicity reasons. I would have thought that a token-based download rule would've been discussed before (and would be a fairly useful and common requirement), but a long search of Google and of the list archives hasn't turned up anything.
 
I will happily write up the solution for a FAQ entry when/if achieved.
 
Thanks in advance for any assistance,
 
John
------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
Rob Greenwood | 3 Nov 11:53

XMLRPC Payload Rule

Hi,

I want to block all XML-RPC calls to a specific URL, unless a specific function is called.

So far, I have:

SecRule REQUEST_URI "^/RPC" "phase:2,chain"

Now I need to do a rule that inspects the payload of the XML RPC call, and block everything unless a specific function is used.

The payload getting posted through is as follows:

"POST /RPC2 HTTP/1.1\r\nAccept: */*\r\nConnection: keep-alive\r\nUser-Agent: XMLRPC::Client (Ruby 1.8.7)\r\nContent-Type: text/xml; charset=utf-8\r\nContent-Length: 225\r\nHost: 192.168.1.1\r\n\r\n"

"<?xml version=\"1.0\" ?><methodCall><methodName>session.login_with_password</methodName><params><param><value><string></string></value></param><param><value><string></string></value></param></params></methodCall>\n

The thing I want to restrict is the methodName namespace, so I'd like to be able to say that if it doesn't equal a particular thing, then block the request. For the time being, let's say I only want to allow session.login_with_password

Is this possible, if so how?

Thanks in advance!

Fabian Martintoni | 3 Nov 14:29

Posting HTML contents

Hi all,
today I've upgraded modsecurity to 2.5.10-r1 and more than half of my web 
applications are giving me a headache.

The more troublesome issue is (at least for now) that I cannot understand how 
I can send HTML contents with a form...

For example... I have a form with a WYSIWYG editor (FCKeditor, TinyMCE etc.); 
how can I allow it to send its data? Every attempt is blocked by modsecurity:

[msg "Detects obfuscated script tags and XML wrapped HTML"]
[msg "Detects basic directory traversal"]
[msg "finds attribute breaking injections including obfuscated attributes"]
[msg "finds html breaking injections including whitespace attacks"]
[msg "Detects possibly malicious html elements including some attributes"]

I really need help on this thing, please.

Fabian


Ryan Barnett | 3 Nov 15:41

Re: Posting HTML contents

Fabian,
This is a CRS issue so for future issues please use the OWASP CRS mailing list
(https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set).  I am
cross-posting this to both lists.

You bring up an important and challenging issue related to detecting XSS attacks, and that is how to identify
malicious payloads while still allowing benign html content.  Here are a few items to consider -

1) For the CRS v2 - you can add some exception rules to the 48 local exceptions file so that you can adjust the
anomaly score based on the authorized page/parameter you have for the FCKeditor app, etc.  If you send
some audit log data related to these html posts, I could show you a more specific exception example.

2) What language is your app written in?  If it is php - then you could look at installing something like
htmlpurifier to help weed out bad html from good html - http://htmlpurifier.org/

3) On a similar front - look at something like the OWASP AntiSamy app.

Hope this helps,
Ryan

________________________________________
From: Fabian Martintoni [assistenza <at> alfait.org]
Sent: Tuesday, November 03, 2009 8:29 AM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] Posting HTML contents

Hi all,
today I've upgraded modsecurity to 2.5.10-r1 and more than half of my web
applications are giving me headache.

The more troublesome issue is (at least for now) that I cannot understand how
I can send HTML contents with a form...

For example... I have a form with an wysiwyg editor (FCKeditor, TinyMce etc)
how can I allow him to send his data? Every try is blocked by modsecurity:

[msg "Detects obfuscated script tags and XML wrapped HTML"]
[msg "Detects basic directory traversal"]
[msg "finds attribute breaking injections including obfuscated attributes"]
[msg "finds html breaking injections including whitespace attacks"]
[msg "Detects possibly malicious html elements including some attributes"]

I really need help on this thing, please.

Fabian


Brian Rectanus | 3 Nov 20:02

Re: How to build a download token rule using a keyed hash ?

John Wigley wrote:
> Hi all,
>
> I've unsuccessfully been trying to create an example rule(s) that checks
> http requests for the presence of an authentication token, and blocks
> requests which do not contain a valid token.
>
> For example:
>
> http://downloadserver.tld/protected1.doc?token=nnnnnnnnnnn:xxxxxxxxxx
>
> Where nnnnnnnnnnn is the desired unix epoch timestamp that the token
> expires, and
> xxxxxxxxxx is a HEX encoded keyed hash constructed for example as
> SHA1("secret value" + "full file URL" + expiry time unix timestamp)
> The rule would then have to verify just two things:
>
> 1) That the current unix epoch time <= nnnnnnnnnnn
> &
> 2) That xxxxxxxxxx = SHA1("secret value" + "full file URL" + nnnnnnnnnnn)
> I would be extremely grateful if someone could point me in the right
> direction with even a partial example of how to accomplish the hash
> comparison as a ModSecurity rule.
> The exact format of the token is NOT important and it could be
> redesigned to whatever makes it easiest to verify with a ModSecurity
> rule. So for example the nnnnnnnnnn and xxxxxxxxx could be split up as
> ?tokenexpiry=nnnnnnnnn&tokenmac=xxxxxxxxx if that made it easier to
> verify. Similarly the hash construction could also be changed if needed.
> As far as I can see this should be fairly straightforward to achieve in
> ModSecurity because it has the built-in transformation functions for the
> SHA1 and MD5 hashes, a hexEncode, as well as the TIME_EPOCH variable
> holding the current timestamp.
> I realise that this could be done in a LUA script also but I am trying
> to avoid that for performance and simplicity reasons. I would have
> thought that a token based download rule would've been discussed before
> (and would be a fairly useful and common requirement) but a long Google
> search of Google and of the list archives hasn't turned up anything.
> I will happily write up the solution for a FAQ entry when/if achieved.
> Thanks in advance for any assistance,
> John

Something like this (untested, but hopefully gives you a starting point 
with the logic):

# Deny if a protected URL has no token or more than one
SecRule &ARGS_GET:token "!@eq 1" "chain,phase:1,deny,t:none"
SecRule REQUEST_URI "^/+protected" "t:none,t:lowercase"

# Grab the token expiry (group 1) and hash value (group 2)
SecRule ARGS_GET:token "^(\d+):(.+)$" \
   "phase:1,capture,pass,nolog,t:none,\
    setvar:tx.tokexp=%{tx.1},setvar:tx.tokval=%{tx.2}"

# Deny if expired
SecRule TX:tokexp "@le %{TIME_EPOCH}" \
   "phase:1,deny,t:none"

# Generate the token data to hash. REQUEST_FILENAME is the request path
# without the query string; REQUEST_URI would include the token itself.
SecAction \
   "phase:1,pass,nolog,\
    setvar:tx.tokdata=TheSecret%{REQUEST_FILENAME}%{tx.tokexp}"

# Deny if not a valid hash. The transformations apply to TX:tokdata (not to
# the macro), so the client-supplied value must be lowercase hex.
SecRule TX:tokdata "!@streq %{tx.tokval}" \
   "phase:1,deny,t:none,t:sha1,t:hexEncode"

-B

-- 
Brian Rectanus
Breach Security
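A Python reference implementation of the same checks, added here and not part of Brian's rules or John's post: it mints a token with the thread's secret-prefix SHA1 construction (kept so the digest matches what t:sha1,t:hexEncode produces on the server; an HMAC would be the usual keyed construction) and verifies it the way the rule chain does, including the count, expiry and constant-time hash checks. The secret "TheSecret", the host and the paths are placeholders taken from the thread.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Placeholder secret, same literal as in the rule sketch above.
SECRET = "TheSecret"


def token_data(path: str, expiry: int) -> str:
    """String that gets hashed: secret + request path + expiry.

    Mirrors tx.tokdata in the rule: the secret, then the file path without
    the query string, then the expiry as decimal digits.
    """
    return f"{SECRET}{path}{expiry}"


def make_token(path: str, expiry: int) -> str:
    """Mint a token of the form 'expiry:hexdigest' for one protected path."""
    digest = hashlib.sha1(token_data(path, expiry).encode()).hexdigest()
    return f"{expiry}:{digest}"


def make_url(base: str, path: str, expiry: int) -> str:
    """Build the download URL the issuing application would hand out."""
    return f"{base}{path}?token={make_token(path, expiry)}"


def verify_url(url: str, now: int) -> str:
    """Return 'ok' or the reason the request would be denied.

    Same order as the rule chain: exactly one token argument, token shape,
    expiry against the clock (expiry <= now is expired, like @le), and
    finally the hash comparison.
    """
    parts = urlsplit(url)
    tokens = parse_qs(parts.query).get("token", [])
    if len(tokens) != 1:
        return "deny: token count != 1"
    exp_str, sep, mac = tokens[0].partition(":")
    if not sep or not exp_str.isdigit() or not mac:
        return "deny: malformed token"
    expiry = int(exp_str)
    if expiry <= now:
        return "deny: expired"
    expected = hashlib.sha1(token_data(parts.path, expiry).encode()).hexdigest()
    # Constant-time comparison so the verifier leaks no timing about the MAC.
    if not hmac.compare_digest(expected, mac.lower()):
        return "deny: bad hash"
    return "ok"
```

Because the path is part of the hashed data, a token minted for protected1.doc is rejected on protected2.doc, which is the property the REQUEST_URI/REQUEST_FILENAME choice in the rule has to preserve.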

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html

Brian Rectanus | 3 Nov 20:08

Re: XMLRPC Payload Rule

Rob Greenwood wrote:
> Hi,
>
> I want to block all XML-RPC calls to a specific URL, unless a specific
> function is called.
>
> So far, I have..;
>
> SecRule REQUEST_URI "^/RPC" "phase:2,chain"
>
> Now I need to do a rule that inspects the payload of the XML RPC call,
> and block everything unless a specific function is used.
>
> The payload getting posted through is as follows..;
>
> "POST /RPC2 HTTP/1.1\r\nAccept: */*\r\nConnection:
> keep-alive\r\nUser-Agent: XMLRPC::Client (Ruby 1.8.7)\r\nContent-Type:
> text/xml; charset=utf-8\r\nContent-Length: 225\r\nHost: 192.168.1.1\r\n\r\n"
>
> "<?xml version=\"1.0\"
> ?><methodCall><methodName>session.login_with_password</methodName><params><param><value><string></string></value></param><param><value><string></string></value></param></params></methodCall>\n
>
> The thing I want to restrict is the methodName namespace, so I'd like to
> be able to say that if it doesn't equal a particular thing, then block
> the request. For the time being, let's say I only want to allow
> session.login_with_password
>
> Is this possible, if so how?
>
> Thanks in advance!

You should enable the XML processor (ctl:requestBodyProcessor) for this 
URI and/or Content-Type.

http://modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N116EB

Then, you can use xpath to check the method name.  Be sure to also check 
XML processing errors.

http://modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N113C9

OR

You could also force the population of REQUEST_BODY 
(ctl:forceRequestBodyVariable) and then use a regex for the method name.

-B

-- 
Brian Rectanus
Breach Security
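An added Python model of the two routes Brian describes, not code from the thread or from ModSecurity: an XML parse with an XPath-style lookup of methodName (parse errors and ambiguous structures are treated as failures, as he advises) next to a regex over the raw body. The allowlist and the sample body are taken from Rob's post.

```python
import re
import xml.etree.ElementTree as ET

# Only the method Rob wants to allow for now.
ALLOWED_METHODS = {"session.login_with_password"}

# Body from the thread (both string params are empty there as well).
SAMPLE_BODY = (
    '<?xml version="1.0" ?><methodCall>'
    '<methodName>session.login_with_password</methodName>'
    '<params><param><value><string></string></value></param>'
    '<param><value><string></string></value></param></params>'
    '</methodCall>\n'
)


def method_name_xpath(body: str):
    """XML processor route: return the single methodName text, or None.

    None covers a parse error, a root other than methodCall, and zero or
    several methodName elements, so an XML error is never mistaken for
    'no method found'.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    names = root.findall("./methodName")
    if len(names) != 1 or names[0].text is None:
        return None
    return names[0].text.strip()


# Regex route (forceRequestBodyVariable + a regex on REQUEST_BODY).
METHOD_RE = re.compile(r"<methodName>\s*([^<\s]+)\s*</methodName>")


def method_name_regex(body: str):
    """Return the method name only when exactly one clean match exists."""
    names = METHOD_RE.findall(body)
    return names[0] if len(names) == 1 else None


def decide(body: str, extractor=method_name_xpath) -> str:
    """Allow only an unambiguous call to an allowlisted method."""
    name = extractor(body)
    if name is None:
        return "deny: unparseable or ambiguous methodCall"
    if name not in ALLOWED_METHODS:
        return f"deny: method {name!r} not allowed"
    return "allow"
```

The regex route only sees the raw bytes, so an entity reference or comment inside methodName makes the two extractors disagree; that is why the XML processor is the safer default when the upstream server parses the body as XML.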


Ivan Ristic | 3 Nov 20:18

Fwd: [WEB SECURITY] method to bypass mod_security

FYI...

---------- Forwarded message ----------
From: Dmitry Evteev <devteev <at> ptsecurity.com>
Date: Tue, Nov 3, 2009 at 10:46 AM
Subject: [WEB SECURITY] method to bypass mod_security
To: websecurity <at> webappsec.org

A new method to bypass mod_security and conduct SQL injection was
discovered. You can view the materials at:

http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.html

- - - - - - - - - - - - - - -
Best Regards, Dmitry Evteev
Positive Technologies Co.
Tel.: (495) 744-0144
Web: http://www.ptsecurity.ru

-- 
Ivan Ristic
Security assessment of your SSL servers
https://www.ssllabs.com/ssldb/
Ivan Ristic | 3 Nov 20:29

Fwd: [WEB SECURITY] method to bypass mod_security

Ah, it seems that the rules from 2.5.10 catch this issue.

---------- Forwarded message ----------
From: Ryan Barnett <rcbarnett <at> gmail.com>
Date: Tue, Nov 3, 2009 at 5:15 PM
Subject: Re: [WEB SECURITY] method to bypass mod_security
To: Dmitry Evteev <devteev <at> ptsecurity.com>
Cc: websecurity <at> webappsec.org

On Tue, Nov 3, 2009 at 5:46 AM, Dmitry Evteev <devteev <at> ptsecurity.com> wrote:
>
> A new method to bypass mod_security and conduct SQL injection was discovered. You can view the
> materials at:
>
> http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.html
>
>

In your example tests, you are using an older version of ModSecurity
(2.5.9) which also uses an older version of the Core Rule Set (CRS).
I suggest you test this with the new v2 CRS rules -
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

In these newer rules - we have implemented some comment evasion
detection rules that stand on their own rather than only being used in
rule data transformations.  I just tested the example attack payloads
you listed on your site and they are all detected.

--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com/

-- 
Ivan Ristic
Security assessment of your SSL servers
https://www.ssllabs.com/ssldb/


Ryan Barnett | 3 Nov 20:40

Re: Fwd: [WEB SECURITY] method to bypass mod_security

Right.

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett <at> Breach.com 
www.Breach.com 


----- Original Message -----
From: Ivan Ristic <ivan.ristic <at> gmail.com>
To: mod-security-users <at> lists.sourceforge.net <mod-security-users <at> lists.sourceforge.net>
Sent: Tue Nov 03 14:29:20 2009
Subject: [mod-security-users] Fwd: [WEB SECURITY] method to bypass mod_security
Brian Rectanus | 3 Nov 20:57

[Fwd: Re: XMLRPC Payload Rule]

I don't have a good example other than those in the docs.  Those seem 
pretty straight forward.  Maybe send us what you have tried and someone 
can comment on what you may be missing?

-B

-- 
Brian Rectanus
Breach Security
