Stephen Craig Evans | 30 Jun 12:18

How to save value of a query string parameter then use it in Phase 4?

Hi,

This might be easy but it's not clear to me how to do this from
reading the reference manual (especially 'setvar' and MATCHED_VAR) and
going through all of the rules files that I have at my disposal.

In Phase 2, I want to save the value of a get query string parameter,
say "menu=700".

So the rule might start off as:
SecRule ARGS_GET:menu ...

and somehow I need to set a variable with the value 700.

Then in Phase 4 I want to access the value and invoke a rule if a
match, otherwise bypass the rule
SecRule  ???  "!@eq 700" "t:none,pass,skip:2"
SecRule RESPONSE_BODY "..."  "phase:4:..."

How can I do this?

Any help is appreciated.
Stephen


christian.folini | 30 Jun 13:44

Re: How to save value of a query string parameter then use it in Phase 4?

Hey Stephen,

Looks like you are busy working on your project...

I'd implement it as follows:

SecRule ARGS:menu "^(.*)$" "phase:2,pass,setvar:tx.menu=%{MATCHED_VAR}"
SecRule TX:MENU "!@eq 700" "phase:4,deny"

But maybe I did not get your question correctly.

regs,

Christian

-----Original Message-----
From: mod-security-users-bounces <at> lists.sourceforge.net
[mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Stephen Craig Evans
Sent: Monday, 30 June 2008 12:20
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] How to save value of a query string parameter then use it in Phase 4?

Hi,

This might be easy but it's not clear to me how to do this from reading the reference manual (especially
'setvar' and MATCHED_VAR) and going through all of the rules files that I have at my disposal.

In Phase 2, I want to save the value of a get query string parameter, say "menu=700".

So the rule might start off as:
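Added example (not part of any poster's message and not code from the ModSecurity project): the two-rule pattern from the reply above, combined with the conditional skip asked for in the original question, written for ModSecurity 2.x. The rule ids, the default value 0 and the response-body pattern are constructed for illustration.

```apache
# Added illustration; ids, default value and body pattern are constructed.
# Phase 4 can only inspect the body when response buffering is on.
SecResponseBodyAccess On

# Give tx.menu a default so the phase-4 test always has a variable to
# evaluate. A rule whose target does not exist never matches, so without
# this default a request with no "menu" parameter would NOT be skipped.
SecAction "phase:2,id:900100,pass,nolog,setvar:tx.menu=0"

# Save the parameter only when it is purely numeric (@eq compares integers).
# Note the dot in tx.menu: setvar takes collection.name, while rule targets
# use the colon form TX:menu.
SecRule ARGS_GET:menu "^\d+$" \
    "phase:2,id:900101,t:none,pass,nolog,setvar:tx.menu=%{MATCHED_VAR}"

# Phase 4: when the saved value is not 700, skip the next rule.
# skip only jumps over rules in the same phase.
SecRule TX:menu "!@eq 700" "phase:4,id:900110,t:none,pass,nolog,skip:1"
SecRule RESPONSE_BODY "CONSTRUCTED-SENSITIVE-MARKER" \
    "phase:4,id:900111,t:none,deny,status:403,msg:'Marker in menu=700 response'"
```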

Ryan Barnett | 30 Jun 15:46

Re: How to save value of a query string parameter then use it in Phase 4?

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net
> [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Stephen Craig Evans
> Sent: Monday, June 30, 2008 6:20 AM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] How to save value of a query string
> parameter then use it in Phase 4?
> 
> Hi,
> 
> This might be easy but it's not clear to me how to do this from
> reading the reference manual (especially 'setvar' and MATCHED_VAR) and
> going through all of the rules files that I have at my disposal.
> 
> In Phase 2, I want to save the value of a get query string parameter,
> say "menu=700".
> 
> So the rule might start off as:
> SecRule ARGS_GET:menu ...
> 
> and somehow I need to set a variable with the value 700.
> 
> Then in Phase 4 I want to access the value and invoke a rule if a
> match, otherwise bypass the rule
> SecRule  ???  "!@eq 700" "t:none,pass,skip:2"
> SecRule RESPONSE_BODY "..."  "phase:4:..."
> 
[Ryan Barnett] There are a number of ways to approach these types of

Stephen Craig Evans | 30 Jun 15:58

Re: How to save value of a query string parameter then use it in Phase 4?

Hi,

Ryan, you are correct but in this case I have to set this value at the
beginning of phase 2, then I'll be accessing it throughout numerous
more *.conf files and in both Phases 2 & 4.

Christian, that worked. Fantastic. I set it in my init.conf file (that
has my global settings), then accessed it correctly in Phase 4 after
going through 3 other conf files.

I guess I should call it a night. I typed in "setvar:tx:menu" instead
of "setvar:tx.menu" and that cost me over an hour of debugging ;-(

Thanks guys,
Stephen

On Mon, Jun 30, 2008 at 9:46 PM, Ryan Barnett <Ryan.Barnett <at> breach.com> wrote:
>> -----Original Message-----
>> From: mod-security-users-bounces <at> lists.sourceforge.net
>> [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Stephen Craig Evans
>> Sent: Monday, June 30, 2008 6:20 AM
>> To: mod-security-users <at> lists.sourceforge.net
>> Subject: [mod-security-users] How to save value of a query string
>> parameter then use it in Phase 4?
>>
>> Hi,
>>
>> This might be easy but it's not clear to me how to do this from

Christian Folini | 30 Jun 21:31

Re: How to save value of a query string parameter then use it in Phase 4?

On Mon, Jun 30, 2008 at 09:58:07PM +0800, Stephen Craig Evans wrote:
> Hi,
> 
> Ryan, you are correct but in this case I have to set this value at the
> beginning of phase 2, then I'll be accessing it throughout numerous
> more *.conf files and in both Phases 2 & 4.

In fact I had the same thing in mind as Ryan, but then I thought
you must have your reasons for reading and saving in phase two.

> I guess I should call it a night. I typed in "setvar:tx:menu" instead
> of "setvar:tx.menu" and that cost me over an hour of debugging ;-(

:) good to see, these kinds of things do not happen to me alone.

Stephen, I think this mailing list would profit, if you would
comment a bit on your project. How are you getting along?

cheers,

Christian

-- 
Communications without intelligence is noise;  
Intelligence without communications is irrelevant.
--- Gen Alfred. M. Gray, USMC


Re: How to save value of a query string parameter then use it in Phase 4?

Hi Christian,

> Stephen, I think this mailinglist would profit, if you would
> comment a bit on your project. How are you getting along?

I'm doing an OWASP Summer of Code project which is using ModSecurity
(2.5) to mitigate as many of the vulnerabilities as possible in
WebGoat (5.2).

Being overloaded by my day job caused me to get a very late start, but I've
been working furiously on the project and aim to reach 50% by the end
of next week (Fri July 11). For those interested, check at that date
from here:
https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project
for project progress and details (there is nothing posted now).

To reach the 50% milestone, I'm aiming to mitigate 50% of the
vulnerabilities (which means preventing the WebGoat lessons from being
solved) that are the low-hanging fruit. Both ModSecurity & WebGoat
were new to me, so it's taken a while to get up to speed on those,
learn a cool ruleset-making tool called Remo (!), and install all of
that and install/configure other bits such as Apache and Tomcat (on
Kubuntu 7.10).

For the 2nd half:
- deploy ModSecurity as a reverse proxy (now I'm using it in embedded mode)
- mitigate as many of the rest of the vulnerabilities as possible; I'm
looking forward to the juicy stuff like business logic flaws and
hopefully some Lua programming
