Ryan Barnett | 5 Feb 13:58 2009

Re: Question regarding Disruptive Actions: "Proxy"

From: derek wang [mailto:derekwang77 <at> gmail.com]
Sent: Thursday, February 05, 2009 12:13 AM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] Question regarding Disruptive Actions: "Proxy"

Dear All,

I am a beginner with Mod-Security and have a question regarding the usage of the Proxy disruptive action.

My scenario is to set up 2 mirrored web sites: SiteA production and SiteB Honeypot server.

My expectation is that any evil HTTP request will go to the CORRESPONDING URL on the Honeypot server while a legal request reaches the production server. Does Mod-Security+Mod-proxy support this?

I tried the following (let's take SQL injection as an example):

SiteA: localhost:80
SiteB: localhost:8888 (honeypot)

1. On SiteA, I configured Mod-Security and added "proxy:http://localhost:8888" on the SQL injection SecRule

2. Access: http://localhost/1/test.jsp?id=1&union select ...

I expect that mod-security would act as a reverse proxy, and it should access the same page with http://localhost:8888/1/test.jsp?id=1&union ..... (while the URL still shows http://localhost/1/test.jsp?id=1&union select ...)

However, my test result shows that I got the home page of http://localhost:8888 (while the URL is still http://localhost/1/test.jsp?id=1&union select ...)

Did I miss anything, or is it by-design behavior for the proxy disruptive action?

[Ryan Barnett] I ran some tests and encountered the same thing that you did – that the requested filename data is missing from the proxied request.  Fortunately, this can be fixed by using macro expansion in the proxy action like this – proxy:http://192.168.1.104:8888%{request_filename}.  I just tested the following basic rule –

SecRule ARGS "select" "phase:2,t:lowercase,log,proxy:http://192.168.1.104:8888%{request_filename}"

I then had a netcat listener at 192.168.1.104 on port 8888.  I then sent a WebGoat POST request which contained an SQL Injection string and it was properly proxied to the netcat listener –

$ nc -l -p 8888
POST /WebGoat/attack?Screen=801&menu=1600 HTTP/1.1
Host: 192.168.1.104:8888
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: http://www.webgoat.net/WebGoat/attack?Screen=801&menu=1600
Cookie: JSESSIONID=D798FE268D317B360020B9D797EFF2A1
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Max-Forwards: 10
X-Forwarded-For: 192.168.1.104
X-Forwarded-Host: www.webgoat.net
X-Forwarded-Server: www.example.com
Connection: Keep-Alive
Content-Length: 148

QTY=UNION+SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES--+&SUBMIT=Purchase&Price=2999.99

Thanks a lot and have a nice day!

 

Regards,

Derek
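The netcat listener in the thread only dumps the forwarded request to the terminal. As an added example (not code from the thread or from the ModSecurity project), here is a small Python receiver for the honeypot side that parses what mod_proxy forwards into a log record: the path the client originally asked for (which survives once the proxy target ends in %{request_filename}), the real client address from X-Forwarded-For, the original Host from X-Forwarded-Host, and the decoded form body. The listening port, the placeholder 200 response and the trimmed sample capture are assumptions; the sample itself is built from the request Ryan's listener printed above.

```python
"""Honeypot-side receiver for requests forwarded by ModSecurity's proxy action.

Added example; not code from the mailing-list thread or the ModSecurity project.
Assumptions: the honeypot listens on port 8888 (the proxy: target in the rule)
and answers a bland 200 page; a real honeypot would mirror SiteA's content.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

HONEYPOT_PORT = 8888  # assumption: same port as the proxy: target in the rule


def header(headers, name):
    """Case-insensitive header lookup over any object that offers .items()."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def summarize_proxied_request(method, target, headers, body):
    """Build a JSON-serialisable record of one forwarded request."""
    parts = urlsplit(target)
    forwarded_for = header(headers, "X-Forwarded-For") or ""
    # mod_proxy appends the requesting address to X-Forwarded-For; with a single
    # proxy hop (the ModSecurity host) the first entry is the original client
    client = forwarded_for.split(",")[0].strip() or None
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "client": client,
        "original_host": header(headers, "X-Forwarded-Host"),
        "proxy_host": header(headers, "X-Forwarded-Server"),
        "form": parse_qs(body.decode("latin-1"), keep_blank_values=True) if body else {},
    }


def parse_raw_request(raw):
    """Parse a captured HTTP/1.x request (bytes, as netcat would print it)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # capture pasted with bare newlines
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    length = int(header(headers, "Content-Length") or len(body))
    return summarize_proxied_request(method, target, headers, body[:length])


# Sample input: the request Ryan's netcat listener printed in the thread,
# with most headers trimmed; Content-Length kept as printed there.
SAMPLE_CAPTURE = (
    b"POST /WebGoat/attack?Screen=801&menu=1600 HTTP/1.1\r\n"
    b"Host: 192.168.1.104:8888\r\n"
    b"Cookie: JSESSIONID=D798FE268D317B360020B9D797EFF2A1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"X-Forwarded-For: 192.168.1.104\r\n"
    b"X-Forwarded-Host: www.webgoat.net\r\n"
    b"X-Forwarded-Server: www.example.com\r\n"
    b"Content-Length: 148\r\n"
    b"\r\n"
    b"QTY=UNION+SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES--+"
    b"&SUBMIT=Purchase&Price=2999.99"
)


class HoneypotHandler(BaseHTTPRequestHandler):
    """Log each forwarded request as one JSON line, then serve a bland page."""

    def _handle(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length) if length > 0 else b""
        record = summarize_proxied_request(self.command, self.path, self.headers, body)
        self.log_message("%s", json.dumps(record))
        payload = b"<html><body>OK</body></html>"  # assumption: placeholder page
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _handle


if __name__ == "__main__":
    print(json.dumps(parse_raw_request(SAMPLE_CAPTURE), indent=2))
    HTTPServer(("0.0.0.0", HONEYPOT_PORT), HoneypotHandler).serve_forever()
```

Run it on the honeypot host in place of `nc -l -p 8888`; the record it logs for the sample capture shows `/WebGoat/attack` as the path, which is exactly the part Derek's original `proxy:http://localhost:8888` target was dropping.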
