# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# The rules in this file are considered experimental/beta rules. They attempt to address
# some advanced attacks, use some new ModSecurity features or new rules language techniques.
# HTTP Parameter Pollution (HPP)
# One HPP attack vector is to try to evade signature filters by distributing the attack payload
# across multiple parameters with the same name. This works as many security devices only
# apply signatures to individual parameter payloads; however, the back-end web application
# may (in the case of ASP.NET) consolidate all of the payloads into one thus making the
# attack payload active.
# The ruleset below is not looking for attacks directly, but rather is a crude normalization
# function that mimics ASP.NET with regard to joining the payloads of parameters with the
# same name. These rules will create a new TX:HPP_DATA variable that will hold this data.
# If you have enabled PARANOID_MODE, then this variable data will also be searched against
# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
# Chain starter (id 960022), evaluated in phase 2 with nolog,pass: this rule
# neither logs nor blocks; it only records state in the TX collection.
# The pattern "^" matches every argument value, including an empty one, and
# for each match the setvar increments a TX counter named after the argument
# (tx.ARGS:<name>), so a name sent more than once ends up with a count above 1.
# NOTE(review): the TX variable name is built from the client-supplied
# parameter name - confirm that unusual characters in names are handled as
# expected by the installed ModSecurity version.
SecRule ARGS "^" "chain,phase:2,t:none,nolog,pass,capture,id:'960022',rev:'2.0.5',setvar:tx.%{matched_var_name}=+1"
# Gate: matches TX variables whose name starts with "ARGS:" and whose value is
# greater than 1, so the chain continues only when some parameter name occurs
# more than once in the request.
SecRule TX:/^ARGS:/ "@gt 1" "chain,t:none"
# Extracts the "ARGS:<name>" part from the name of the matched TX counter
# (capture group 1) and stores it in tx.hpp_names.
# NOTE(review): tx.hpp_names is assigned, not appended to, so it holds a single
# name. If a request repeats several different parameter names, it looks like
# only one of them is carried forward - confirm which, and whether that is
# acceptable for the rules that later read tx.hpp_data.
SecRule MATCHED_VAR_NAME "TX:(ARGS:.*)" "chain,capture,t:none,setvar:tx.hpp_names=%{tx.1}"
# Snapshots every argument: ".*" with capture places the whole value in tx.0,
# tx.arg_counter is incremented per match, and the pair
# "<matched_var_name>=<value>" is stored as tx.hppnamedata_<counter>.
# The single quotes around the second setvar keep the embedded "=" and macros
# inside one action argument.
SecRule ARGS ".*" "chain,t:none,capture,setvar:tx.arg_counter=+1,setvar:'tx.hppnamedata_%{tx.arg_counter}=%{matched_var_name}=%{tx.0}'"
# Selects the stored name=value entries that contain the text held in
# tx.hpp_names and copies each one into tx.hpp_counter_<n>.
# NOTE(review): @contains is a substring test over the whole "name=value"
# string, not an exact match on the name. An entry whose name merely starts
# with the duplicated name (constructed example: ARGS:id vs ARGS:id2), or whose
# value happens to contain that text, is selected as well, so tx.hpp_data can
# include values from parameters that were not actually repeated.
SecRule TX:/HPPNAMEDATA_/ "@contains %{tx.hpp_names}" "chain,setvar:tx.hpp_counter=+1,setvar:tx.hpp_counter_%{tx.hpp_counter}=%{matched_var}"
# Last rule of the chain: splits each selected "ARGS:<name>=<value>" entry and
# appends the value part (capture group 2) to tx.hpp_data, comma-separated, to
# approximate the joined value a back end such as ASP.NET would see.
# NOTE(review): the first group "(.*)?" is greedy, so the split happens at the
# LAST "=" in the entry. A value that itself contains "=" contributes only the
# text after its final "=" (constructed example: value "1=1" yields "1"), which
# means the normalized string can differ from what the application receives and
# signatures applied to tx.hpp_data may miss such payloads. Confirm whether a
# split at the first "=" was intended.
# NOTE(review): each append is written as "<existing>,<value>", so the result
# presumably begins with a leading comma on the first append - verify that
# consumers of tx.hpp_data tolerate it.
SecRule TX:/HPP_COUNTER_/ "ARGS:(.*)?=(.*)" "capture,setvar:'tx.hpp_data=%{tx.hpp_data},%{tx.2}'"