

Viewing changes to rules/optional_rules/modsecurity_crs_55_application_defects.conf

  • Committer: Bazaar Package Importer
  • Author(s): Alberto Gonzalez Iniesta
  • Date: 2011-03-23 18:36:29 UTC
  • Revision ID: james.westby@ubuntu.com-20110323183629-8rwn0362sqqqqbgl
Tags: upstream-2.5.13
Import upstream version 2.5.13




 
1
# ---------------------------------------------------------------
 
2
# Core ModSecurity Rule Set ver.2.0.10
 
3
# Copyright (C) 2006-2010 Trustwave All rights reserved.
 
4
#
 
5
# The ModSecurity Core Rule Set is distributed under GPL version 2
 
6
# Please see the enclosed LICENCE file for full details.
 
7
# ---------------------------------------------------------------
 
8
 
 
9
 
 
10
#
 
11
# XSS Detection - Missing Output Encoding
 
12
#
 
13
SecAction "phase:1,nolog,pass,initcol:global=xss_list"
 
14
 
 
15
#
 
16
# Identifies Reflected XSS
 
17
# If malicious input (with Meta-Characters) is echoed back in the reply non-encoded.
 
18
#
 
19
SecRule &ARGS "@gt 0" "chain,phase:4,t:none,log,auditlog,deny,status:403,id:'1',msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded.',logdata:'%{tx.inbound_meta-characters}'"
 
20
        SecRule ARGS "([\'\"\(\)\;<>#])" "chain,t:none"
 
21
                SecRule MATCHED_VAR "^.{15,}$" "chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}"
 
22
                        SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E"
 
23
 
 
24
#
 
25
# Check to see if TX XSS Data is already in the GLOBAL list.  If it is - expire it.
 
26
SecRule GLOBAL:'/XSS_LIST_.*/' "@streq %{tx.inbound_meta-characters}" "phase:4,t:none,nolog,pass,skip:1"
 
27
SecRule TX:INBOUND_META-CHARACTERS ".*" "phase:4,t:none,nolog,pass,setvar:global.xss_list_%{time_epoch}=%{matched_var}"
 
28
 
 
29
#
 
30
# Identifies Stored XSS
 
31
# If malicious input (with Meta-Characters) is echoed back on any page non-encoded.
 
32
SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" "phase:4,t:none,log,auditlog,pass,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded',tag:'WEB_ATTACK/XSS'"
 
33
 
 
34
#
 
35
# Identifies SessiondIDs without HTTPOnly flag
 
36
#
 
37
 
 
38
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "phase:3,t:none,pass,nolog,setvar:tx.sessionid=%{matched_var}"
 
39
 
 
40
SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "phase:3,t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag.'"
 
41
 
 
42
SecRule SERVER_PORT "@streq 443" "chain,phase:3,t:none,pass,log,auditlog,msg:'AppDefect: Missing Secure Cookie Flag.'"
 
43
 SecRule TX:SESSIONID "!(?i:\;? ?secure;?)" "t:none,setenv:secure_cookie=%{matched_var}"
 
44
 
 
45
SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "chain,phase:3,t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly and Secure Cookie Flag.'"
 
46
 SecRule SERVER_PORT "@streq 443" "chain,t:none"
 
47
  SecRule TX:SESSIONID "!(?i:\;? ?secure;?)" "t:none,setenv:secure_httponly_cookie=%{matched_var}"
 
48
 
 
49
Header set Set-Cookie "%{httponly_cookie}e; HTTPOnly" env=httponly_cookie
 
50
Header set Set-Cookie "%{secure_cookie}e; Secure" env=secure_cookie
 
51
Header set Set-Cookie "%{secure_httponly_cookie}e; Secure; HTTPOnly" env=secure_httponly_cookie
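Review bot: The three `Header set Set-Cookie ...` directives at the end of the file (lines 49-51) replace every Set-Cookie header in the response with the single captured session cookie, so any other cookie the application sets in the same response is silently dropped whenever one of the env flags fires. Since `setvar:tx.sessionid=%{matched_var}` on line 38 already holds only the matched header value, the remediation only needs to append the missing flag; `Header edit Set-Cookie "^(.*)$" "$1; HttpOnly" env=httponly_cookie` (and the same shape for the Secure and combined cases) would do that without discarding the remaining headers, though whether `edit` touches all Set-Cookie headers or only the first one should be confirmed against the Apache version this package targets. Separately, the comment on line 25 says a duplicate entry is expired, but the rule on line 26 only `skip:1`s past the insert and nothing ever `expirevar`s `global.xss_list_*`, so the GLOBAL collection grows by one key per distinct payload for the lifetime of the persistent store; the comment should read `# If the TX XSS data is already in the GLOBAL list, skip re-adding it (entries are never expired).` or an `expirevar` should be added.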