Detecting Request that uses invalid Encoding using Modsecurity

Posted by Ali Ahmad on Server Fault See other posts from Server Fault or by Ali Ahmad
Published on 2013-06-26T09:12:36Z Indexed on 2013/06/26 10:22 UTC
Read the original article Hit count: 397

Filed under:

mod-security

|

web-applications

|

web-application-firewall

I am trying write a virtual patch using modsecurity for my hosted web application using following rule i.e.

<Location /index.php>
SecDefaultAction phase:2,t:none,log,deny
# Validate parameter names
SecRule ARGS_NAMES "!^(articleid)$" \
"msg:'Unknown parameter: %{MATCHED_VAR_NAME}'"
# Expecting articleid only once
SecRule &ARGS:articleid "!@eq 1" \
"msg:'Parameter articleid seen more than once'"
# Validate parameter articleid
SecRule ARGS:articleid "!^[0-9]{1,10}$" \
"msg:'Invalid parameter articleid'"
</Location>

The problem is how can i reject requests that use invalid encoding as a global WAF configuration so that this patch cannot be circumvented.

© Server Fault or respective owner

Related posts about mod-security

ModSecurity compile error on nginx

as seen on Server Fault - Search for 'Server Fault'
I'm trying to install ModSecurity on nginx with the following instructions : wget https://github.com/SpiderLabs/ModSecurity/archive/master.zip unzip master cd ModSecurity-master ./autogen.sh ./configure --enable-standalone-module And i got the following error : Checking plataform... Identified… >>> More
modsecurity apache mod-security.conf missing

as seen on Server Fault - Search for 'Server Fault'
Greetings Serverfaultians. I'm not a server guy as you can see from my noob score of 1 point. But maybe those more versed can help me. I'm using Ubuntu v13.10 32-bit Server and Apache2 v2.4.6 and I'm trying to set up and configure modsecurity and modevasive on an internet-exposed production/test… >>> More
How to detect brute force in mod-security

as seen on Server Fault - Search for 'Server Fault'
I checked the core rules set in the mod-security but it's didn't contain the rules related to Brute-Force Attack!!! Did anyone know how to write the rules or the existing rules for this kind of Attack! Thanks in advanced, >>> More
Necesity of ModSecurity if Apache is behind Nginx

as seen on Server Fault - Search for 'Server Fault'
I have my Apache installed behind Nginx. So every request that comes in is first handeled by Nginx. If there is dynamic content needed the request is send to Apache which listens on port 8080. Pretty basic reverse proxy setup. Now with this setup the first entry point is Nginx. Is it still needed… >>> More
Detecting Request that uses invalid Encoding using Modsecurity

as seen on Server Fault - Search for 'Server Fault'
I am trying write a virtual patch using modsecurity for my hosted web application using following rule i.e. <Location /index.php> SecDefaultAction phase:2,t:none,log,deny # Validate parameter names SecRule ARGS_NAMES "!^(articleid)$" \ "msg:'Unknown parameter: %{MATCHED_VAR_NAME}'" # Expecting… >>> More

Related posts about web-applications

Modularizing web applications

as seen on Stack Overflow - Search for 'Stack Overflow'
Hey all, I was wondering how big companies tend to modularize components on their page. Facebook is a good example: There's a team working on Search that has its own CSS, javascript, html, etc.. There's a team working on the news feed that has its own CSS, javascript, html, etc… >>> More
Adding AJAX Support to Windows Mobile Web Applications

as seen on Internet.com - Search for 'Internet.com'
In this article, you will learn how you can utilize AJAX scripts even in Web applications targeted for Windows Mobile applications. >>> More
Globalize your Web Applications: The Universal Character Set

as seen on Internet.com - Search for 'Internet.com'
This fourth article the Globalize your Web Applications series deals with something that's at the forefront of your web apps: the character sets. More specifically, we'll be taking a look at the Universal Character Set (UCS) and its role in creating multilingual web pages. >>> More
Globalize your Web Applications: PHP's Locale Formatting Classes

as seen on Internet.com - Search for 'Internet.com'
In part 3 of the Globalize your Web Applications series, we'll be exploring PHP's I18N_Number and I18N_Currency classes, both of which are part of the I18N Libraries. >>> More
Singleton pattern in web applications

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm using a singleton pattern for the datacontext in my web application so that I dont have to instantiate it every time, however I'm not sure how web applications work, does IIS open a thread for every user connected? if so, what would happend if my singleton is not thread safe? Also, is it OK to… >>> More