Recipe 5-13: Detecting Parameter Character Class Anomalies
This recipe demonstrates how to identify when attackers use unexpected characters in the parameter payloads.
Ingredients
- OWASP AppSensor15
- Unexpected Type of Characters in Parameter
- ModSecurity
- modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
- modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf
- appsensor_request_exception_enforce.lua
- appsensor_request_exception_profile.lua
After the Lua profiling scripts outlined in Recipe 1-1 have completed for this resource, we have the following learned profile:
Resolved macro %{request_headers.host} to: 192.168.168.128 Resolved macro %{request_filename} to: /dvwa/vulnerabilities/brute/ Read variable: name "__expire_KEY", value "1334936349". Read variable: name "KEY", value "192.168.168.128_/dvwa/ vulnerabilities/brute/". Read variable: name "TIMEOUT", value "3600". Read variable: name "__key", value "192.168.168.128_/dvwa/ vulnerabilities/brute/". Read variable: name "__name", value "resource". Read variable: name "CREATE_TIME", value "1334932695". Read variable: name "UPDATE_COUNTER", value "10". Read variable: name "min_pattern_threshold", value "5". Read variable: name "min_traffic_threshold", value "10". Read variable: name "traffic_counter", value "10". Read variable: name "ARGS:username_length_8_counter", value "5". Read variable: name "ARGS:password_length_9_counter", value "5". Read variable: name "LAST_UPDATE_TIME", value "1334932749". ...Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
