December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 5-13: Detecting Parameter Character Class Anomalies
This recipe demonstrates how to identify when attackers use unexpected characters in the parameter payloads.
Ingredients
- OWASP AppSensor15
- Unexpected Type of Characters in Parameter
- ModSecurity
- modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
- modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf
- appsensor_request_exception_enforce.lua
- appsensor_request_exception_profile.lua
After the Lua profiling scripts outlined in Recipe 1-1 have completed for this resource, we have the following learned profile:
Resolved macro %{request_headers.host} to: 192.168.168.128 Resolved macro %{request_filename} to: /dvwa/vulnerabilities/brute/ Read variable: name "__expire_KEY", value "1334936349". Read variable: name "KEY", value "192.168.168.128_/dvwa/ vulnerabilities/brute/". Read variable: name "TIMEOUT", value "3600". Read variable: name "__key", value "192.168.168.128_/dvwa/ vulnerabilities/brute/". Read variable: name "__name", value "resource". Read variable: name "CREATE_TIME", value "1334932695". Read variable: name "UPDATE_COUNTER", value "10". Read variable: name "min_pattern_threshold", value "5". Read variable: name "min_traffic_threshold", value "10". Read variable: name "traffic_counter", value "10". Read variable: name "ARGS:username_length_8_counter", value "5". Read variable: name "ARGS:password_length_9_counter", value "5". Read variable: name "LAST_UPDATE_TIME", value "1334932749". ...