December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 5-6: Detecting Request Method Anomalies
This recipe demonstrates how to figure out when abnormal HTTP request methods are being used for a resource.
Ingredients
- OWASP AppSensor7
- Unexpected HTTP Command
- ModSecurity
- modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
- modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf
- appsensor_request_exception_enforce.lua
- appsensor_request_exception_profile.lua
Global Request Method Allowed List
The first aspect of the HTTP request data to inspect is the request method. The OWASP ModSecurity Core Rule Set allows the administrator to define which HTTP request methods are allowed for the entire site in the modsecurity_crs_10_config.conf file:
#
# -=[ HTTP Policy Settings ]=-
#
# Set the following policy settings here and they will be propagated
# to the 30 rules file (modsecurity_crs_30_http_policy.conf) by
# using macro expansion. If you run into false positives, you can
# adjust the settings here.
#
SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \ setvar:'tx.allowed_request_content_type= application/x-www-form-urlencoded|multipart/form-data text/xml| application/xml|application/x-amf', \ setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \ setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ ...