December 2012
"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
#
# Some protocol violations are common in application layer attacks.
# Validating HTTP requests eliminates a large number of application
# layer attacks.
#
# The purpose of this rules file is to enforce HTTP RFC requirements
# that state how the client is supposed to interact with the server.
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
#
# Validate request line against the format specified in the HTTP RFC
#
# -=[ Rule Logic ]=-
#
# Uses rule negation against the regex for positive security. The
# regex specifies the proper construction of URI request lines such
# as:
#
# "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
#
# It also outlines proper construction for CONNECT, OPTIONS and GET
# requests.
#
# -=[ References ]=-
# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
#
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./] ...
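
The negated-allowlist logic described in the rule comments, as an added Python example (not code from the book or from the CRS): a request line is flagged when it does not match a pattern of well-formed lines. The pattern is a simplified one written for this example, not the truncated CRS regex above, and the names and sample request lines are constructed.

```python
import re

# Simplified allowlist pattern written for this example. It is NOT the CRS
# regex (truncated above); it only models the request-line forms named in
# the rule comments.
HOST = r"[A-Za-z0-9](?:[A-Za-z0-9.\-]*[A-Za-z0-9])?"
ABS_PATH = r"/[^\s?#]*(?:\?[^\s#]*)?"  # abs_path [ "?" query ]
ABS_URI = r"https?://" + HOST + r"(?::[0-9]{1,5})?(?:" + ABS_PATH + r")?"

TARGETS = [
    r"[A-Z]{3,10} (?:" + ABS_URI + "|" + ABS_PATH + ")",  # METHOD uri-or-path
    r"CONNECT " + HOST + r":[0-9]{1,5}",                  # CONNECT host:port
    r"OPTIONS \*",                                        # OPTIONS *
]
REQUEST_LINE = re.compile("(?:" + "|".join(TARGETS) + r") HTTP/[0-9]\.[0-9]")


def violates_rfc_format(request_line: str) -> bool:
    """Negated match: True means the line is outside the allowlist."""
    return REQUEST_LINE.fullmatch(request_line) is None


def audit(lines):
    """Return the request lines a blocking rule would act on."""
    return [line for line in lines if violates_rfc_format(line)]


# Constructed sample request lines (not taken from real traffic).
SAMPLES = [
    "GET /index.html HTTP/1.1",
    "GET http://www.example.com:8080/a/b?x=1 HTTP/1.1",
    "CONNECT www.example.com:443 HTTP/1.1",
    "OPTIONS * HTTP/1.1",
    "GET index.html HTTP/1.1",   # target is neither abs_path nor absolute URI
    "GET /a b HTTP/1.1",         # unencoded space inside the path
    "G3T / HTTP/1.1",            # method token is not alphabetic
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("BLOCK" if violates_rfc_format(line) else "pass ", repr(line))
```

Because the match is negated, anything the pattern does not describe is flagged, so a pattern stricter than the traffic a site legitimately receives shows up as false positives rather than missed requests.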