Recipe 5-7: Detecting Invalid URI Data
This recipe shows you how to identify invalid URI data usage.
Ingredients
- OWASP AppSensor8
- Violation of Implemented White Lists
- ModSecurity
- @rx operator
HTTP RFC 2616 defines the proper format for the HTTP scheme with optional components:
"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]On the basis of this information, we can enforce compliance with this format for inbound HTTP requests. The OWASP ModSecurity Core Rule Set includes the following rule within the modsecurity_crs_20_protocol_violations.conf file:
# # Some protocol violations are common in application layer attacks. # Validating HTTP requests eliminates a large number of application # layer attacks. # # The purpose of this rules file is to enforce HTTP RFC requirements # that state how the client is supposed to interact with the server. # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html # # Validate request line against the format specified in the HTTP RFC # # -=[ Rule Logic ]=- # # Uses rule negation against the regex for positive security. The # regex specifies the proper construction of URI request lines such # as: # # "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] # # It also outlines proper construction for CONNECT, OPTIONS and GET # requests. # # -=[ References ]=- # https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911 # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 # SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./] ...Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
