Recipe 6-1: Detecting Response Header Anomalies
This recipe shows you how to identify anomalous response header content.
Ingredients
- ModSecurity
- RESPONSE_STATUS variable
- REQUEST_COOKIES variable
- REQUEST_COOKIES_NAMES variable
- REQUEST_FILENAME variable
- ARGS_NAMES variable
- ARGS variable
- XML variable
- SecRule directive
- SecAction directive
- Lua API
- appsensor_response_profile.lua
- appsensor_response_enforce.lua
Much in the same way that we analyzed inbound request headers for anomalies in Chapter 5, we can review the outbound response headers. We want to focus on three main areas:
- HTTP status codes
- HTTP response splitting attacks
- Malware redirection attacks
HTTP Status Codes
HTTP status codes offer the client a general status for the transaction. There are five different code levels, with many subcategories:
- 100: Informational
- 100 Continue
- 101 Switching Protocols
- 200: Success
- 200 OK
- 201 Created
- 202 Accepted
- 203 Non-Authoritative Information
- 204 No Content
- 205 Reset Content
- 206 Partial Content
- 300: Redirection
- 300 Multiple Choices
- 301 Moved Permanently
- 302 Found
- 303 See Other
- 304 Not Modified
- 305 Use Proxy
- 306 (Unused)
- 307 Temporary Redirect
- 400: Client errors
- 400 Bad Request
- 401 Unauthorized
- 402 Payment Required
- 403 Forbidden
- 404 Not Found
- 405 Method Not Allowed
- 406 Not Acceptable
- 407 Proxy Authentication Required
- 408 Request Timeout
- 409 Conflict
- 410 Gone
- 411 Length Required
- 412 Precondition Failed
- 413 Request Entity Too Large
- 414 Request-URI Too Long
- 415 Unsupported ...
Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
