December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 6-6: Detecting Dynamic Content Changes
This recipe shows you how to monitor the response body content of HTML pages to determine when the amount of dynamic code present in the page changes.
Ingredients
- ModSecurity
- modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
- modsecurity_crs_40_appsensor_detection_point_2.1_response_exception.conf
- appsensor_response_enforce.lua
- appsensor_response_profile.lua
Do you know when dynamic content on your web application changes? More specifically, do you know when the number of JavaScript calls or iframe tags changes? You should, because the unexpected addition of these types of data calls often indicates that an attacker has successfully completed a cross-site scripting (XSS) or planting-of-malware attack.
To identify these page anomalies, we can use the ModSecurity Lua API to profile the normal page sizes for each resource and save that data in a persistent collection. The OWASP ModSecurity Core Rule Set includes a file called modsecurity_crs_40_appsensor_2.1_response_exception.conf, which includes the following rules that profile response data:
# # --[ Begin Profiling Phase ]-- # SecMarker BEGIN_RES_PROFILE_ANALYSIS SecRule RESPONSE_STATUS "^404$" "phase:5,id:'981099',t:none,nolog, pass,setvar:!resource.KEY,skipAfter:END_RES_PROFILE_ANALYSIS" SecRule RESPONSE_STATUS "^(5|4)" "phase:5,id:'981100',t:none,nolog, pass,skipAfter:END_RES_PROFILE_ANALYSIS" SecRule TX:ANOMALY_SCORE "!@eq 0" "phase:5,id:'981101',t:none,nolog, ...