Recipe 6-6: Detecting Dynamic Content Changes
This recipe shows you how to monitor the response body content of HTML pages to determine when the amount of dynamic code present in the page changes.
Ingredients
- ModSecurity
- modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
- modsecurity_crs_40_appsensor_detection_point_2.1_response_exception.conf
- appsensor_response_enforce.lua
- appsensor_response_profile.lua
Do you know when dynamic content on your web application changes? More specifically, do you know when the number of JavaScript calls or iframe tags changes? You should, because the unexpected addition of these types of data calls often indicates that an attacker has successfully completed a cross-site scripting (XSS) or planting-of-malware attack.
To identify these page anomalies, we can use the ModSecurity Lua API to profile the normal page sizes for each resource and save that data in a persistent collection. The OWASP ModSecurity Core Rule Set includes a file called modsecurity_crs_40_appsensor_2.1_response_exception.conf, which includes the following rules that profile response data:
# # --[ Begin Profiling Phase ]-- # SecMarker BEGIN_RES_PROFILE_ANALYSIS SecRule RESPONSE_STATUS "^404$" "phase:5,id:'981099',t:none,nolog, pass,setvar:!resource.KEY,skipAfter:END_RES_PROFILE_ANALYSIS" SecRule RESPONSE_STATUS "^(5|4)" "phase:5,id:'981100',t:none,nolog, pass,skipAfter:END_RES_PROFILE_ANALYSIS" SecRule TX:ANOMALY_SCORE "!@eq 0" "phase:5,id:'981101',t:none,nolog, ...Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
