December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 8-2: Detecting Cookie Tampering
This recipe shows you how to identify when attackers attempt to change cookie data.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_40_appsensor_detection_point_2.3_session_exception.conf
- ModSecurity
- RESPONSE_HEADERS:Set-Cookie variable
- REQUEST_HEADERS:Cookie variable
- setsid action
- setvar action
Because applications take data submitted by clients within Cookie fields and act upon them, they become a ripe target for attackers. Cookie data may tell the application who you are, whether you have authenticated successfully, or what your role is within the application. Malicious users attempt to circumvent this logic by manipulating cookies to try to gain unauthorized access to data.
Sample Cookie-Based SQL Injection Attack
As an example, let’s look at the following dZemo bank login transaction:
POST /bank/login.aspx HTTP/1.1 Host: demo.testfire.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*; q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Proxy-Connection: keep-alive Referer: http://demo.testfire.net/bank/login.aspx Content-Type: application/x-www-form-urlencoded Content-Length: 42 Uid=bsmith&passw=Pa$$wd123&btnSubmit=Login HTTP/1.1 302 Found X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: /bank/main.aspx Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: ...