Web Application Defender's Cookbook
book
by Ryan C. Barnett, Jeremiah Grossman
December 2012
Intermediate to advanced
552 pages
13h 16m
English
Wiley
Content preview from Web Application Defender's Cookbook
Recipe 11-1: Detecting Large File Sizes
This recipe shows you how to use ModSecurity to enforce limits on the size of file uploads.
Ingredients
  • OWASP ModSecurity Core Rule Set (CRS)
    • modsecurity_crs_10_setup.conf
    • modsecurity_crs_23_request_limits.conf
  • ModSecurity
    • FILES_SIZES variable
    • FILES_COMBINED_SIZE variable
    • @gt operator
CWE-119: Uncontrolled Resource Consumption (“Resource Exhaustion”)
Limited resources include memory, file system storage, database connection pool entries, or CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources. This would prevent valid users from accessing the software, and it could potentially have an impact on the surrounding environment. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system.
Sample Attack
If the target web application does not restrict the size of files accepted for a file uploading resource, attackers may be able to cause a denial-of-service condition by filling up the local disk storage on the web server.
Preventing Large File Uploads
You can implement file upload restrictions using the following ModSecurity rules. The OWASP ModSecurity Core Rule Set includes the following variable definitions in the modsecurity_crs_10_setup.conf ...
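The following ModSecurity configuration is an added example, not text from the book or rules from the OWASP Core Rule Set. It shows how the ingredients listed above (FILES_SIZES, FILES_COMBINED_SIZE and the @gt operator) fit together to reject oversized uploads. The rule ids, the threshold values and the tx.max_file_size / tx.combined_file_sizes variable names are assumptions chosen for this example.

```apache
# Added example (not from the book or the OWASP CRS): enforce upload size limits
# with the variables and operator named in the recipe. Rule ids, thresholds and
# the tx.* variable names are assumptions chosen for this example.

# Multipart file parts are only visible to rules when body access is enabled.
SecRequestBodyAccess On

# Define the limits once (phase 1) so both rules below reference the same values.
SecAction "id:100000,phase:1,nolog,pass,t:none,\
  setvar:tx.max_file_size=1048576,\
  setvar:tx.combined_file_sizes=5242880"

# FILES_SIZES is a collection holding the size of each uploaded file part.
# Deny the request if any single part exceeds tx.max_file_size (1 MiB here).
SecRule FILES_SIZES "@gt %{tx.max_file_size}" \
  "id:100001,phase:2,t:none,deny,status:413,log,\
  msg:'Uploaded file exceeds per-file size limit',\
  logdata:'size=%{MATCHED_VAR} limit=%{tx.max_file_size}'"

# FILES_COMBINED_SIZE is the total size of all uploaded file parts.
# Deny the request if the total exceeds tx.combined_file_sizes (5 MiB here).
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
  "id:100002,phase:2,t:none,deny,status:413,log,\
  msg:'Combined upload size exceeds limit',\
  logdata:'size=%{MATCHED_VAR} limit=%{tx.combined_file_sizes}'"
```

Both rules run in phase 2 because file sizes are only known once ModSecurity has parsed the request body. A rejected upload produces an audit log entry carrying the offending size and the configured limit, which is what an operator needs when tuning the thresholds for a given application. These rules complement, rather than replace, the SecRequestBodyLimit directive, which caps the entire request body before any rule is evaluated.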
ISBN: 9781118417058