Recipe 13-4: Data Sharing with Request Header Tagging
This recipe shows you how to share security event information with other security systems by adding request header data.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_49_header_tagging.conf
- Apache
- mod_headers header
- ModSecurity
- TX:ANOMALY_SCORE variable
- REQUEST_BODY variable
- @eq operator
- setvar action
- setenv action
A common security architecture is to deploy a web application firewall within a demilitarized zone (DMZ) network segment to act as a reverse proxy for protected web applications. With this setup, the WAF can inspect requests and decide whether to allow the transaction to continue and proxy it onto the downstream web application it is protecting. This setup works well for obvious attack traffic, but there may be some situations in which the WAF identifies some lower-level security issues. However, they are not at a level that would cause the traffic to be blocked. In these situations, intelligence is lost when the WAF sends the request to the destination web application. Wouldn’t it be great if your WAF could share its data with the application it is protecting? This concept is called request header tagging.
This concept is similar in theory to antispam SMTP applications that add additional MIME headers to e-mails, providing the spam detection analysis information. If your e-mail server uses this type of spam filtering, you may be able to view the source of your e-mail message and ...
Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
