Web Application Defender's Cookbook
book
by Ryan C. Barnett, Jeremiah Grossman
December 2012
Intermediate to advanced
552 pages
13h 16m
English
Wiley
Content preview from Web Application Defender's Cookbook
Recipe 14-6: Spoofing Successful Attacks
This recipe shows you how to use ModSecurity to mimic successful attack responses.
Ingredients
  • Apache
    • mod_headers
  • OWASP ModSecurity Core Rule Set
    • modsecurity_crs_41_sql_injection_attacks.conf
  • ModSecurity
    • STREAM_OUTPUT_BODY variable
    • @eq operator
    • @rsub operator
    • pause action
    • proxy action
    • setenv action
The response actions within this recipe are extensions of the honeytrap concepts discussed in Chapter 3. Building on response Recipe 14-5, which focused on lengthening the time-to-hack window by slowing down automated attack tools, we can use another technique to achieve similar results: making it appear to the attacker that the attack sent to the application actually worked. How can we do this? We will look at two specific examples.
CAPEC-7: Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages is considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine whether the syntax and structure of the injection were successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable ...
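The preview stops before the recipe's own rules, so the following is an added illustration (my wiring, not the book's recipe text) of how the listed ingredients fit together: the CRS SQL injection rules score a probe, `setenv`/`pause` mark and stall the transaction, `@rsub` on `STREAM_OUTPUT_BODY` rewrites the outbound page with a decoy error string, and mod_headers adds a header only on spoofed responses. It assumes ModSecurity 2.6+ on Apache, OWASP CRS 2.2.x already included earlier in the config (so `tx.sql_injection_score` is set), and placeholder rule ids 999901-999902.

```apache
# Added example, not taken from the book. Place AFTER the CRS include lines so
# that tx.sql_injection_score has already been computed by the phase 2 rules in
# modsecurity_crs_41_sql_injection_attacks.conf.

# Buffer the response body and expose it as STREAM_OUTPUT_BODY for @rsub.
SecResponseBodyAccess On
SecStreamOutBodyInspection On

# Phase 2: if the CRS SQLi rules scored this request, mark the transaction.
#  - setenv exports an Apache environment variable that mod_headers can test
#  - setvar keeps a TX flag for the phase 4 rule below
#  - pause:500 stalls the client for 500 ms so the "database" looks busy
SecRule TX:SQL_INJECTION_SCORE "@gt 0" \
    "phase:2,id:999901,t:none,log,pass,\
    msg:'SQLi probe detected - spoofing a successful response',\
    setenv:SPOOF_SQLI=1,setvar:tx.spoof_sqli=1,pause:500"

# Phase 4: on flagged transactions only (@eq), rewrite the body so the page
# carries the kind of database error text an injection tool looks for. The
# replacement string is a constructed decoy; the real application never
# emitted it. The chained rule edits STREAM_OUTPUT_BODY in place.
SecRule TX:SPOOF_SQLI "@eq 1" \
    "phase:4,id:999902,t:none,nolog,pass,chain"
    SecRule STREAM_OUTPUT_BODY \
        "@rsub s/<\/body>/<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version<\/p><\/body>/" \
        "t:none"

# mod_headers: add a decoy header only when SPOOF_SQLI was set by rule 999901,
# which also gives the defender a cheap marker to grep for in access logs.
Header set X-Powered-By "PHP/5.3.3" env=SPOOF_SQLI
```

Watch the audit log for id 999901 hits to confirm the spoofed path is taken, and keep `SecResponseBodyLimit` high enough that large pages are not skipped by the phase 4 rule.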
ISBN: 9781118417058