December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
Recipe 15-1: JavaScript Cookie Testing
This recipe shows you how to validate browser clients by issuing a JavaScript cookie test.
Ingredients
- ModSecurity
- SecContentInjection directive
- SecStreamOutBodyInspection directive
- STREAM_OUTPUT_BODY variable
- @rsub operator
When your web application is under a severe attack, it is helpful to be able to identify real clients using web browsers from automated client programs. One method of doing this is to issue a JavaScript cookie test. You simply send some JavaScript to the client that creates a new cookie value. If the client is using a real web browser, it will most likely automatically create the cookie value and submit it back with subsequent requests. If the client is an automated attack program or script, however, it does not execute the JavaScript code. If the client does not execute JavaScript, the cookie is not created, and we can easily identify the client as nonhuman.
The first step is to use ModSecurity to dynamically add JavaScript calls in the HTML header tag to include our new browser validation cookie code. These rules add the code to the main page URL by using the @rsub operator to inject our code after the HTML <head> tag:
SecContentInjection On
SecStreamOutBodyInspection On
SecRule REQUEST_FILENAME "@streq /" "chain,phase:4,t:none,nolog
,pass"
SecRule &IP:NOT_BOT_SENT "!@eq 0" "chain"
SecRule STREAM_OUTPUT_BODY "@rsub s/<head>/<head>
<script>document.cookie = \
"not_bot=10e82e54fad29fad98a5a67eb90c5a02c4b6942f\; ...Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.