File: modsecurity_crs_43_csrf_protection.conf

package info (click to toggle)
modsecurity-crs 2.2.9-1+deb8u1
  • links: PTS
  • area: main
  • in suites: jessie
  • size: 3,064 kB
  • ctags: 219
  • sloc: perl: 1,002; ansic: 727; ruby: 69; makefile: 18
file content (109 lines) | stat: -rw-r--r-- 3,518 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.9
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under 
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#
# You must have also activated the 16 session hijacking conf file as
# it initiates the Session Collection and creates the CSRF token
#

#
# CSRF Protections
#
# Must set this directive to On to inject content in the response.
#
SecContentInjection On

#
# It is most likely not appropriate to force CSRF tokens/validation on *all* resources.
# You should edit the LocationMatch Regular Expression below and specify what resources
# you wish to protect.  Some ideas would be for post-authentiacation directories, etc...
#
# Limitations - this implementation does not currently work with AJAX
#
<LocationMatch .*>
SecRule &ARGS "@ge 1" "chain,phase:2,id:'981143',t:none,block,msg:'CSRF Attack Detected - Missing CSRF Token.'"
 SecRule &ARGS:CSRF_TOKEN "!@eq 1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"

SecRule &ARGS "@ge 1" "chain,phase:2,id:'981144',t:none,block,msg:'CSRF Attack Detected - Invalid Token.'"
 SecRule ARGS:CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"



#
# This rule will use Content Injection to append the CSRF Token 
#
SecRule &SESSION:CSRF_TOKEN "@eq 1" "phase:4,id:'981145',t:none,nolog,pass,append:'<html><script language=\"JavaScript\"> \
\
var tokenName = \'CSRF_TOKEN\'; \
var tokenValue = \'%{session.csrf_token}\'; \
\
function updateTags() { \
\
        var all = document.all ? document.all : document.getElementsByTagName(\'*\'); \
        var len = all.length; \
\
        for(var i=0; i<len; i++) { \
                var e = all[i]; \
                \
                updateTag(e, \'src\'); \
                updateTag(e, \'href\'); \
        } \
} \
\
function updateForms() { \
\
        var forms = document.getElementsByTagName(\'form\'); \
                \
        for(i=0; i<forms.length; i++) { \
                var html = forms[i].innerHTML; \
                \
                html += \'<input type=hidden name=\' + tokenName + \' value=\' + tokenValue + \' />\'; \
\
                forms[i].innerHTML = html; \
        } \
\
} \
\
function updateTag(element, attr) { \
\
        var location = element.getAttribute(attr); \
\
        if(location != null && location != \'\' && isHttpLink(location)) { \
\
                var index = location.indexOf(\'?\'); \
\
                if(index != -1) { \
                        location = location + \'&\' + tokenName + \'=\' + tokenValue; \
                } else { \
                        location = location + \'?\' + tokenName + \'=\' + tokenValue; \
                } \
\
                element.setAttribute(attr, location); \
\
        } \
\
} \
\
function isHttpLink(src) { \
        var result = 0; \
                \
        if(src.substring(0, 4) != \'http\' || src.substring(0, 1) == \'/\') { \
                result = 1; \
        } \
        \
        return result; \
} \
\
updateTags(); \
updateForms(); \
\
</script></html>'"

</LocationMatch>