8 May 12:03
Re: Header sanitization
From: Nick Gearls <nickgearls <at> gmail.com>
Subject: Re: Header sanitization
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-08 10:03:13 GMT
Would be great to be able to add a username from an HTML form also (with
a specific directive obviously), as many applications do not use basic auth.
I did this - with a similar trick - but it is lost on the next request,
although I registered the session id.
Any idea how to remember the userid from the session?
Ivan Ristic wrote:
> Actually, I think the username is relevant information that needs to
> be recorded in the audit log automatically. I'll open a ticket for it.
>
> On Thu, May 8, 2008 at 8:58 AM, Nick Gearls <nickgearls <at> gmail.com> wrote:
>> That's great, although the syntax is a bit more complex:
>>
>> # Add Basic Authentication userid to logs
>> SecRule REQUEST_HEADERS:Authorization "^Basic\s(.*)$" \
>> "phase:1,chain,t:none,capture,nolog,pass"
>> SecRule TX:1 "^(.*)$" \
>> "chain,t:none,t:base64Decode,capture"
>> SecRule TX:1 "^([^:]+)" \
>> "t:none,capture,setuid:%{TX.1}"
>>
>> Thanks,
>>
>> Nick
>>
>>
>>
>>
>> Brian Rectanus wrote:
>> > Brian Rectanus wrote:
>> >> If you just want to log the username in the audit log, then you should
>> >> be able to use setuid action for this.
>> >>
>> >> EX:
>> >> SecAction "pass,nolog,setuid:%{REMOTE_USER}"
>> >>
>> >> OR, if you want it for all, not just authenticated:
>> >>
>> >> SecRule REQUEST_HEADERS:Authorization "^([^:]+)" \
>> >> "phase:1,t:none,t:base64Decode,setuid:%{tx.1}"
>> >
>> > Forgot the "capture,pass,nolog" action in the above.
>> >
>> > -B
>> >
>> >> And in the audit log you should have the following in part 'H'
>> >>
>> >> WebApp-Info: "WebAppName" "SessionId" "UserName"
>> >>
>> >> -B
>> >>
>> >> Nick Gearls wrote:
>> >>> I found a possible solution.
>> >>> If we write a filter to strip the password, then we could
>> >>> 1. map the "base64(user:pwd)"
>> >>> 2. decode64 it, strip pwd, and map it again
>> >>> 3. print TX.1 in log
>> >>>
>> >>>
>> >>> Questions:
>> >>>
>> >>> 1. Any generic function to strip things after the colon ?
>> >>> If not, we could write a generic sub plug-in.
>> >>>
>> >>> 2. This works on rules checking the Authorization header.
>> >>> Any way to add this for all log entries ?
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Nick
>> >>>
>> >>>
>> >>> Nick Gearls wrote:
>> >>>> Hello,
>> >>>>
>> >>>> For obvious privacy reasons, it is advisable to sanitize the header
>> >>>> "Authorization" in the log.
>> >>>> However, it may be handy to have the userid part of it in case of an
>> >>>> error trap.
>> >>>> Any possibility ?
>> >>>>
>> >>>> Thanks,
>> >>>>
>> >>>> Nick
>> >>>>
>> >>>>
>> >>> -------------------------------------------------------------------------
>> >>> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
>> >>> Don't miss this year's exciting event. There's still time to save $100.
>> >>> Use priority code J8TL2D2.
>> >>> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
>> >>> _______________________________________________
>> >>> mod-security-users mailing list
>> >>> mod-security-users <at> lists.sourceforge.net
>> >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> >>>
>> >>
>> >
>> >
>>
>>
>
>
>
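
The decode-and-strip step discussed in this thread, written out in Python as an added example (not code from any poster or from ModSecurity): it keeps the userid from a Basic Authorization header and masks the credentials for logging. The function names, the `****` mask and the sample credentials are assumptions constructed for illustration.

```python
import base64
import binascii

REDACTED = "****"  # assumed mask written to the log instead of the secret


def basic_auth_userid(header_value):
    """Return the userid from an Authorization header value, or None.

    None is returned for non-Basic schemes and for credentials that do not
    decode to "user:password".
    """
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Same idea as the "^([^:]+)" capture in the thread: RFC 7617 forbids ":"
    # in the userid, so split on the first colon only; the password may
    # contain further colons.
    user, sep, _password = decoded.partition(b":")
    if not sep or not user:
        return None
    # Drop control characters so a crafted userid cannot forge log lines.
    text = user.decode("utf-8", errors="replace")
    return "".join(ch for ch in text if ch.isprintable())


def sanitize_header_line(line):
    """Mask the credentials of an Authorization header line, keeping the userid."""
    name, sep, value = line.partition(":")
    if not sep or name.strip().lower() != "authorization":
        return line
    parts = value.split(None, 1)
    scheme = parts[0] if parts else "unknown"
    user = basic_auth_userid(value)
    suffix = f" (userid={user})" if user else ""
    return f"{name}: {scheme} {REDACTED}{suffix}"


# Constructed sample: userid "alice", password that itself contains a colon.
SAMPLE = "Authorization: Basic " + base64.b64encode(b"alice:s3cr3t:x").decode()

if __name__ == "__main__":
    print(sanitize_header_line(SAMPLE))
```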