Ivan Ristic | 8 May 12:12

Re: Header sanitization

Yes, you store it in the session storage, then, on every request, you
take the username from the session storage and run it against setuid.

Although this too is something I would expect ModSecurity to do
automatically. Adding another ticket. (Keep those requests coming!)

On Thu, May 8, 2008 at 11:03 AM, Nick Gearls <nickgearls <at> gmail.com> wrote:
> Would be great to be able to add a username from a HTML form also (with a
> specific directive obviously), as many applications do not use basic auth.
>  I did this - with a similar trick - but it is lost on the next request,
> although I registered the session id.
>
>  Any idea to remember the userid from the session?
>
>
>
>  Ivan Ristic wrote:
>
> > Actually, I think the username is relevant information that needs to
> > be recorded in the audit log automatically. I'll open a ticket for it.
> >
> > On Thu, May 8, 2008 at 8:58 AM, Nick Gearls <nickgearls <at> gmail.com> wrote:
> >
> > > That's great, although the syntax is a bit more complex:
> > >
> > >  # Add Basic Authentication userid to logs
> > >  SecRule REQUEST_HEADERS:Authorization  "^Basic\s(.*)$" \
> > >   "phase:1,chain,t:none,capture,nolog,pass"
> > >  SecRule TX:1  "^(.*)$" \
> > >   "chain,t:none,t:base64Decode,capture"
> > >  SecRule TX:1  "^([^:]+)" \
> > >   "t:none,capture,setuid:%{TX.1}"
> > >
> > >  Thanks,
> > >
> > >  Nick
> > >
> > >
> > >
> > >
> > >  Brian Rectanus wrote:
> > >  > Brian Rectanus wrote:
> > >  >> If you just want to log the username in the audit log, then you should
> > >  >> be able to use setuid action for this.
> > >  >>
> > >  >> EX:
> > >  >> SecAction "pass,nolog,setuid:%{REMOTE_USER}"
> > >  >>
> > >  >> OR, if you want it for all, not just authenticated:
> > >  >>
> > >  >> SecRule REQUEST_HEADERS:Authorization "^([^:]+)" \
> > >  >>         "phase:1,t:none,t:base64Decode,setuid:%{tx.1}"
> > >  >
> > >  > Forgot the "capture,pass,nolog" action in the above.
> > >  >
> > >  > -B
> > >  >
> > >  >> And in the audit log you should have the following in part 'H'
> > >  >>
> > >  >> WebApp-Info: "WebAppName" "SessionId" "UserName"
> > >  >>
> > >  >> -B
> > >  >>
> > >  >> Nick Gearls wrote:
> > >  >>> I found a possible solution.
> > >  >>> If we write a filter to strip the password, then we could
> > >  >>>   1. map the "base64(user:pwd)"
> > >  >>>   2. decode64 it, strip pwd, and map it again
> > >  >>>   3. print TX.1 in log
> > >  >>>
> > >  >>>
> > >  >>> Questions:
> > >  >>>
> > >  >>> 1. Any generic function to strip things after the colon?
> > >  >>> If not, we could write a generic sub plug-in.
> > >  >>>
> > >  >>> 2. This works on rules checking the Authorization header.
> > >  >>> Any way to add this for all log entries ?
> > >  >>>
> > >  >>> Thanks,
> > >  >>>
> > >  >>> Nick
> > >  >>>
> > >  >>>
> > >  >>> Nick Gearls wrote:
> > >  >>>> Hello,
> > >  >>>>
> > >  >>>> For obvious privacy reasons, it is advisable to sanitize the header
> > >  >>>> "Authorization" in the log.
> > >  >>>> However, it may be handy to have the userid part of it in case of an
> > >  >>>> error trap.
> > >  >>>> Any possibility?
> > >  >>>>
> > >  >>>> Thanks,
> > >  >>>>
> > >  >>>> Nick
> > >  >>>>
> > >  >>>>
> > >  >>>
> > >  >>> -------------------------------------------------------------------------
> > >  >>> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> > >  >>> Don't miss this year's exciting event. There's still time to save $100.
> > >  >>> Use priority code J8TL2D2.
> > >  >>> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> > >  >>> _______________________________________________
> > >  >>> mod-security-users mailing list
> > >  >>> mod-security-users <at> lists.sourceforge.net
> > >  >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > >  >>>
> > >  >>
> > >  >
> > >  >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
>

-- 
Ivan Ristic
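Added example, not code from the thread or from ModSecurity: a Python sketch of what Nick's three-rule chain does (match "Basic ...", base64-decode, keep only the part before the first colon) and of Ivan's suggestion to remember the user-id in session storage so later requests without an Authorization header still get it. The password half is never returned, so the result is what you would hand to setuid for the audit log. SessionUserStore is an assumed stand-in for ModSecurity's persistent SESSION collection, the form_user parameter is an assumed login-form field, and SAMPLE_HEADER is a constructed credential.

```python
import base64
import binascii
import re

# Mirrors the first rule in the chain: "^Basic\s(.*)$" against the Authorization header.
BASIC_RE = re.compile(r"^Basic\s+(.*)$", re.IGNORECASE)

# Constructed sample credential for the usage at the bottom (user "alice",
# password containing a colon, to show why only the first colon splits).
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cr:et").decode()


def username_from_authorization(header):
    """Return the user-id from an HTTP Basic Authorization header, or None.

    Steps match the posted rule chain: match "Basic ...", t:base64Decode,
    then "^([^:]+)". Everything after the first colon is the password and
    is discarded, so the return value is safe to write to an audit log.
    """
    if header is None:
        return None
    m = BASIC_RE.match(header.strip())
    if not m:
        return None  # Digest, Bearer or no credentials: nothing to extract
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed base64: log nothing rather than garbage
    # A user-id cannot contain ':' but a password can (RFC 7617), so split
    # only on the first colon.
    userid, sep, _password = decoded.partition(b":")
    if not sep or not userid:
        return None
    return userid.decode("utf-8", errors="replace")


def sanitize_authorization_for_log(header):
    """Replace the credential blob so the header itself can still be logged."""
    if header is None or not BASIC_RE.match(header.strip()):
        return header
    return "Basic [sanitized]"


class SessionUserStore:
    """Assumed stand-in for ModSecurity's persistent SESSION collection:
    an in-memory map from session id to the user-id seen for that session."""

    def __init__(self):
        self._users = {}

    def remember(self, session_id, userid):
        if session_id and userid:
            self._users[session_id] = userid

    def lookup(self, session_id):
        return self._users.get(session_id)


def audit_user_for_request(store, session_id, authorization=None, form_user=None):
    """Pick the user-id to attach to this request's audit entry.

    Order: Basic auth on this request, then an assumed login-form field,
    then whatever an earlier request stored for the session. Any user-id
    found is re-saved against the session so later requests inherit it,
    which is the per-request setuid Ivan describes.
    """
    userid = username_from_authorization(authorization) or form_user
    if userid:
        store.remember(session_id, userid)
        return userid
    return store.lookup(session_id)


if __name__ == "__main__":
    store = SessionUserStore()
    print(sanitize_authorization_for_log(SAMPLE_HEADER))
    print(audit_user_for_request(store, "sess1", authorization=SAMPLE_HEADER))
    print(audit_user_for_request(store, "sess1"))  # inherited from the session
```

Note that a request whose credentials fail to decode yields None rather than a partial string; in rule terms that is the case where the chain simply does not match and setuid never fires.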
