Re: Header sanitization
From: Nick Gearls <nickgearls <at> gmail.com>
Subject: Re: Header sanitization
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-09 06:33:29 GMT
I tried the following, but it doesn't work
SecRule USERID "." pass,nolog,setuid:%{USERID}
I also tried
# Set userid again into session
SecRule SESSION:user "." pass,setuid:%{SESSION.user},log
...
# Save userid into session
SecRule USERID "." pass,log,setvar:SESSION.user=%{USERID}
And even
# Set userid again into session
SecRule SESSION:user "." pass,setuid:%{SESSION.user},log
# Add Basic Authentication userid to logs
SecRule REQUEST_HEADERS:Authorization "^Basic\s(.*)$" \
"phase:1,chain,t:none,capture,nolog,pass"
SecRule TX:1 "^(.*)$" \
"chain,t:none,t:base64Decode,capture"
SecRule TX:1 "^([^:]+)" \
"t:none,capture,setuid:%{TX.1},setvar:SESSION.user=%{TX.1}"
no way to get the userid remembered.
I assume I missed something !?!
Thanks,
Nick
Ivan Ristic wrote:
> Yes, you store it in the session storage, then, on every request, you
> take the username from the session storage and run it against setuid.
>
> Although this too is something I would expect ModSecurity to do
> automatically. Adding another ticket. (Keep those requests coming!)
>
> On Thu, May 8, 2008 at 11:03 AM, Nick Gearls <nickgearls <at> gmail.com> wrote:
>> Would be great to be able to add a username from a HTML form also (with a
>> specific directive obviously), as many applications do not use basic auth.
>> I did this - with a similar trick - but it is lost on the next request,
>> although I registered the session id.
>>
>> Any idea to remember the userid from the session ?
>>
>>
>>
>> Ivan Ristic wrote:
>>
>>> Actually, I think the username is relevant information that needs to
>>> be recorded in the audit log automatically. I'll open a ticket for it.
>>>
>>> On Thu, May 8, 2008 at 8:58 AM, Nick Gearls <nickgearls <at> gmail.com> wrote:
>>>
>>>> That's great, although the syntax is a bit more complex:
>>>>
>>>> # Add Basic Authentication userid to logs
>>>> SecRule REQUEST_HEADERS:Authorization "^Basic\s(.*)$" \
>>>> "phase:1,chain,t:none,capture,nolog,pass"
>>>> SecRule TX:1 "^(.*)$" \
>>>> "chain,t:none,t:base64Decode,capture"
>>>> SecRule TX:1 "^([^:]+)" \
>>>> "t:none,capture,setuid:%{TX.1}"
>>>>
>>>> Thanks,
>>>>
>>>> Nick
>>>>
>>>>
>>>>
>>>>
>>>> Brian Rectanus wrote:
>>>> > Brian Rectanus wrote:
>>>> >> If you just want to log the username in the audit log, then you should
>>>> >> be able to use setuid action for this.
>>>> >>
>>>> >> EX:
>>>> >> SecAction "pass,nolog,setuid:%{REMOTE_USER}"
>>>> >>
>>>> >> OR, if you want it for all, not just authenticated:
>>>> >>
>>>> >> SecRule REQUEST_HEADERS:Authorization "^([^:]+)" \
>>>> >> "phase:1,t:none,t:base64Decode,setuid:%{tx.1}"
>>>> >
>>>> > Forgot the "capture,pass,nolog" action in the above.
>>>> >
>>>> > -B
>>>> >
>>>> >> And in the audit log you should have the following in part 'H'
>>>> >>
>>>> >> WebApp-Info: "WebAppName" "SessionId" "UserName"
>>>> >>
>>>> >> -B
>>>> >>
>>>> >> Nick Gearls wrote:
>>>> >>> I found a possible solution.
>>>> >>> If we write a filter to strip the password, then we could
>>>> >>> 1. map the "base64(user:pwd)"
>>>> >>> 2. decode64 it, strip pwd, and map it again
>>>> >>> 3. print TX.1 in log
>>>> >>>
>>>> >>>
>>>> >>> Questions:
>>>> >>>
>>>> >>> 1. Any generic function to strip things after the colon ?
>>>> >>> If not, we could write a generic sub plug-in.
>>>> >>>
>>>> >>> 2. This works on rules checking the Authorization header.
>>>> >>> Any way to add this for all log entries ?
>>>> >>>
>>>> >>> Thanks,
>>>> >>>
>>>> >>> Nick
>>>> >>>
>>>> >>>
>>>> >>> Nick Gearls wrote:
>>>> >>>> Hello,
>>>> >>>>
>>>> >>>> For obvious privacy reasons, it is advisable to sanitize the header
>>>> >>>> "Authorization" in the log.
>>>> >>>> However, it may be handy to have the userid part of it in case of an
>>>> >>>> error trap.
>>>> >>>> Any possibility ?
>>>> >>>>
>>>> >>>> Thanks,
>>>> >>>>
>>>> >>>> Nick
>>>> >>>>
>>>> >>>>
>>>> >>>
>>>> >>> _______________________________________________
>>>> >>> mod-security-users mailing list
>>>> >>> mod-security-users <at> lists.sourceforge.net
>>>> >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> >>>
>>>> >>
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>
>>>
>>>
>
>
>
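The extraction the rule chains in this thread perform ("^Basic\s(.*)$", base64Decode, "^([^:]+)"), written out as an added Python example that is not from the thread or from ModSecurity: it applies the same three steps to a header value, masks the Authorization value for the audit record (as sanitiseRequestHeader does with asterisks), and carries the user id across requests in a constructed in-memory stand-in for the SESSION collection. The dictionary `SESSION_USERS` and the helper `encode_basic` are assumptions made for the demonstration.

```python
import base64
import re

# Same matching steps as the rule chain in the thread: "Basic <token>",
# base64-decode, then everything up to the first colon is the user id.
BASIC_RE = re.compile(r"^Basic\s(.*)$")
USER_RE = re.compile(r"^([^:]+)")

# Constructed stand-in for ModSecurity's SESSION collection (keyed by session id).
SESSION_USERS = {}


def basic_auth_user(auth_header):
    """Return the user id from a Basic Authorization header, or None if absent/unparsable."""
    if not auth_header:
        return None
    m = BASIC_RE.match(auth_header)
    if not m:
        return None  # not Basic auth (e.g. Bearer): nothing to extract
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: do not record garbage as a user id
    m = USER_RE.match(decoded)
    return m.group(1) if m else None  # "^([^:]+)" does not match an empty user id


def sanitize_headers(headers):
    """Copy of the headers with the Authorization value replaced by asterisks."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "*" * len(safe["Authorization"])
    return safe


def audit_record(headers, session_id):
    """Audit-log fields: user id taken from the header or, failing that, the session."""
    user = basic_auth_user(headers.get("Authorization"))
    if user:
        SESSION_USERS[session_id] = user          # setvar:SESSION.user=%{TX.1}
    else:
        user = SESSION_USERS.get(session_id)      # setuid:%{SESSION.user} on later requests
    return {"user": user, "headers": sanitize_headers(headers)}


def encode_basic(user, password):
    """Constructed helper that builds a Basic Authorization value for sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```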