9 May 17:55
Re: Header sanitization
From: Brian Rectanus <Brian.Rectanus <at> breach.com>
Subject: Re: Header sanitization
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-09 15:55:58 GMT
The setuid action is what sets USERID, so it is empty to begin with. You
want REMOTE_USER:
SecRule REMOTE_USER "." pass,nolog,setuid:%{REMOTE_USER}
Or you need to parse out the user and put it in TX.1 or similar via capture.
-B
Nick Gearls wrote:
> I tried the following, but it doesn't work
> SecRule USERID "." pass,nolog,setuid:%{USERID}
>
> I also tried
> # Set userid again into session
> SecRule SESSION:user "." pass,setuid:%{SESSION.user},log
> ...
> # Save userid into session
> SecRule USERID "." pass,log,setvar:SESSION.user=%{USERID}
>
> And even
> # Set userid again into session
> SecRule SESSION:user "." pass,setuid:%{SESSION.user},log
> # Add Basic Authentication userid to logs
> SecRule REQUEST_HEADERS:Authorization "^Basic\s(.*)$" \
> "phase:1,chain,t:none,capture,nolog,pass"
> SecRule TX:1 "^(.*)$" \
> "chain,t:none,t:base64Decode,capture"
> SecRule TX:1 "^([^:]+)" \
> "t:none,capture,setuid:%{TX.1},setvar:SESSION.user=%{TX.1}"
>
> no way to get the userid remembered.
> I assume I missed something !?!
>
> Thanks,
>
> Nick
>
> Ivan Ristic wrote:
>> Yes, you store it in the session storage, then, on every request, you
>> take the username from the session storage and run it against setuid.
>>
>> Although this too is something I would expect ModSecurity to do
>> automatically. Adding another ticket. (Keep those requests coming!)
>>
>> On Thu, May 8, 2008 at 11:03 AM, Nick Gearls <nickgearls <at> gmail.com> wrote:
>>> Would be great to be able to add a username from an HTML form also (with a
>>> specific directive obviously), as many applications do not use basic
>>> auth.
>>> I did this - with a similar trick - but it is lost on the next request,
>>> although I registered the session id.
>>>
>>> Any idea to remember the userid from the session?
>>>
>>>
>>>
>>> Ivan Ristic wrote:
>>>
>>>> Actually, I think the username is relevant information that needs to
>>>> be recorded in the audit log automatically. I'll open a ticket for it.
>>>>
>>>> On Thu, May 8, 2008 at 8:58 AM, Nick Gearls <nickgearls <at> gmail.com> wrote:
>>>>
>>>>> That's great, although the syntax is a bit more complex:
>>>>>
>>>>> # Add Basic Authentication userid to logs
>>>>> SecRule REQUEST_HEADERS:Authorization "^Basic\s(.*)$" \
>>>>> "phase:1,chain,t:none,capture,nolog,pass"
>>>>> SecRule TX:1 "^(.*)$" \
>>>>> "chain,t:none,t:base64Decode,capture"
>>>>> SecRule TX:1 "^([^:]+)" \
>>>>> "t:none,capture,setuid:%{TX.1}"
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Nick
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Brian Rectanus wrote:
>>>>> > Brian Rectanus wrote:
>>>>> >> If you just want to log the username in the audit log, then you should
>>>>> >> be able to use setuid action for this.
>>>>> >>
>>>>> >> EX:
>>>>> >> SecAction "pass,nolog,setuid:%{REMOTE_USER}"
>>>>> >>
>>>>> >> OR, if you want it for all, not just authenticated:
>>>>> >>
>>>>> >> SecRule REQUEST_HEADERS:Authorization "^([^:]+)" \
>>>>> >> "phase:1,t:none,t:base64Decode,setuid:%{tx.1}"
>>>>> >
>>>>> > Forgot the "capture,pass,nolog" action in the above.
>>>>> >
>>>>> > -B
>>>>> >
>>>>> >> And in the audit log you should have the following in part 'H'
>>>>> >>
>>>>> >> WebApp-Info: "WebAppName" "SessionId" "UserName"
>>>>> >>
>>>>> >> -B
>>>>> >>
>>>>> >> Nick Gearls wrote:
>>>>> >>> I found a possible solution.
>>>>> >>> If we write a filter to strip the password, then we could
>>>>> >>> 1. map the "base64(user:pwd)"
>>>>> >>> 2. decode64 it, strip pwd, and map it again
>>>>> >>> 3. print TX.1 in log
>>>>> >>>
>>>>> >>>
>>>>> >>> Questions:
>>>>> >>>
>>>>> >>> 1. Any generic function to strip things after the colon ?
>>>>> >>> If not, we could write a generic sub plug-in.
>>>>> >>>
>>>>> >>> 2. This works on rules checking the Authorization header.
>>>>> >>> Any way to add this for all log entries ?
>>>>> >>>
>>>>> >>> Thanks,
>>>>> >>>
>>>>> >>> Nick
>>>>> >>>
>>>>> >>>
>>>>> >>> Nick Gearls wrote:
>>>>> >>>> Hello,
>>>>> >>>>
>>>>> >>>> For obvious privacy reasons, it is advisable to sanitize the header
>>>>> >>>> "Authorization" in the log.
>>>>> >>>> However, it may be handy to have the userid part of it in case of an
>>>>> >>>> error trap.
>>>>> >>>> Any possibility ?
>>>>> >>>>
>>>>> >>>> Thanks,
>>>>> >>>>
>>>>> >>>> Nick
>>>>> >>>>
>>>>> >>>>
>>>>> >>>
>>>>> >>> _______________________________________________
>>>>> >>> mod-security-users mailing list
>>>>> >>> mod-security-users <at> lists.sourceforge.net
>>>>> >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>> >>>
>>>>> >>
>>>>> >
>>>>> >
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>
>>
>>
>
--
Brian Rectanus
Breach Security
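As an added example (not code from this thread, and not ModSecurity's own engine), the following Python models what the rule chain discussed above does: isolate the base64 blob after "Basic", decode it, keep the part before the first colon as the userid, and produce a sanitised form of the header so the password never reaches the log. It also applies Brian's point that a server-set REMOTE_USER should be preferred, with header parsing only as the fallback for requests that are not (yet) authenticated. The function names, the WebApp-Info line format taken from the thread, and the sample credentials are constructed for the demonstration; edge cases that the single-regex approach does not handle (non-Basic schemes, invalid base64, a password containing colons, an empty userid) are handled explicitly.

```python
import base64
import binascii
import re
from typing import Optional

# Stage 1 of the chain from the thread: isolate the base64 blob after "Basic".
BASIC_RE = re.compile(r"^Basic\s+(\S+)$")
# Stage 2: everything before the first colon is the userid (RFC 7617 forbids
# a colon in the userid, so a password containing colons is still safe).
USER_RE = re.compile(r"^([^:]+)")


def build_basic_header(user: str, password: str) -> str:
    """Constructed helper: builds a 'Basic <base64(user:password)>' header for the demo."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def extract_basic_userid(authorization: Optional[str]) -> Optional[str]:
    """Return the userid from a Basic Authorization header, or None if it cannot be recovered."""
    if not authorization:
        return None
    stage1 = BASIC_RE.match(authorization.strip())
    if not stage1:
        return None  # other scheme (Bearer, Digest, ...) or malformed header
    try:
        decoded = base64.b64decode(stage1.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # t:base64Decode would yield garbage here; treat as no userid
    stage2 = USER_RE.match(decoded)
    return stage2.group(1) if stage2 else None  # None when the userid is empty


def sanitise_authorization(authorization: Optional[str]) -> Optional[str]:
    """Mask the credential part of the header, keeping only the scheme for the log."""
    if authorization is None:
        return None
    parts = authorization.strip().split(None, 1)
    if not parts:
        return "****"
    return f"{parts[0]} ****"


def resolve_userid(remote_user: Optional[str], authorization: Optional[str]) -> Optional[str]:
    """Prefer the identity the server authenticated (REMOTE_USER); fall back to the raw header."""
    if remote_user:
        return remote_user
    return extract_basic_userid(authorization)


def audit_line(app_name: str, session_id: str,
               remote_user: Optional[str], authorization: Optional[str]) -> str:
    """Render the part-H line quoted in the thread: WebApp-Info: "app" "session" "user"."""
    user = resolve_userid(remote_user, authorization) or ""
    return f'WebApp-Info: "{app_name}" "{session_id}" "{user}"'


if __name__ == "__main__":
    # Constructed sample: "alice:secret" base64-encoded.
    sample = "Basic YWxpY2U6c2VjcmV0"
    print(extract_basic_userid(sample))
    print(sanitise_authorization(sample))
    print(audit_line("shop", "sess-1", None, sample))
```

The sanitised header deliberately keeps only the scheme token, which is the behaviour a log reader needs (was this request Basic, Bearer, or nothing?) without exposing the credential, and the userid travels separately into the audit line rather than being re-embedded in the header.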