CRSF Protection Not Compatible with OAM #4

Closed
renroy opened this Issue Oct 3, 2012 · 3 comments


@renroy
renroy commented Oct 3, 2012

Enabling CSRF protection (modsecurity_crs_43_csrf_protection.conf and modsecurity_crs_16_session_hijacking.conf) seems to break Oracle Access Manager login. Testing shows that the ModSecurity CRS CSRF protection appends JavaScript to the end of the page; however, it's after the closing html tag and therefore is not rendered correctly. Additionally, if CSRF protection is left enabled, then logging in to the OAM-protected resource is impaired.

@rcbarnett
Contributor

Looks like you might need to use the @rsub operator to add in CSRF tokens server-side. See this blog post - http://blog.spiderlabs.com/2011/08/detecting-malice-with-modsecurity-updated-csrf-attacks.html

@renroy
renroy commented Oct 4, 2012

Thank you for the response.
Specifically, does the @rsub rule get added somewhere in the modsecurity_crs_43_csrf_protection.conf, or should an entirely new .conf be created having only this rule and substituted for crs_43, because it's using Apache's mod_unique_id token?

@rcbarnett
Contributor

Yes, this is a bit confusing as I showed the PoC of using @rsub in the blog post but it isn't straightforward for how to use it with the current CRS csrf rules.

  1. For the creation of the anti-CSRF token, we have updated the rules in the modsecurity_crs_16_session_hijacking.conf file -

This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid

SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).?=([^\s]+);\s?)" "chain,phase:3,id:'981062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent}"
    SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"

This creates the session.csrf_token value based on a hash of the Apache mod_unique_id value for the transaction.

  2. Using the modsecurity_crs_43_csrf_protection.conf file. You still want to use that file as it has the enforcement rules, however you will want to comment out or disable rule ID 981145 as you do not want to append the client side JS code to the response.

  3. You will then want to create a new rules conf file and add in something like this -

# STREAM_OUTPUT_BODY is only populated when response body access and
# streaming output inspection are enabled.
SecResponseBodyAccess On
SecStreamOutBodyInspection On

# Insert the hidden rv_token field before the closing form tag. Inside an
# Apache double-quoted argument the inner quotes and the "/" in "</form>"
# must be backslash-escaped, and the two lines are joined with "\".
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/form>/<input type=\"hidden\" name=\"rv_token\" value=\"%{session.csrf_token}\"><\/form>/" \
    "id:'1',phase:4,t:none,nolog,pass"

Hope this info helps.
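To make the three-step setup above concrete, here is an added example (not code from the CRS project or from the blog post) that models in plain Python what the rules do: derive the per-session token from the transaction's UNIQUE_ID the way the chained rule in 981062 does (sha1 then hexEncode), rewrite the response body the way the @rsub rule does by inserting a hidden rv_token input before the closing form tag, and then enforce the token on the follow-up request as the rules in modsecurity_crs_43_csrf_protection.conf do. It goes slightly beyond the thread in that it handles every form in a page, not just one. The function names, the sample HTML and the sample UNIQUE_ID are assumptions constructed for illustration.

```python
"""Model of server-side anti-CSRF token injection and enforcement.

Added example, not ModSecurity CRS code. Function names, sample HTML and the
sample UNIQUE_ID value are constructed for illustration.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs

FORM_CLOSE = re.compile(r"</form>", re.IGNORECASE)


def derive_csrf_token(unique_id: str) -> str:
    # Mirrors "t:sha1,t:hexEncode" applied to UNIQUE_ID in the chained rule:
    # the hex SHA-1 digest of the Apache mod_unique_id value.
    return hashlib.sha1(unique_id.encode("ascii")).hexdigest()


def inject_token(body: str, token: str, field: str = "rv_token") -> str:
    # Server-side equivalent of the @rsub rule: put a hidden input just
    # before each </form>. Nothing is appended after </html>, which is the
    # rendering problem the reporter saw with the JS-append approach.
    hidden = f'<input type="hidden" name="{field}" value="{token}">'
    return FORM_CLOSE.sub(hidden + "</form>", body)


def enforce_token(request_body: str, session_token: str,
                  field: str = "rv_token") -> bool:
    # Request-side check: the submitted field must exist and equal the token
    # stored in the session. Constant-time comparison avoids timing leaks.
    submitted = parse_qs(request_body).get(field, [""])[0]
    return hmac.compare_digest(submitted, session_token)


def demo() -> dict:
    # Constructed sample: one login page served, one POST coming back.
    unique_id = "UFnLs8CoqGkAAAk@AAAAAAAA"   # hypothetical UNIQUE_ID value
    page = ('<html><body><form method="post" action="/login">'
            '<input name="user"></form></body></html>')
    token = derive_csrf_token(unique_id)
    served = inject_token(page, token)
    good_post = f"user=alice&rv_token={token}"
    bad_post = "user=alice&rv_token=deadbeef"
    return {
        "token": token,
        "served": served,
        "good_accepted": enforce_token(good_post, token),
        "bad_accepted": enforce_token(bad_post, token),
        "missing_accepted": enforce_token("user=alice", token),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the real deployment the session token is stored per session via setsid and looked up by the session cookie, so the explicit session_token argument here stands in for that collection lookup.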

@rcbarnett rcbarnett closed this Jul 1, 2013