trAvis - MANAGER

Edit File: modsecurity_crs_55_application_defects.conf

# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.9 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- ############################################################################## # -=[ Charset Checks ]=- # # http://websecuritytool.codeplex.com/wikipage?title=Checks#charset ############################################################################## # # [ Charset not set ] # # - http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms # SecRule &GLOBAL:MISSING_CHARSET "@eq 0" "phase:5,t:none,nolog,pass,id:'981219',setvar:global.missing_charset=0" SecRule GLOBAL:MISSING_CHARSET "@le 10" "chain,phase:5,t:none,pass,id:'981220',log,msg:'[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content\'s meta tag.',logdata:'Content-Type Response Header: %{response_content_type}',tag:'WASCTC/WASC-15',tag:'APP_DEFECT/MISCONFIGURATION',tag:'http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms'" SecRule RESPONSE_STATUS "@rx ^2" "chain" SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain" SecRule RESPONSE_CONTENT_TYPE "(?i:^(text/html|text/xml|application/xml);?$)" "chain" SecRule RESPONSE_BODY "!@rx (?i:(<meta.*?(content|value)=\"text/html;\s?charset=|<\?xml.*?encoding=))" "setvar:global.missing_charset=+1,expirevar:global.missing_charset=86400" # # [ Charset not explicitly set to UTF-8 in HTML/XML content ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8 # - http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection # SecRule &GLOBAL:CHARSET_NOT_UTF8 "@eq 0" "phase:5,t:none,nolog,pass,id:'981221',setvar:global.charset_not_utf8=0" SecRule GLOBAL:CHARSET_NOT_UTF8 "@le 10" "chain,phase:5,t:none,pass,id:'981222',log,msg:'[Watcher Check] The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content\'s meta tag.',logdata:'Content-Type Response Header: %{response_content_type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8'" SecRule RESPONSE_STATUS "@rx ^2" "chain" SecRule RESPONSE_CONTENT_TYPE "(?i:(^text/html|^application/xml|^text/xml))" "chain" SecRule RESPONSE_CONTENT_TYPE "!@contains charset=utf-8" "chain,t:none,t:lowercase" SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain" SecRule RESPONSE_BODY "!@rx (<meta.*?(content|value)=\"text/html;\s?charset=utf-8|<\?xml.*?encoding=\"utf-8\")" "t:none,t:lowercase,setvar:global.charset_not_utf8=+1,expirevar:global.charset_not_utf8=86400" # # [ Detect charset mismatches between HTTP header and HTML/XML bodies ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-mismatch # - http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection # SecRule &GLOBAL:CHARSET_MISMATCH "@eq 0" "phase:5,t:none,nolog,pass,id:'981223',setvar:global.charset_mismatch=0" SecRule GLOBAL:CHARSET_MISMATCH "@le 10" "chain,phase:5,t:none,pass,id:'981224',log,msg:'[Watcher Check] The charset specified was not the same in the HTTP Content-Type header and in the HTML content\'s meta tag',logdata:'Content-Type Response Header Charset is: %{tx.charset_header} and HTTP Equiv Charset is: %{tx.charset_body}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-mismatch'" SecRule RESPONSE_STATUS "@rx ^2" "chain" SecRule RESPONSE_CONTENT_TYPE "(?i:^(text/html|text/xml|application/xml);\s?charset=([^;]*))" "chain,t:none,t:lowercase,capture,setvar:tx.charset_header=%{tx.2}" SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain" SecRule RESPONSE_BODY "(?i)(charset|encoding)=\"?(.*?)\"" "chain,t:none,t:lowercase,capture,setvar:tx.charset_body=%{tx.2}" SecRule TX:CHARSET_HEADER "!@streq %{tx.charset_body}" "t:none,setvar:global.charset_mismatch=+1,expirevar:global.charset_mismatch=86400" ############################################################################## # -=[ Cookie Checks ]=- # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies ############################################################################## # # [ Look for cookies with loosely scoped domain restrictions ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-loosely-scoped-domain # - http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies # SecRule &GLOBAL:LOOSE_DOMAIN_SCOPE "@eq 0" "phase:5,t:none,nolog,pass,id:'981237',setvar:global.loose_domain_scope=0" SecRule GLOBAL:LOOSE_DOMAIN_SCOPE "@le 10" "chain,phase:5,id:'981238',t:none,pass,log,auditlog,msg:'AppDefect: Loose Domain Cookie Flag Restrictions.',logdata:'Cookie: %{tx.1} and Domain: %{tx.2}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-loosely-scoped-domain'" SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!@rx (?i)domain=(?:(?!\d|-)[a-zA-Z0-9\-]{1,63}(?<!-)\.)([a-zA-Z0-9\-]{1,63}(?<!-)\.)(?:[a-zA-Z]{2,})" "chain,setvar:tx.set-cookie-counter=+1,setvar:tx.%{matched_var_name}_%{tx.set-cookie-counter}=%{matched_var}" SecRule TX:/^RESPONSE_HEADERS:Set-Cookie2?_/ "(?i)^(.*?);.*domain=(.*?);" "capture,setvar:global.loose_domain_scope=+1,expirevar:global.loose_domain_scope=86400" # # [ Cookie's HttpOnly Flag Was Not Set ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag # - https://www.owasp.org/index.php/HttpOnly # SecRule &GLOBAL:MISSING_HTTPONLY "@eq 0" "phase:5,t:none,nolog,pass,id:'981235',setvar:global.missing_httponly=0" SecRule GLOBAL:MISSING_HTTPONLY "@le 10" "chain,phase:5,id:'981184',t:none,pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag for %{tx.1}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag'" SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(.*?)=(?i)(?!.*httponly.*)(.*$)" "capture,setvar:global.missing_httponly=+1,expirevar:global.missing_httponly=86400" # # [ Fix Missing "httponly" Flag ] # Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!httponly).)+)$" "$1; HttpOnly" # # [ Cookie's Secure Flag Was Not Set ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag # - https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Use_.22Secure.22_Cookie_Flag # SecRule &GLOBAL:MISSING_SECURE "@eq 0" "phase:3,t:none,nolog,pass,id:'981236',setvar:global.missing_secure=0" SecRule GLOBAL:MISSING_SECURE "@le 10" "chain,phase:3,id:'981185',t:none,pass,log,auditlog,msg:'AppDefect: Missing Secure Cookie Flag for %{tx.1}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag'" SecRule SERVER_PORT "@streq 443" "chain,t:none,setenv:secure_site" SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(.*?)=(?i)(?!.*secure.*)(.*$)" "capture,setvar:global.missing_secure=+1,expirevar:global.missing_secure=86400" # # [ Fix Missing "secure" Flag ] # Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!secure).)+)$" "$1; secure" env=secure_site ############################################################################## # -=[ HTTP Header Checks ]=- # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#header ############################################################################## # # [ Check that the cache-control HTTP header is set to 'no-store' ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store # SecRule &GLOBAL:CHECK_CACHE_CONTROL "@eq 0" "phase:5,t:none,nolog,pass,id:'981239',setvar:global.check_cache_control=0" SecRule GLOBAL:CHECK_CACHE_CONTROL "@le 10" "chain,phase:5,id:'900046',t:none,pass,log,auditlog,msg:'AppDefect: Cache-Control Response Header Missing \'no-store\' flag.',logdata:'Cache-Control: %{response_headers.cache-control}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store'" SecRule RESPONSE_HEADERS:Cache-Control "!@contains no-store" "t:none,t:lowercase,setvar:global.check_cache_control=+1,expirevar:global.check_cache_control=86400" # # [ Check that a Content-Type header is included in the HTTP response ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-content-type-header-missing # SecRule &GLOBAL:CONTENT_TYPE_HEADER_EXISTS "@eq 0" "phase:5,t:none,nolog,pass,id:'981400',setvar:global.content_type_header_exists=0" SecRule GLOBAL:CONTENT_TYPE_HEADER_EXISTS "@le 10" "chain,phase:5,id:'981401',t:none,pass,log,auditlog,msg:'AppDefect: Content-Type Response Header is Missing or Empty.',logdata:'Content-Type: %{response_headers.content-type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-content-type-header-missing'" SecRule &RESPONSE_HEADERS:Content-Type|RESPONSE_HEADERS:Content-Type "^0$|^$" "t:none,setvar:global.content_type_header_exists=+1,expirevar:global.content_type_header_exists=86400" # # [ Check that IE's XSS protection filter is not being disabled by the Web-application ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#internet-explorer-xss-filter-disabled # SecRule &GLOBAL:X_XSS_PROTECTION_DISABLED "@eq 0" "phase:5,t:none,nolog,pass,id:'981402',setvar:global.x_xss_protection_disabled=0" SecRule GLOBAL:X_XSS_PROTECTION_DISABLED "@le 10" "chain,phase:5,id:'981403',t:none,pass,log,auditlog,msg:'AppDefect: IE8\'s XSS protection Filter is Disabled.',logdata:'X-XSS-Protection: %{response_headers.x-xss-protection}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#internet-explorer-xss-filter-disabled'" SecRule RESPONSE_HEADERS:X-XSS-Protection "@streq 0" "t:none,setvar:global.x_xss_protection_disabled=+1,expirevar:global.x_xss_protection_disabled=86400" # # [ Check that the X-FRAME-OPTIONS header is being set for Clickjacking defense ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options # SecRule &GLOBAL:X_FRAME_OPTIONS "@eq 0" "phase:5,t:none,nolog,pass,id:'981404',setvar:global.x_frame_options=0" SecRule GLOBAL:X_FRAME_OPTIONS "@le 10" "chain,phase:5,id:'981405',t:none,pass,log,auditlog,msg:'AppDefect: X-FRAME-OPTIONS Response Header is Missing or not set to Deny.',logdata:'X-FRAME-OPTIONS: %{response_headers.x-frame-options}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options'" SecRule &RESPONSE_HEADERS:X-FRAME-OPTIONS|RESPONSE_HEADERS:X-FRAME-OPTIONS "^(?i:0|allow)$" "t:none,setvar:global.x_frame_options=+1,expirevar:global.x_frame_options=86400" # # [ Checks that the X-CONTENT-TYPE-OPTIONS defense against MIME-sniffing has been declared ] # # - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-content-type-options # SecRule &GLOBAL:X_CONTENT_TYPE_OPTIONS "@eq 0" "phase:5,t:none,nolog,pass,id:'981406',setvar:global.x_content_type_options=0" SecRule &RESPONSE_HEADERS:Content-Type|RESPONSE_HEADERS:Content-Type "^0$|^$" "chain,phase:5,id:'981407',t:none,pass,log,auditlog,msg:'AppDefect: Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to \'nosniff\'.',logdata:'X-Content-Type-Options: %{response_headers.x-content-type-options}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-content-type-options'" SecRule GLOBAL:X_CONTENT_TYPE_OPTIONS "@le 10" "chain" SecRule &RESPONSE_HEADERS:X-Content-Type-Options|RESPONSE_HEADERS:X-Content-Type-Options "^0$|^[a-z]+(?<!:nosniff)" "t:none,t:lowercase,setvar:global.x_content_type_options=+1,expirevar:global.x_content_type_options=86400" # XSS Detection - Missing Output Encoding # SecAction "phase:1,id:'900047',nolog,pass,initcol:global=xss_list" # # Identifies Reflected XSS # If malicious input (with Meta-Characters) is echoed back in the reply non-encoded. # SecRule &ARGS "@gt 0" "chain,phase:4,id:'900048',t:none,log,auditlog,deny,status:403,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded.',logdata:'%{tx.inbound_meta-characters}'" SecRule ARGS "([\'\"\(\)\;<>#])" "chain,t:none" SecRule MATCHED_VAR "^.{15,}$" "chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}" SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E" # # Check to see if TX XSS Data is already in the GLOBAL list. If it is - expire it. SecRule GLOBAL:'/XSS_LIST_.*/' "@streq %{tx.inbound_meta-characters}" "phase:4,id:'981180',t:none,nolog,pass,skip:1" SecRule TX:INBOUND_META-CHARACTERS ".*" "phase:4,id:'981181',t:none,nolog,pass,setvar:global.xss_list_%{time_epoch}=%{matched_var}" # # Identifies Stored XSS # If malicious input (with Meta-Characters) is echoed back on any page non-encoded. SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" "phase:4,id:'981182',t:none,log,auditlog,pass,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded',tag:'WEB_ATTACK/XSS'"