D7net
Home
Console
Upload
information
Create File
Create Folder
About
Tools
:
/
opt
/
bitninja-waf
/
etc
/
crs
/
rules
/
Filename :
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
back
Copy
# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.0.2 # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:943011,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:943012,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) # # # Session fixation # # -=[ References ]=- # http://projects.webappsec.org/Session-Fixation # http://projects.webappsec.org/w/page/13246960/Session%20Fixation # http://capec.mitre.org/data/definitions/61.html # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \ "msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',\ phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ severity:'CRITICAL',\ t:none,t:urlDecodeUni,\ capture,\ ctl:auditLogParts=+E,\ block,\ id:943100,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-fixation',\ tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\ tag:'WASCTC/WASC-37',\ tag:'CAPEC-61',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" SecRule ARGS_NAMES "@rx ^(jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \ "msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\ phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'2',\ accuracy:'7',\ id:943110,\ t:none,t:urlDecodeUni,t:lowercase,\ capture,\ ctl:auditLogParts=+E,\ block,\ severity:'CRITICAL',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-fixation',\ tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\ tag:'WASCTC/WASC-37',\ tag:'CAPEC-61',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ chain" SecRule REQUEST_HEADERS:Referer "^(?:ht|f)tps?://(.*?)\/" \ "capture,\ chain" SecRule TX:1 "!@endsWith %{request_headers.host}" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" SecRule ARGS_NAMES "@rx ^(jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \ "msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\ phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'2',\ accuracy:'7',\ id:943120,\ t:none,t:urlDecodeUni,t:lowercase,\ capture,\ ctl:auditLogParts=+E,\ severity:'CRITICAL',\ block,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-fixation',\ tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\ tag:'WASCTC/WASC-37',\ tag:'CAPEC-61',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ chain" SecRule &REQUEST_HEADERS:Referer "@eq 0" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:943013,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:943014,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) # SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:943015,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:943016,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) # SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:943017,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:943018,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"