
List:       mod-security-users
Subject:    Re: [mod-security-users] Tokens?
From:       Christian Martorella <cmartorella () isecauditors ! com>
Date:       2005-05-03 11:16:27
Message-ID: 42775D8B.7020409 () isecauditors ! com


Ivan Ristic wrote:

> Christian Martorella wrote:
>
>> Hi, I was looking at other application firewalls and I saw that some of 
>> them use tokens to sign forms or variables with a hash.
>
>
>   Can you be more specific? What are they signing? The hidden fields,
>   the names of the fields?
>
>
What you sign with a hash is the values of the hidden fields, or the 
values of the URL parameters.
For example, if you have

        <input name="year" type="hidden" value="1984?MSEC=OurhashOurhashOurHash">

then if someone changes 1984 to 1982, when you recalculate the hash for 
year it will be different and you deny the request.

I know this would bring more performance issues, but it would be good against 
parameter tampering, cookie tampering, and all tampering that could be done.

>> Are there plans to implement this in Mod_Security? Or is there 
>> someone already working on it?
>
>
>   No. I am not convinced such a feature would have significant value in
>   real life. I can see how it can help in a specific case (e.g. when
>   someone has an app with a hidden field that should never change). But
>   I do not think it can work as a generic protection measure people can
>   turn on and forget about. In this day and age many applications are
>   creating forms dynamically at runtime, and using JavaScript to change
>   the values in the hidden fields.
>
Maybe you are right, but what about cookies? Or session IDs? Or URL 
parameters where, if you change a value, you will be taken to a private zone, 
for example? My examples are for badly designed applications
that a company couldn't secure.

I was just looking at what other application firewalls were doing, and I 
found this functionality.



Cheers!

-- 
_________________________________
Christian Martorella
e-Security Engineer
cmartorella@isecauditors.com

Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª.
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
www.isecauditors.com
          ____________________________________
This message and any documents attached to it may contain confidential
information. Therefore, anyone who receives it in error is informed that
the information it contains is reserved and its unauthorised use is
legally prohibited, so in that case we ask you to notify us by the same
means or by telephone (93 305 13 18), to refrain from making copies of
the message or forwarding or delivering it to another person, and to
delete it immediately.

In compliance with Ley Orgánica 15/1999 de 13 de diciembre on the
protection of personal data, Internet Security Auditors S.L. informs you
that your personal data have been included in computerised files owned
by Internet Security Auditors S.L., which will be the sole recipient of
such data and whose exclusive purpose is customer management and
commercial communication activities, and that you may exercise the
rights of access, rectification, cancellation and objection provided for
by law by letter addressed to Internet Security Auditors, c. Santander,
101. Edif. A. 2º 1ª, 08030 Barcelona, or by e-mail to the following
address: legal@isecauditors.com



_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
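The value-signing scheme Christian describes above (a hidden field carrying "1984?MSEC=<hash>", recomputed and compared on the way back in), as an added illustration that is not code from the thread or from mod_security. It assumes a keyed hash (HMAC-SHA256 with a server-side secret, a constructed key here) rather than a plain hash, since an unkeyed hash could simply be recomputed by whoever edits the value; the field name is bound into the MAC so a tag cannot be transplanted onto another field, and the comparison is constant-time.

```python
import hashlib
import hmac

# Constructed demo key: in practice a server-side secret that never reaches the client.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
SEPARATOR = "?MSEC="  # marker taken from the thread's example "1984?MSEC=<hash>"


def _tag(name: str, value: str, key: bytes) -> str:
    # Bind field name and value together so a tag for "year" is useless on "month".
    return hmac.new(key, f"{name}\x00{value}".encode(), hashlib.sha256).hexdigest()


def sign_value(name: str, value: str, key: bytes = SECRET_KEY) -> str:
    """Return the value with its MAC appended, e.g. '1984?MSEC=ab12...'."""
    return f"{value}{SEPARATOR}{_tag(name, value, key)}"


def verify_value(name: str, submitted: str, key: bytes = SECRET_KEY):
    """Recompute the MAC for the submitted field.

    Returns the original value if the tag is present and intact, or None
    when the tag is missing or does not match (request should be denied).
    """
    value, sep, tag = submitted.rpartition(SEPARATOR)
    if not sep:
        return None  # no tag at all: treat as tampered
    if not hmac.compare_digest(_tag(name, value, key), tag):
        return None
    return value


def simulate_edit(signed: str, new_value: str) -> str:
    """The scenario from the thread: the value is changed but the old tag is kept."""
    _, sep, tag = signed.rpartition(SEPARATOR)
    return f"{new_value}{sep}{tag}"


if __name__ == "__main__":
    signed = sign_value("year", "1984")
    print("hidden field value :", signed)
    print("intact             :", verify_value("year", signed))
    print("1984 -> 1982       :", verify_value("year", simulate_edit(signed, "1982")))
    print("tag moved to field :", verify_value("month", signed))
```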

