
Since Railo/Resin does not allow session cookies to be httpOnly, I've been trying to catch them with mod-security 2.7. Normally this would be done in phase:3, but I can't seem to process any rules in phase:3 (or 4, for that matter)...

A simple rule like this:

SecRule RESPONSE_HEADERS:Set-Cookie ".+" "id:1005,log,phase:3,msg:%{matched_var}"

Logs this when visiting my root page:

[/][4] Initialising transaction (txid UDORCgoUBWsAADDIBB4AAAA-).
[/][4] Transaction context created (dcfg 324de8).
[/][4] First phase starting (dcfg 324de8).
[/][4] Starting phase REQUEST_HEADERS.
[/][9] This phase consists of 0 rule(s).
[/][4] Second phase starting (dcfg 324de8).
[/][4] Input filter: This request does not have a body.
[/][4] Starting phase REQUEST_BODY.
[/][9] This phase consists of 0 rule(s).
[/][4] Hook insert_filter: Adding output filter (r 15b6110).
[/][4] Initialising logging.
[/index.cfm][4] Starting phase LOGGING.
[/index.cfm][9] This phase consists of 0 rule(s).
[/index.cfm][4] Recording persistent data took 0 microseconds.
[/index.cfm][4] Audit log: Not configured to run for this request.

When visiting a static image though, phase 3 and 4 get processed normally:

[/image.png][4] Initialising transaction (txid UDORMgoUBWsAADDIBB8AAAA-).
[/image.png][4] Transaction context created (dcfg 324de8).
[/image.png][4] Hook insert_error_filter: Adding output filter (r 15ba120).
[/image.png][9] Output filter: Receiving output (f 15bba50, r 15ba120).
[/image.png][4] Starting phase RESPONSE_HEADERS.
[/image.png][9] This phase consists of 1 rule(s).
[/image.png][4] Recipe: Invoking rule 347328; [file "C:/Apache/conf/httpd.conf"] [line "525"] [id "1005"].
[/image.png][5] Rule 347328: SecRule "RESPONSE_HEADERS:Set-Cookie" "@rx .+" "phase:3,auditlog,pass,id:1005,log,msg:%{matched_var}"
[/image.png][4] Rule returned 0.
[/image.png][9] No match, not chained -> mode NEXT_RULE.
[/image.png][4] Output filter: Response body buffering is not enabled.
[/image.png][9] Content Injection: Not enabled.
[/image.png][4] Output filter: Completed receiving response body (non-buffering).
[/image.png][4] Starting phase RESPONSE_BODY.
[/image.png][9] This phase consists of 0 rule(s).
[/image.png][4] Output filter: Output forwarding complete.
[/image.png][9] Output filter: Sending input brigade directly.
[/image.png][4] Initialising logging.
[/image.png][4] Starting phase LOGGING.
[/image.png][9] This phase consists of 0 rule(s).
[/image.png][4] Recording persistent data took 0 microseconds.
[/image.png][4] Audit log: Not configured to run for this request.

I'm using mod_caucho to connect Apache to Resin.

red-X
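To compare the two transactions above systematically rather than by eye, here is an added example (not code from the question or the answer) that parses ModSecurity 2.x debug-log lines in the format quoted above, groups them by txid and reports which engine phases never started for each transaction. The embedded log excerpt is constructed from the lines in the question; the field names and the EXPECTED_PHASES list are this example's own assumptions.

```python
import re
from collections import OrderedDict

# Constructed excerpt, trimmed from the debug-log lines quoted in the question:
# one dynamic request (/ -> /index.cfm) and one static request (/image.png).
SAMPLE_LOG = """\
[/][4] Initialising transaction (txid UDORCgoUBWsAADDIBB4AAAA-).
[/][4] Starting phase REQUEST_HEADERS.
[/][4] Starting phase REQUEST_BODY.
[/index.cfm][4] Starting phase LOGGING.
[/image.png][4] Initialising transaction (txid UDORMgoUBWsAADDIBB8AAAA-).
[/image.png][4] Starting phase RESPONSE_HEADERS.
[/image.png][4] Recipe: Invoking rule 347328; [file "C:/Apache/conf/httpd.conf"] [line "525"] [id "1005"].
[/image.png][4] Starting phase RESPONSE_BODY.
[/image.png][4] Starting phase LOGGING.
"""

# Assumed: the five phases a fully processed transaction should pass through.
EXPECTED_PHASES = ("REQUEST_HEADERS", "REQUEST_BODY", "RESPONSE_HEADERS",
                   "RESPONSE_BODY", "LOGGING")

LINE_RE = re.compile(r"^\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$")
TXID_RE = re.compile(r"Initialising transaction \(txid (?P<txid>[^)\s]+)\)")
PHASE_RE = re.compile(r"Starting phase (?P<phase>[A-Z_]+)\.")
RULE_RE = re.compile(r'Invoking rule \d+;.*\[id "(?P<id>\d+)"\]')


def parse_debug_log(text):
    """Group debug-log lines by transaction.

    Returns an OrderedDict txid -> {"uri": last URI seen for the transaction,
    "phases": phases started in order, "rules": rule ids invoked}.
    """
    txns = OrderedDict()
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a debug-log line (e.g. blank or unrelated text)
        uri, msg = m.group("uri"), m.group("msg")
        t = TXID_RE.search(msg)
        if t:  # a new transaction starts here
            current = txns.setdefault(t.group("txid"), {"uri": uri, "phases": [], "rules": []})
            continue
        if current is None:
            continue  # lines before the first transaction marker are ignored
        current["uri"] = uri  # the URI is rewritten mid-transaction (/ -> /index.cfm)
        p = PHASE_RE.search(msg)
        if p:
            current["phases"].append(p.group("phase"))
        r = RULE_RE.search(msg)
        if r:
            current["rules"].append(r.group("id"))
    return txns


def missing_phases(txn):
    """Phases the engine never started for this transaction."""
    return [ph for ph in EXPECTED_PHASES if ph not in txn["phases"]]
```

Running `missing_phases` over the parsed sample shows the dynamic /index.cfm transaction skipping RESPONSE_HEADERS and RESPONSE_BODY, while the rule with id 1005 is only ever invoked for /image.png.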

1 Answer


From your log, it's executed.

[/image.png][4] Recipe: Invoking rule 347328; [file "C:/Apache/conf/httpd.conf"] [line "525"] [id "1005"].
[/image.png][5] Rule 347328: SecRule "RESPONSE_HEADERS:Set-Cookie" "@rx .+" "phase:3,auditlog,pass,id:1005,log,msg:%{matched_var}"
[/image.png][4] Rule returned 0.
[/image.png][9] No match, not chained -> mode NEXT_RULE.

And you have made a mistake: usually, when you request a static resource, the server won't respond with a Set-Cookie header; only when you request a dynamic resource will it have a Set-Cookie header.

In your case, you requested an image. You can request a dynamic file, like website/inpde.php?uaer=admin, and then you'll see it match Set-Cookie.

Wei