[Modsecurity] iframe filtering rules

Ryan Barnett rcbarnett at gmail.com
Sat Sep 8 12:55:49 EDT 2007


I would recommend mod_publisher - http://apache.webthing.com/mod_publisher/
It is more efficient performance-wise vs. using mod_ext_filter to spawn
command line sed for each outbound response.  It is also more accurate for
updating html.

I actually described using mod_ext_filter and sed to remove html comments,
etc... in my book "Preventing Web Attacks with Apache."  I wanted to present
this concept to users to show how to use them for security, however there
can be some severe performance problems if you attempt to use it in
production.  There is a great article here that compares mod_ext_filter,
mod_line_edit and mod_publisher for these types of security purposes -
http://www.apachetutor.org/security/information-leak.

One question for Michael - why just silently remove the malicious iframe?
Wouldn't it be better to implement these RegExs into ModSecurity rules that
monitor outbound traffic and then block and alert in such situations?

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache


On 9/8/07, Michael Shinn <mike at gotroot.com> wrote:
>
> Steve West wrote:
> > Hi Michael,
> >
> > Thank you for the great tool! We've had a few customers' web sites have
> > their web pages altered by hackers to add iframe tags, etc. The
> > customers gave out their ftp credentials to the wrong people so we can't
> > always protect against that. But I do have a few questions:
> >
> > 1. Is there any tool we can use if we are running apache 1.3.x?
>
> I'll look into it.  I'm not positive if apache 1.x supports external
> filters.  If it does, then it should be easy enough to put this together
> for 1.3.x too.  A quick look doesn't seem to show mod_ext_filter is
> supported in 1.3.x, so I'll have to look for other options.
>
> > 2. You should also add some filtering for obfuscated javascript which
> > I'm seeing some recent hacks employ to get around security
> > countermeasures on the server side.
>
> Thanks for the suggestion.  I'll see what I can put together for that
> too.  If you have some examples, please send them my way I'll see what I
> can put together this weekend.
>
> And for anyone wondering where the big update is, I'm almost finished
> with it finally.  I'm just debugging a final problem with phase 2
> transforms, which was stopping chained rules from working entirely.  So
> many rules, so many dependencies...
>
> > thx,
> >
> > SW
> >
> >
> > Michael Shinn wrote:
> >> I put together a method for filtering out bad iframes from websites.
> >> Output filtering, for websites that become infected.  You can read on
> >> for the details here:
> >>
> >> http://www.gotroot.com/tiki-read_article.php?articleId=278
> >>
> >> Rules update is in testing now, will be putting out a major overhaul
> >> this week.  The major performance improvements will require modsec 2.5.
> >>
> >>
> >
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
>
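The two approaches discussed in this thread side by side, as an added
illustration that is not part of the original messages and not Ryan's or
gotroot's rules: the mod_ext_filter/sed filter that silently strips an
injected iframe, and the ModSecurity 2.x outbound rules Ryan suggests
instead, which inspect the response body in phase 4 and block and alert.
Assumed: Apache 2.x with ModSecurity 2.1 or later loaded; the rule ids
900100 and 900101 are placeholders (pick unused ids for your own policy);
the sed path and the regexes are example heuristics, not a vetted signature.

```apache
# Added example, not the list's or gotroot's rules.  Assumes Apache 2.x
# with ModSecurity 2.x (2.1+); rule ids 900100/900101 are placeholders.

#
# (a) Silent removal with mod_ext_filter: spawns sed for every HTML
#     response.  The iframe disappears but nobody learns the site has been
#     defaced, and sed works line by line, so a tag split across lines
#     survives.  (The `I` flag for case-insensitive matching is GNU sed.)
#
ExtFilterDefine strip-iframe mode=output intype=text/html \
    cmd="/bin/sed -e 's/<iframe[^>]*>//gI' -e 's/<\/iframe>//gI'"
<Location />
    SetOutputFilter strip-iframe
</Location>

#
# (b) Inspect the outbound body with ModSecurity, then block AND alert.
#
SecRuleEngine On
SecResponseBodyAccess On
# Buffer only the content types worth scanning; images/binaries skip it.
SecResponseBodyMimeType text/html text/plain text/xml
# Cap buffering so a large download cannot exhaust memory (bytes).
SecResponseBodyLimit 524288

# Hidden or off-screen iframe: the usual shape of an injected loader
# (zero size, display:none, visibility:hidden, negative offset).
# \x22 is a double quote, written that way to keep the Apache config
# quoting simple.  TX.0 holds the captured match for the log line.
SecRule RESPONSE_BODY "(?i)<iframe\b[^>]*?(?:(?:width|height)\s*=\s*[\x22']?0+(?:px)?[\x22'\s>]|display\s*:\s*none|visibility\s*:\s*hidden|(?:top|left)\s*:\s*-\d)" \
    "phase:4,t:none,capture,deny,status:403,log,auditlog,msg:'Hidden iframe in outbound HTML, possible defacement',logdata:'%{TX.0}',severity:2,tag:'OUTBOUND/IFRAME',id:'900100'"

# Obfuscated script loader (Steve's second point): eval/document.write
# over unescape()d %xx data.  Crude heuristic, expect false positives on
# legitimately packed scripts; start it in alert-only mode (pass).
SecRule RESPONSE_BODY "(?i)(?:eval|document\.write)\s*\(\s*unescape\s*\(\s*[\x22'](?:%[0-9a-f]{2}|%u[0-9a-f]{4}){4,}" \
    "phase:4,t:none,capture,pass,log,auditlog,msg:'Obfuscated script in outbound HTML',logdata:'%{TX.0}',severity:2,tag:'OUTBOUND/OBFUSCATED_JS',id:'900101'"
```

Two things to check before trusting this in production.  First, the
response the rule sees must be uncompressed: if mod_deflate compresses
the body before the ModSecurity output filter runs, RESPONSE_BODY is gzip
bytes and nothing matches, so test with a deliberately planted
`<iframe width=0 height=0 src=...>` and confirm a 403 plus an audit log
entry rather than assuming.  Second, SecResponseBodyLimit is a hard cap in
2.1 (an over-limit response is rejected); 2.5 adds
`SecResponseBodyLimitAction ProcessPartial` so oversized pages are
scanned as far as the limit instead of failing.  Blocking means the
customer's own page goes dark with a 403, which is the intended fail-closed
behaviour on a defacement; if alert-only is preferred, swap
`deny,status:403` for `pass` and let the audit log drive the response.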