Regra Mod_Secure

[Alexandre Duran]

Caros, alguém sabe como criar uma regra MOD_SECURE que bloqueie uma função java script eval(unescape( - impedindo de ser acessada/criada ?

[Fernando Rafs]

Alexandre, dá uma olhada nas regras abaixo, talvez possam lhe ajudar em algo

#
# Generic Malicious JS Detection
#
SecRule RESPONSE_BODY "(?i)(String\.fromCharCode\(.*?){4,}" \
                                "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Excessive fromCharCode',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981004',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"

SecRule RESPONSE_BODY "(?i)(eval\(.{0,15}unescape\()" \
                                "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Eval+Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981005',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"

SecRule RESPONSE_BODY "(?i)(var[^=]+=\s*unescape\s*;)" \
                                "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981006',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"

SecRule RESPONSE_BODY "(?i:ఌఌ|邐邐|䅁䅁)" \
                                "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Heap Spray',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981007',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"

Fonte: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_50_outbound.conf

 

Observação: Se for útil, copie as regras através do link acima, porque ao ser postada as regras no Fórum alguns caracteres estão sendo transformados em outros pelo editor.

[Alexandre Duran]

Muito bom Guto era isso mesmo que  precisava.

[Fernando Rafs]

Muito bom Guto era isso mesmo que  precisava.

 

;)

[redirect]

Caros, alguém sabe como criar uma regra MOD_SECURE que bloqueie uma função java script eval(unescape( - impedindo de ser acessada/criada ?

Qual é o perigo dessa função do javascript?