Alexandre Duran Posted July 14, 2013

Dear all, does anyone know how to create a MOD_SECURE rule that blocks the JavaScript function eval(unescape( - preventing it from being accessed/created?
Fernando Rafs Posted July 14, 2013

Alexandre, take a look at the rules below, maybe they can help you with something.

#
# Generic Malicious JS Detection
#
SecRule RESPONSE_BODY "(?i)(String\.fromCharCode\(.*?){4,}" \
    "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Excessive fromCharCode',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981004',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"

SecRule RESPONSE_BODY "(?i)(eval\(.{0,15}unescape\()" \
    "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Eval+Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981005',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"

SecRule RESPONSE_BODY "(?i)(var[^=]+=\s*unescape\s*;)" \
    "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981006',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"

SecRule RESPONSE_BODY "(?i:%u0c0c%u0c0c|%u9090%u9090|%u4141%u4141)" \
    "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Heap Spray',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981007',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"

Source: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_50_outbound.conf

Note: If they are useful, copy the rules from the link above, because when the rules are posted on the forum some characters are being transformed into others by the editor.
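Added example, not part of the posts above and not code from the OWASP CRS: the eval(unescape( pattern from rule 981005 as a stand-alone rule, together with the response-body directives a phase 4 rule depends on. The rule id 1000001 and the 524288-byte limit are assumptions chosen for illustration.

```apache
# Added example: stand-alone outbound rule for eval(unescape( .
# The id (1000001) and the body limit are assumptions; pick an id that is
# unused in your own rule set.

# Run with DetectionOnly first to measure false positives, then switch to On.
SecRuleEngine On

# Phase 4 rules see nothing unless response bodies are buffered.
SecResponseBodyAccess On

# Only the listed content types are buffered and inspected. The default list
# is "text/plain text/html", so JavaScript types must be added to cover
# standalone .js files as well as inline script in HTML.
SecResponseBodyMimeType text/plain text/html text/xml application/javascript text/javascript

# By default a body above the limit is rejected. ProcessPartial inspects the
# first SecResponseBodyLimit bytes and passes the rest through uninspected.
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Same regular expression as CRS rule 981005, with an explicit deny in place
# of the CRS anomaly-scoring setvar actions, so no tx.* score variables
# from the CRS setup file are required.
SecRule RESPONSE_BODY "@rx (?i)(eval\(.{0,15}unescape\()" \
    "id:1000001,\
    phase:4,\
    t:none,\
    deny,\
    status:403,\
    log,\
    auditlog,\
    capture,\
    msg:'Obfuscated JavaScript in response body - eval+unescape',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}'"
```

The CRS rules quoted above use `block` and `tx.critical_anomaly_score`, so they only act as intended when loaded together with the CRS setup file that defines the default action and the score variables.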
Alexandre Duran Posted July 14, 2013 Author

Very good, Guto, that was exactly what I needed.
Fernando Rafs Posted July 14, 2013

> Very good, Guto, that was exactly what I needed.

;)
redirect Posted July 15, 2013

> Dear all, does anyone know how to create a MOD_SECURE rule that blocks the JavaScript function eval(unescape( - preventing it from being accessed/created?

What is the danger of this JavaScript function?