OWASP ModSecurity Securing WebGoat Section4 Sublesson 02.4

2. Access Control Flaws -> 2.4 Remote Admin Access

Lesson overview
The WebGoat lesson overview is included with the WebGoat lesson solution.

Lesson solution
Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.

Strategy
The solution is to prevent 'admin=true' from appearing in the query string.

Implementation
The lesson is mitigated in the ruleset 'rulefile_02_access-control-flaws.conf'.

# Lesson 2.4: Remote Admin Access; don't allow 'admin=true' in the querystring
SecRule &ARGS:admin "!@eq 0" "chain,log,auditlog,deny,\
    msg:'Admin Function Attack',tag:'ADMIN_FUNCTION', \
    redirect:/_error_pages_/lesson02-4.html"
    SecRule ARGS:admin "true" "t:lowercase"
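To see exactly which requests the chained rule above fires on, here is a small Python model of its two-stage match, written for this page and not part of the OWASP ModSecurity Securing WebGoat ruleset; the sample URLs are constructed, and the model only looks at the query string (ModSecurity's ARGS also covers POST body parameters).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Same pattern the second rule in the chain uses. ModSecurity's default
# operator is @rx, so "true" is an unanchored regular expression.
ADMIN_PATTERN = re.compile(r"true")


def lesson_2_4_blocks(url: str) -> bool:
    """Return True if the chained rule would deny/redirect this request URL.

    Rule 1: &ARGS:admin "!@eq 0"          -> at least one 'admin' argument.
    Rule 2: ARGS:admin "true" "t:lowercase" -> after lowercasing, the value
            contains 'true' (any occurrence, not the whole value).
    Both must match for the chain to fire.
    """
    args = parse_qs(urlsplit(url).query, keep_blank_values=True)
    admin_values = args.get("admin", [])
    if len(admin_values) == 0:  # first rule: count of ARGS:admin is 0
        return False
    # second rule: ModSecurity evaluates every ARGS:admin value in turn
    return any(ADMIN_PATTERN.search(v.lower()) for v in admin_values)


# Constructed sample requests shaped like WebGoat lesson URLs (assumed).
SAMPLES = {
    "/WebGoat/attack?Screen=1&menu=200": False,
    "/WebGoat/attack?Screen=1&menu=200&admin=true": True,
    "/WebGoat/attack?Screen=1&menu=200&admin=TRUE": True,   # t:lowercase
    "/WebGoat/attack?Screen=1&admin=false": False,
    "/WebGoat/attack?Screen=1&admin=": False,               # present, no match
    "/WebGoat/attack?Screen=1&admin=untrue": True,          # unanchored regex
    "/WebGoat/attack?Screen=1&admin=false&admin=true": True,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        result = lesson_2_4_blocks(url)
        print(f"{'BLOCK' if result else 'allow'}  {url}")
        assert result == expected
```

The 'untrue' and duplicate-parameter cases show that the rule matches more than the literal 'admin=true' the strategy names; anchoring the regex (for example '^true$') would narrow it if that is wanted.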