OWASP ModSecurity Securing WebGoat Section4 Sublesson 10.1

10. Improper Error Handling

10.1 Fail Open Authentication Scheme

Lesson overview
See [relative path].

Lesson solution
See [relative path].

Strategy
This lesson demonstrates a fail-open vulnerability: when the 'Password' parameter is removed entirely from the POST body, the error path that handles the missing parameter lets the login succeed and the user is authenticated. To mitigate this, a straightforward pinpoint strategy was used: the ruleset rejects any request for this lesson in which no 'Password' parameter is present at all, so the request never reaches the faulty error handling.

Implementation
The lesson is mitigated by the ruleset 'rulefile_10_improper-error-handling.conf'. The first rule skips the remaining two rules for any request whose 'menu' parameter is not 1100, i.e. for any other lesson; the second rule denies the request, redirecting the client to the lesson's error page, when the count of 'Password' parameters (the '&' prefix yields the number of matching variables) is zero; the third rule allows the request phase for everything else:

    SecRule ARGS:menu "!@eq 1100" "t:none,pass,skip:2"
    SecRule &ARGS:Password "@eq 0" "t:none,deny,severity:3, \
        msg:'Post parameter Password is mandatory, but it is not present in request.', \
        tag:'AUTHENTICATION',redirect:/_error_pages_/lesson10-1.html"
    SecAction "allow:request,t:none, \
        msg:'Returning; nothing bad on this page (rulefile_10-1).'"

Note that it is perfectly acceptable, and probably preferable, to use '&ARGS_POST:Password' instead of '&ARGS:Password': ARGS covers both query-string and body parameters, so a 'Password' supplied in the URL would satisfy the count, whereas ARGS_POST counts only parameters in the request body, which is where the lesson's form sends it. Also note that the rule checks presence, not content: a 'Password' parameter with an empty value still counts as one, and handling that case remains the application's job.
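As an added illustration, not part of the WebGoat project or of the lesson's ruleset: the Python below models the fail-open login the sublesson describes (a hypothetical handler that catches the missing-parameter error and falls through to success) next to a fail-closed version, and simulates the control flow of the three rules above so the difference between counting 'Password' in ARGS and in ARGS_POST can be seen on concrete requests. The credential store and the request strings are constructed for the example; the parameter names and the menu value 1100 are taken from the lesson; the handlers are not WebGoat's code.

```python
import hmac
from urllib.parse import parse_qs

# Constructed credential store for the example (not WebGoat's user database).
STORED = {"webgoat": "webgoat"}


class ParameterNotFound(Exception):
    """Raised when a mandatory form field is absent from the request body."""


def get_param(params, name):
    """Return the first value of a form field or raise ParameterNotFound."""
    values = params.get(name)
    if not values:
        raise ParameterNotFound(name)
    return values[0]


def login_fail_open(raw_body):
    """Hypothetical handler with the bug the sublesson demonstrates: when
    'Password' is missing, get_param raises, the exception is swallowed and
    control falls through to the success return."""
    body = parse_qs(raw_body, keep_blank_values=True)
    try:
        user = get_param(body, "Username")
        password = get_param(body, "Password")
        if STORED.get(user) != password:
            return False
    except ParameterNotFound:
        pass  # BUG: "no password to check" is treated as "nothing failed"
    return True


def login_fail_closed(raw_body):
    """Fail-closed version: any error while reading credentials is a failed
    login, and the comparison is constant-time."""
    body = parse_qs(raw_body, keep_blank_values=True)
    try:
        user = get_param(body, "Username")
        password = get_param(body, "Password")
    except ParameterNotFound:
        return False
    expected = STORED.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def rulefile_10_1(query_string, raw_body, password_collection="ARGS"):
    """Simulate the control flow of rulefile_10_improper-error-handling.conf.

    Returns 'skip' when rule 1 skipped the other two, 'deny' when rule 2 fired
    and 'allow' when rule 3 was reached. ARGS counts a 'Password' parameter in
    the query string or the body, ARGS_POST only in the body, as in ModSecurity.
    The @eq comparison is simplified to a string compare of the menu value."""
    args_get = parse_qs(query_string, keep_blank_values=True)
    args_post = parse_qs(raw_body, keep_blank_values=True)

    # Rule 1: SecRule ARGS:menu "!@eq 1100" "t:none,pass,skip:2"
    # A rule over an absent variable never matches, so skip:2 runs only when a
    # menu value is present and differs from 1100.
    menu_values = args_get.get("menu", []) + args_post.get("menu", [])
    if any(v != "1100" for v in menu_values):
        return "skip"

    # Rule 2: SecRule &ARGS:Password "@eq 0" "...deny,...redirect:..."
    # '&' yields the number of matching parameters; an empty value still counts.
    count = len(args_post.get("Password", []))
    if password_collection == "ARGS":
        count += len(args_get.get("Password", []))
    elif password_collection != "ARGS_POST":
        raise ValueError("password_collection must be 'ARGS' or 'ARGS_POST'")
    if count == 0:
        return "deny"

    # Rule 3: SecAction "allow:request,..." lets the request phase through.
    return "allow"


if __name__ == "__main__":
    attack = "Username=webgoat"  # the lesson's attack: Password removed entirely
    print(login_fail_open(attack))                                     # True
    print(login_fail_closed(attack))                                   # False
    print(rulefile_10_1("menu=1100", attack))                          # deny
    print(rulefile_10_1("menu=1100&Password=x", attack, "ARGS"))       # allow
    print(rulefile_10_1("menu=1100&Password=x", attack, "ARGS_POST"))  # deny
```

Two points the simulation makes visible: a 'Password' in the query string is enough to get past the '&ARGS:Password' count but not past '&ARGS_POST:Password', and a request that carries no 'menu' parameter at all is not skipped by the first rule (a rule over an absent variable never matches), so it is still subject to the Password check.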