OWASP ModSecurity Securing WebGoat Section4 Sublesson 17.3 17.4

17. Web Services

17.3 Web Service SAX Injection

17.4 Web Service SQL Injection

Lesson overviews
See [relative paths].

Lesson solutions
See [relative paths].

Strategy
Mitigating these 2 lessons is done with a whitelist, using pinpoint strategy.

Implementation
The lesson is mitigated by the ruleset and the solution is self-explanatory:



# 'menu=1800' SecRule ARGS:menu "!@eq 1800" "t:none,pass,skipAfter:170"

# The following rule is for lesson '17.4 WS SQL Injection'. # The regex is a whitelist only for this particular lesson and for #  the 'account number' parameter. The criteria is that only digits and no  #   spaces or special chars are allowed. Modify the regex if something like #  '-' is allowable. SecRule &ARGS_POST:SUBMIT "@eq 0" "nolog,skip:4" SecRule ARGS_POST:SUBMIT "!@streq Go!" "nolog,skip:3" SecRule &ARGS_POST:account_number "@eq 0" "nolog,skip:2" SecRule ARGS_POST:account_number "^([0-9]+)$" \ "t:urlDecodeUni,t:htmlEntityDecode,allow:request,skip:1" SecAction "deny,log,auditlog,msg:'WS SQL Injection', \    tag:'Returning from 17.4 WS SQL Injection (rulefile_17).', \     severity:'3',redirect:/_error_pages_/lesson17-4.html"

# The following rule is for lesson '17.3 SAX Injection'. # The regex is a whitelist only for this particular lesson and #  for the 'password' parameter. The criteria is that no spaces are allowed. SecRule &ARGS_POST:SUBMIT "@eq 0" "nolog,skip:4" SecRule ARGS_POST:SUBMIT "!@streq Go!" "nolog,skip:3" SecRule &ARGS_POST:password "@eq 0" "nolog,skip:2" SecRule ARGS_POST:password "[ ]" \ "t:urlDecodeUni,t:htmlEntityDecode,deny,log,auditlog, \    msg:'WS SAX Injection',tag:'WEB_ATTACK/SAX_INJECTION', \     severity:'3',redirect:/_error_pages_/lesson17-3.html" SecAction "allow:request,t:none,id:'170', \    msg:'Returning from 17.3 SAX Injection (rulefile_17).'"

SecAction "allow:request,t:none,msg:'Returning; nothing bad on this page (rulefile_17).'" 

Note that 'skipAfter' is used so the order of the rule groupings cannot be swapped.

For some reason, the project member had difficulty using 'chain' to chain rules together - in this lesson it simply was not working so the kludgey 'skip' actions were used instead; not elegant, but it works.