owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

Is it possible to block CSRF using ModSecurity-nginx? If so, kindly provide a configuration sample. #252

Closed michel-el-hajj closed 2 years ago

martinhsv commented 2 years ago

Hello @michel-el-hajj ,

CSRF is a more difficult type of attack to identify for WAFs generally. There isn't a simple setting that can be turned on to identify all such attacks, because legitimate requests can look the same as malicious ones.

As a narrow subset of problems:

1) if you know that a web application is vulnerable to CSRF specifically because it has a bug where it expects a nonce but does not verify that it is valid if it is of zero length, you can test for that easily with a ModSecurity rule
2) if you have a similar situation to the previous item, but where the CSRF check can be bypassed if the nonce is not present at all -- this can similarly be tested for

More broadly:

coreruleset used to have rules that worked with apache and ModSecurity v2.9.x to rewrite responses to insert a nonce into forms. Later POSTs of such completed forms could be checked by ModSecurity for a nonce match.

I don't see those rules in CRS3. This could be for several reasons, including:

(Consider inquiring with the coreruleset group if you want more detail on their thinking behind the above.)

It is probably possible to pursue a comparable nonce-based strategy with nginx and ModSecurity v3, although I have never done so. It would likely require nginx configuration to do the requisite response rewriting and coordinating knowledge of the nonce with ModSecurity. Even if successful, this would suffer from the same limitations as the 2nd and 3rd bullet points in the previous paragraph.

Turning to non-nonce strategies, your best bet may be to see if header checks would work for your situation. See the description here: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers
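As an added example (editor's illustration, not code from the issue, from ModSecurity-nginx or from CRS), the rules below implement the three narrow checks the comment above describes: rejecting a zero-length nonce (item 1), rejecting a request with no nonce parameter at all (item 2), and the Origin/Referer header verification from the linked OWASP cheat sheet. Everything about the protected application is assumed: the token is taken to be a POST field named `csrf_token`, the state-changing endpoints live under `/account/`, and the site is served only as `https://www.example.com`. The rule ids 9001001-9001005 are arbitrary local ids. The file is meant to be loaded in an nginx `server` or `location` block with `modsecurity on; modsecurity_rules_file /path/to/csrf.conf;`.

```apache
# Added example (not from the issue or the ModSecurity-nginx project).
# Assumptions: CSRF token is the POST field "csrf_token", state-changing
# endpoints are under /account/, and the site origin is https://www.example.com.
# Load with: modsecurity on; modsecurity_rules_file /path/to/csrf.conf;

SecRuleEngine On
# ARGS_POST is only populated when the request body is parsed
# (application/x-www-form-urlencoded or multipart/form-data by default).
SecRequestBodyAccess On

# Item 1: nonce is sent but is zero-length. The application bug being
# compensated for is that it accepts an empty token, so deny it at the WAF.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|OPTIONS)$" \
    "id:9001001,phase:2,deny,status:403,log,\
    msg:'CSRF: csrf_token present but empty',chain"
    SecRule REQUEST_URI "@beginsWith /account/" "chain"
        SecRule ARGS_POST:csrf_token "@rx ^$" "t:none"

# Item 2: nonce parameter is absent entirely. &ARGS_POST:csrf_token is the
# count of matching parameters; zero means the field was never sent.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|OPTIONS)$" \
    "id:9001002,phase:2,deny,status:403,log,\
    msg:'CSRF: csrf_token parameter missing',chain"
    SecRule REQUEST_URI "@beginsWith /account/" "chain"
        SecRule &ARGS_POST:csrf_token "@eq 0"

# Standard-header verification (OWASP cheat sheet, "Verifying Origin with
# Standard Headers"). Headers are available in phase 1, before the body is read.
# Origin present but not the site itself: deny. An "Origin: null" value also
# fails this match, which is the intended outcome.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|OPTIONS)$" \
    "id:9001003,phase:1,deny,status:403,log,\
    msg:'CSRF: Origin header does not match site origin',chain"
    SecRule &REQUEST_HEADERS:Origin "@eq 1" "chain"
        SecRule REQUEST_HEADERS:Origin "!@rx ^https://www\.example\.com$" \
            "t:none,t:lowercase"

# No Origin, but a Referer that is not on the site: deny.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|OPTIONS)$" \
    "id:9001004,phase:1,deny,status:403,log,\
    msg:'CSRF: no Origin and Referer does not match site origin',chain"
    SecRule &REQUEST_HEADERS:Origin "@eq 0" "chain"
        SecRule &REQUEST_HEADERS:Referer "@eq 1" "chain"
            SecRule REQUEST_HEADERS:Referer "!@rx ^https://www\.example\.com/" \
                "t:none,t:lowercase"

# Neither header present on a state-changing request: deny (the stricter option
# in the cheat sheet). Change "deny,status:403" to "pass" if legitimate clients
# in your environment are known to strip both headers and you prefer to log only.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|OPTIONS)$" \
    "id:9001005,phase:1,deny,status:403,log,\
    msg:'CSRF: neither Origin nor Referer header present',chain"
    SecRule &REQUEST_HEADERS:Origin "@eq 0" "chain"
        SecRule &REQUEST_HEADERS:Referer "@eq 0"
```

Two caveats worth keeping in mind: rules 9001001 and 9001002 only tell the WAF that a token is present and non-empty, not that it is the right token, which is exactly the limitation the comment describes; and the header rules depend on browsers sending Origin or Referer, so test against your real client population (and any referrer-policy you set) before running them in blocking mode.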

martinhsv commented 2 years ago

Closing due to no further activity