Closed ghost closed 1 year ago
Hi @shubhagarwal14 ,
Could you please describe more fully what you are suggesting?
Thanks for the reply @martinhsv.
Please refer to the following link for better understanding: https://campus.barracuda.com/product/webapplicationfirewall/doc/41102492/how-to-configure-url-encryption-rule/
Hi @shubhagarwal14,
Ok, I understand what you're talking about. In brief, under this suggestion, ModSecurity would:
Another technique to accomplish the same thing is to include hashes that can be used to detect modification of what is expected to be non-manipulated data.
I'll first note that that sort of functionality is quite intrusive, and, for several reasons, might not be best suited to a web application firewall, where the primary mission is to detect suspicious content, report it and optionally disrupt. Some things might be best accomplished by the base server technology or other network proxies. Anti-CSRF tokens are in a loosely similar category, and those are typically handled by the web server or the application itself, rather than by a WAF.
Indeed, I believe nginx already has an option to allow hash-based protection of URL modification. (Apache may have some comparable functionality, but I'm not able to identify it just now.)
Nevertheless, if we were to consider it as a possibility at the WAF level: one immediate issue is that libModSecurity (v3) doesn't really have generalized functionality to rewrite request and response content.
ModSecurity v2 with Apache does have extensive rewrite capability, so support for your suggestion could probably be included there. But, for that matter, if you are interested in such functionality for ModSecurity v2, it's probably do-able right now, through a combination of a modest Lua script and a few additional rules. If you're interested, that's something you could consider trying out yourself. [Update: If you have access to the book 'The Web Application Defender's Cookbook' there is a suggested hash mechanism in 'Recipe 1-2' that you could try out if you are interested.]
In sum, although an interesting idea, I think this is something that the ModSecurity project is probably unlikely to pursue as a separate project. I will, however, leave the item open temporarily to allow any other interested members of the community to comment, or if you want to try the suggestion from the previous paragraph, etc.
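To make the hash-based alternative concrete, here is an added illustration (not code from the ModSecurity project, nor the book recipe mentioned above, and written in Python rather than the Lua a v2 rule set would use): links emitted in responses are tagged with an HMAC over path and query, and incoming requests are accepted only if the tag still matches, so a path or parameter edited by the client is detected. The key, the `sig` parameter name and the `app.example` host are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed example key; a real deployment loads it from secret storage and rotates it.
SECRET_KEY = b"example-key-do-not-use"
SIG_PARAM = "sig"  # query parameter carrying the integrity tag (assumed name)


def _canonical(path: str, params: list) -> bytes:
    # The tag covers the path and the sorted query pairs, excluding the tag itself,
    # so parameter order does not matter but any added/changed pair does.
    query = urlencode(sorted(p for p in params if p[0] != SIG_PARAM))
    return f"{path}?{query}".encode()


def sign_url(url: str, key: bytes = SECRET_KEY) -> str:
    """Return url with an HMAC-SHA256 tag over its path and query appended as sig=..."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tag = hmac.new(key, _canonical(parts.path, params), hashlib.sha256).hexdigest()
    params = [p for p in params if p[0] != SIG_PARAM] + [(SIG_PARAM, tag)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def verify_url(url: str, key: bytes = SECRET_KEY) -> bool:
    """True only if exactly one sig is present and it matches the rest of path + query."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tags = [v for k, v in params if k == SIG_PARAM]
    if len(tags) != 1:
        return False  # missing or duplicated tag: reject rather than guess
    expected = hmac.new(key, _canonical(parts.path, params), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tags[0], expected)  # constant-time comparison


def tamper_report(signed: str) -> dict:
    """Evaluate a few client-side edits of a signed link; True means the request would pass."""
    return {
        "unmodified": verify_url(signed),
        "path_changed": verify_url(signed.replace("/account/123", "/account/124")),
        "param_changed": verify_url(signed.replace("view=full", "view=admin")),
        "param_added": verify_url(signed + "&debug=1"),
        "tag_stripped": verify_url(signed.split("&sig=")[0]),
    }


if __name__ == "__main__":
    link = sign_url("https://app.example/account/123?view=full")
    print(link)
    print(tamper_report(link))
```

Only the unmodified link verifies; every edited variant is rejected, which is the signal a rule would use to log or block the request.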
Proceeding to close this for the reasons stated.
I want a new feature that enables users to encrypt the URLs and prevent malicious users from forceful browsing. It should ensure that the internal directory structure of the web application is not revealed to the users. When URL encryption is enabled for a Service, based on the URL specified in the URL Match field, all the response pages from that Service should have the encrypted URLs in the links.