OWASP ModSecurity Securing WebGoat Section4 Sublesson 15.3

15. Parameter Tampering -> 15.3 Bypass Client Side JavaScript Validation

Lesson overview
The WebGoat lesson overview is included with the WebGoat lesson solution.

Lesson solution
Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.

Strategy
This WebGoat lesson demonstrates bypassing client-side validation using a web browser plugin such as IEWatch for IE or Firebug for Firefox. There are 7 different validation types and any field that does not meet the requirements will return an error message.

Often in real word implementations, the RegExs in the HTML source code are taken and re-implemented within ModSecurity so that validation is properly enforced and cannot be bypassed.

The ModSecurity solution will be to copy the RegExs from the HTML source and use them in ModSecurity rules.

Implementation
A sample POST URI and parameters are (the 2nd entry should be on one line): POST http://192.168.0.5/WebGoat/attack?Screen=31&menu=1600

field1=abc&field2=123&field3=abc+123+ABC&field4=seven&field5=90210& field6=90210-1111&field7=301-604-4882

The 'rulefile_15-3_bypass-client-side-validation.conf' is: # exactly three lowercase characters SecRule &ARGS_POST:field1 "@eq 0" "nolog,skipAfter:1530" SecRule ARGS_POST:field1 "!^[a-z]{3}$" \ "phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \ 15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \ invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html" # exactly three digits SecRule &ARGS_POST:field2 "@eq 0" "nolog,skipAfter:1530" SecRule ARGS_POST:field2 "!^[0-9]{3}$" \ "phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \ 15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \ invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html" # letters, numbers, and space only SecRule &ARGS_POST:field3 "@eq 0" "nolog,skipAfter:1530" SecRule ARGS_POST:field3 "!^[a-zA-Z0-9 ]*$" \ "phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \ 15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \ invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html" # enumeration of numbers SecRule &ARGS_POST:field4 "@eq 0" "nolog,skipAfter:1530" SecRule ARGS_POST:field4 "!^(one|two|three|four|five|six|seven|eight|nine)$" \ "phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \ 15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \ invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html" # simple zip code SecRule &ARGS_POST:field5 "@eq 0" "nolog,skipAfter:1530" SecRule ARGS_POST:field5 "!^\d{5}$" \ "phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \ 15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \ invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html" # zip with optional dash four SecRule &ARGS_POST:field6 "@eq 0" "nolog,skipAfter:1530" SecRule ARGS_POST:field6 "!^\d{5}(-\d{4})?$" \ "phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \ 15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \ invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html" # US phone number with or without dashes SecRule &ARGS_POST:field7 "@eq 0" "nolog,skipAfter:1530" SecRule ARGS_POST:field7 "!^[2-9]\d{2}-?\d{3}-?\d{4}$" \ "phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \ 15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \ invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html" SecAction "t:none,nolog,id:'1530'"

Comments

 * This solution takes the RegExs used for client-side validation and incorporates them in ModSecurity rules.