# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.0.5 # Copyright (C) 2006-2010 Breach Security Inc. All rights reserved. # # The ModSecurity Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # The rules in this file are considered experimental/beta rules. They attempt to address # some advanced attacks, use some new ModSecurity features or new rules language techniques. # # # HTTP Parameter Pollution (HPP) # # One HPP attack vector is to try evade signature filters by distributing the attack payload # across multiple parameters with the same name. This works as many security devices only # apply signatures to individual parameter payloads, however the back-end web application # may (in the case of ASP.NET) consolidate all of the payloads into one thus making the # attack payload active. # # -=[ Rules Logic }=- # The ruleset below is not looking for attacks directly, but rather is a crude normalization # function that mimics ASP.NET with regards to joining the payloads of parameters with the # same name. These rules will create a new TX:HPP_DATA variable that will hold this data. # If you have enabled PARANOID_MODE, then this variable data will also be searched against # attack filters. # # -=[ References ]=- # http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html # SecRule ARGS "^" "chain,phase:2,t:none,nolog,pass,capture,id:'960022',rev:'2.0.5',setvar:tx.%{matched_var_name}=+1" SecRule TX:/^ARGS:/ "@gt 1" "chain,t:none" SecRule MATCHED_VAR_NAME "TX:(ARGS:.*)" "chain,capture,t:none,setvar:tx.hpp_names=%{tx.1}" SecRule ARGS ".*" "chain,t:none,capture,setvar:tx.arg_counter=+1,setvar:'tx.hppnamedata_%{tx.arg_counter}=%{matched_var_name}=%{tx.0}'" SecRule TX:/HPPNAMEDATA_/ "@contains %{tx.hpp_names}" "chain,setvar:tx.hpp_counter=+1,setvar:tx.hpp_counter_%{tx.hpp_counter}=%{matched_var}" SecRule TX:/HPP_COUNTER_/ "ARGS:(.*)?=(.*)" "capture,setvar:'tx.hpp_data=%{tx.hpp_data},%{tx.2}'"