vim xss_detect.lua
关键函数解释:
local string_find = string.find
-- Cache the two ModSecurity Lua API entry points we use as file-level locals.
-- The `m` table is not defined in this file; it is the API object the host
-- (ModSecurity, via SecRuleScript) exposes to the script at run time.
local m_getvars, m_log = m.getvars, m.log
--- Entry point called by ModSecurity for a SecRuleScript rule.
-- Scans every GET argument (lowercased and HTML-entity-decoded by the
-- transformation list) for the literal marker "<script". Only this one
-- substring is checked, so this is a demonstration of the Lua hook rather
-- than a complete XSS detector.
-- `main` must stay a global: ModSecurity looks it up by that name.
-- @treturn string|nil a match message (rule matches), or nil (no match)
function main()
  -- Collect the GET arguments; each entry carries a .name and a .value.
  local args = m_getvars("ARGS_GET", {"lowercase", "htmlEntityDecode"})

  -- First argument whose value contains the marker, if any.
  local hit
  for _, arg in pairs(args) do
    -- "<script" contains no Lua pattern magic characters, so a pattern
    -- search and a plain search are equivalent here.
    if string_find(arg.value, "<script") then
      hit = arg
      break
    end
  end

  if hit == nil then
    -- Nothing suspicious: returning nil tells ModSecurity the rule did not match.
    return nil
  end

  -- Level 4 shows up in the debug log once SecDebugLogLevel is 4 or higher.
  m_log(4, "Just a TEST, I'm hungry, but it is 4:33 p.m ")
  return "Suspected XSS in variable: " .. hit.name .. "."
end
vim /etc/modsecurity/modsecurity.conf
m.log的输出会存放在/var/log/apache2/modsec_debug.log下,记得将SecDebugLogLevel设为4或4以上才能看到调试内容:
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 4
1:错误
2:警告
3:注意事项
4:事务(transaction)处理的细节
6:记录所有
vim /usr/share/modsecurity-crs/activated_rules/MY.conf
请自行替换脚本存放路径:
SecRuleScript /home/tanjiti/lua_script_modsecurity/xss_detect.lua " deny,msg:'suspected xss detect',id:1000001,phase:2,prepend:'suspected xss found. <script>window.location=\"/\";</script>'"
vim /etc/modsecurity/modsecurity.conf
#enable prepend append action
SecContentInjection On
service apache2 reload
service apache2 reload
发包工具有很多,如 curl、wget 等。这里使用 HTTP.pl:
./HTTP.pl -url 'http://localhost:8080/xss.php?name=<script>alert(1);</script>'

vim /var/log/apache2/modsec_audit.log

黄线部分就是 lua 脚本 if 逻辑中 return 语句返回的内容
我们察看modsecurity debug日志
vim /var/log/apache2/modsec_debug.log

四、Lua脚本调试
SecRuleScript /root/lua_script_modsecurity/log2File.lua
more /tmp/modsec_wafLog.log (默认路径)


(附:HTTPie 的使用见《HTTP发包工具 -HTTPie》)
http localhost/a/b/xss.php file1@HTTP.pl file2@HTTPFromFile.pl submit=submit get_a="<sc" get_b="im>" -f -v



补充Modsecurity案例:按IP地址进行封禁
第一步:开启Geo查找功能
vim /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf
增加(或者去掉原本注释)
SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat
GeoIP库的安装见《使用免费的本地IP地理库来定位IP地理位置-GeoIP lookup》
第二步:添加ModSecurity规则,按IP归属地国家的白名单进行封禁操作。注意:ModSecurity 的操作符需以 @ 开头(如 @ge、@pm),不以 @ 开头的操作符字符串会被当作 @rx 正则表达式处理。
vim /usr/share/modsecurity-crs/activated_rules/MY.conf
SecRule REMOTE_ADDR "@geoLookup" "chain,id:0000006,phase:1,drop,msg:'Non-allowed IP address'"
SecRule &GEO "ge 0" "chain"
SecRule GEO:COUNTRY_CODE "!@pm US CN JP"