Testing WAF Redirect

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
chrismcb
Forum Regular

I've enabled the new WAF redirect option - which will save me a LOT of hassle in the future (especially when the CAPTCHA option comes in).

My question, though, is how to test the redirect - or at least view the file that will be presented?

Can it also be customised with logos etc?

From the redirect line in the config:
https://%{server_name}:30000/blocked.php?eventid=%{unique_id}&ruleid=%{rule.id}&sourceip=%{remote_addr}
I tried visiting https://www.mydomain.com:30000/blocked.php, but get a 404.


Anyone got any advice? Can't find anything in the Wiki.
chrismcb
Forum Regular

Digging further, there is no blocked.php at /var/asl/www - does this mean we should create our own blocked.php file?

I just assumed there would at least be a standard basic file there from the outset.
scott
Atomicorp Staff - Site Admin

We've got some basic stuff here, but really I'd recommend you write your own landing page. You can see the basic variables you can pass to your application in that URL now.
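
Added example (not Atomicorp's blocked.php and not code from anyone in this thread): a Python handler for the eventid, ruleid and sourceip parameters in the redirect URL quoted above. Anyone can request the landing page with arbitrary values, so each parameter is checked against an allow-list and HTML-escaped before display; the eventid and ruleid patterns and the function names are assumptions.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qs

# Allow-list patterns (assumptions): eventid is a short URL-safe token, ruleid is numeric.
EVENT_ID = re.compile(r"[A-Za-z0-9@_-]{1,64}")
RULE_ID = re.compile(r"[0-9]{1,10}")


def parse_block_params(query_string):
    """Return validated eventid/ruleid/sourceip; a value that fails validation is None."""
    raw = {k: v[0] for k, v in parse_qs(query_string).items()}
    event = raw.get("eventid", "")
    rule = raw.get("ruleid", "")
    try:
        source = str(ipaddress.ip_address(raw.get("sourceip", "")))
    except ValueError:
        source = None
    return {
        "eventid": event if EVENT_ID.fullmatch(event) else None,
        "ruleid": rule if RULE_ID.fullmatch(rule) else None,
        "sourceip": source,
    }


def render_block_page(query_string):
    """Build the landing page HTML, escaping every value that came from the URL."""
    rows = "".join(
        "<tr><th>{}</th><td>{}</td></tr>".format(name, html.escape(value or "unavailable"))
        for name, value in parse_block_params(query_string).items()
    )
    return (
        "<!doctype html><title>Request blocked</title>"
        "<h1>Your request was blocked</h1>"
        "<p>Copy these details to the site administrator:</p>"
        "<table>" + rows + "</table>"
    )


if __name__ == "__main__":
    # Constructed sample query string, as it would look after the WAF expands the variables.
    print(render_block_page("eventid=UEdmPn8AAAEAAGx-ABC&ruleid=340162&sourceip=203.0.113.7"))
```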
chrismcb
Forum Regular

Thanks, I have done for now - but how, then, will the new features be implemented (like CAPTCHA and false-positive reporting)?

Can you recommend a fool-proof way of triggering the WAF to test it in action?
mikeshinn
Atomicorp Staff - Site Admin

chrismcb wrote:Thanks, I have done for now - but how, then, will the new features be implemented (like CAPTCHA and false-positive reporting)?
We will be providing a "blocked.php" in the near future, which will include the previously mentioned logic (CAPTCHA, role delegation etc.)

chrismcb wrote:Can you recommend a fool-proof way of triggering the WAF to test it in action?
If all your rules are enabled, and you do not have your IP address whitelisted, this is the standard test URL:

http://YOUR_HOST/foo.php?foo=http://www.example.com/abad_rfi.php

That will trigger rule 340162.
chrismcb
Forum Regular

Thanks, works well.

Are there any other variables which can be passed to the query string?

Two which would be of use would be the time of trigger and URL they tried to visit - that way, users can copy/paste a mini-report directly to an admin to check it out.
mikeshinn
Atomicorp Staff - Site Admin

chrismcb wrote:Are there any other variables which can be passed to the query string?
Yes, a lot in fact. We'll put together a list shortly.
chrismcb
Forum Regular

Great... Excellent feature that I can't wait to get to its full potential.
chrismcb
Forum Regular

mikeshinn wrote:Yes, a lot in fact. We'll put together a list shortly.
Hi Mike, did you ever get around to publishing this list? Or the self-unblocking CAPTCHA function?
mikeshinn
Atomicorp Staff - Site Admin

Thanks for the question. Current list of supported variables:

https://www.atomicorp.com/wiki/index.ph ... _Variables

And experimental variables are documented here:

https://www.atomicorp.com/wiki/index.ph ... _Variables

The landing page/captcha is still being worked on.
srpurdy
Forum Regular

Cool :)

I have a question regarding this feature.

Figured best to put it in here instead of making a new topic. I hope :)

I noticed the blocked address uses port 30000, which is an https port. I'm wondering about this because not every domain will work, as obviously I can't have multiple different SSL certs loading with different (server_names), so if I run a test attack on domain_1.com that shows in the address bar. Same if I attack domain_2.com.

Is there a solution for that? As most browsers would give a certificate warning. Although now that I type this out I guess I don't have to use the {server_name} variable. :)

Anyway I made a splash image too. (Yes I was bored) :P
403_error.jpg
chrismcb
Forum Regular

srpurdy wrote:I noticed the blocked address uses port 30000, which is an https port. I'm wondering about this because not every domain will work, as obviously I can't have multiple different SSL certs loading with different (server_names), so if I run a test attack on domain_1.com that shows in the address bar. Same if I attack domain_2.com.
Having the same issue - I have just hard-coded a domain in to redirect the attacker to which I know has a valid SSL certificate.

A non-ssl alternative per domain would be best though.
mikeshinn
Atomicorp Staff - Site Admin

You can change the redirect to anything you like. You do not have to use https or port 30000, that's just an example.

Example:

WAF_REDIRECT_URL="http://%{server_name}/blocked.html"

[root@asl-modsec-test ~]# wget http://localhost/bar.php?bar=http://www ... .com/snarg
--2012-09-05 16:55:14-- http://localhost/bar.php?bar=http://www ... .com/snarg
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://localhost/blocked.html [following]
--2012-09-05 16:55:14-- http://localhost/blocked.html
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65 [text/html]
Saving to: `blocked.html'

100%[======================================>] 65 --.-K/s in 0s

2012-09-05 16:55:14 (3.86 MB/s) - `blocked.html' saved [65/65]

BTW, love the graphic. :-)
srpurdy
Forum Regular

mikeshinn wrote:You can change the redirect to anything you like. You do not have to use https or port 30000, that's just an example.

Doh! I thought for some reason the information variables tied into ASL somehow but guess not. Works great now thanks. :)

Although I'm really displaying much just the ip address for now. :)

Also attached a basic template if anyone wants to use it. Included Twitter Bootstrap and responsive CSS. :P
blocked_bootstrap.zip
mikeshinn
Atomicorp Staff - Site Admin

No worries, glad I could help.

The idea behind the port 30000 and https was to redirect to a port/listener that maybe was always open, so even if you shunned the bad guy they would still get the page explaining why.