How to block XSS Vulnerability (Cross-site scripting) in Apache 2.2.x

May 19, 2011 – 7:43 pm
From time to time we need to close potential Cross-Site Scripting (XSS) holes at the Apache level. Usually this is not strictly necessary, because the web application itself should validate every variable it takes from GET or POST requests and encode it on output; an Apache-side filter is only a second line of defence. But sometimes, when passing a PCI compliance audit, we need to demonstrate this protection to the auditors.
First we need to stop Apache from processing TRACE and TRACK requests (an enabled TRACE method allows Cross-Site Tracing, where a script reads cookies and other headers out of the reflected request). I put something like the following in httpd.conf:

# TraceEnable exists since Apache 1.3.34 / 2.0.55 and disables TRACE server-wide
TraceEnable off

# Attn! mod_rewrite required; this also covers TRACK, which TraceEnable does not
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

This rejects both methods with a 403. Note that in Apache 2.2 mod_rewrite directives in the main server context are not inherited by <VirtualHost> sections unless those set RewriteOptions Inherit, so put the rules into every virtual host or add that option. We could block OPTIONS in the same way, but legitimate clients use it, and if you run an HTTPS version of your site this may not be a good idea.
Next, we need to respond with a 403 error to every GET or POST request that contains strings resembling cross-site scripting code. For this I use mod_security in Apache. I already had mod_security 1.x compiled, so I just loaded it into Apache and set up a filter; something like the following in httpd.conf. (Keep in mind that mod_security 1.x is long out of support and its SecFilter directives do not exist in ModSecurity 2.x, which uses SecRule instead.)

LoadModule security_module modules/mod_security.so
# Turn the filtering engine on
SecFilterEngine On
# Reject any request argument containing a byte outside printable ASCII (32-126);
# this also rejects newlines and all non-ASCII (UTF-8) input, so widen it if your forms accept such text
SecFilterForceByteRange 32 126
# Also inspect POST bodies, not just the URI and query string
SecFilterScanPOST On
# Reject anything containing a <script tag, allowing spaces or newlines after the '<'
SecFilter "<( |\n)*script"

Then I checked the configuration and restarted Apache:

# /usr/local/apache/bin/apachectl configtest
Syntax OK
# /usr/local/apache/bin/apachectl restart
#

Next, I tested my site for the XSS vulnerability and got a "positive result" in error_log: the request was rejected with 403 and mod_security logged the match:

[Thu May 19 13:09:12 2011] [error] [client 10.100.100.120] mod_security: Access denied with code 403. Pattern match "<( |\\\\n)*script" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "testshop.loc"] [uri "/cart_mod.html"] [unique_id "TdVOuGFKfJ8AAHoXBWYAAAAF"]
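To see concretely what the configuration above accepts and rejects, here is an added example (written for this page, not code from the original post, Apache or ModSecurity) that models the three rules in Python and runs them over a handful of constructed requests. It models only the query string and the POST body, assumes both are already URL-decoded as ModSecurity 1.x does before matching, and treats the rewrite rule's [F] and the SecFilter denial alike as a 403:

```python
"""Model of the httpd.conf rules from the page, run over constructed requests.

Constructed example; not part of Apache or ModSecurity. It reproduces the
decision each rule makes so you can see which payloads the configuration
blocks and which it lets through.
"""
import re
from typing import Dict, Tuple

# SecFilter "<( |\n)*script" -- the regex exactly as written in httpd.conf.
XSS_PATTERN = re.compile(r"<( |\n)*script")

# SecFilterForceByteRange 32 126 -- only printable ASCII is accepted.
PAGE_BYTE_RANGE = (32, 126)


def in_byte_range(data: bytes, byte_range: Tuple[int, int]) -> bool:
    """True when every byte of a (URL-decoded) argument lies inside byte_range."""
    lo, hi = byte_range
    return all(lo <= b <= hi for b in data)


def filter_request(method: str, query: bytes, body: bytes,
                   byte_range: Tuple[int, int] = PAGE_BYTE_RANGE) -> Tuple[int, str]:
    """Return (status, reason) the way the page's configuration would decide.

    Only the query string and POST body are modelled (SecFilter also looks at
    other parts of the request); both are assumed already URL-decoded.
    """
    # RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) / RewriteRule .* - [F]
    if re.match(r"^(TRACE|TRACK)", method):
        return 403, "method blocked by mod_rewrite"

    for location, data in (("QUERY_STRING", query), ("POST_PAYLOAD", body)):
        # SecFilterForceByteRange is enforced before any pattern filter runs.
        if not in_byte_range(data, byte_range):
            return 403, f"byte outside {byte_range[0]}-{byte_range[1]} in {location}"
        # SecFilterScanPOST On makes the body visible to SecFilter as well.
        if XSS_PATTERN.search(data.decode("latin-1")):
            return 403, "Pattern match at " + location
    return 200, "passed"


# Constructed sample requests: (label, method, query string, POST body).
SAMPLE_REQUESTS = [
    ("plain GET", "GET", b"id=42", b""),
    ("TRACE probe", "TRACE", b"", b""),
    ("TRACK probe", "TRACK", b"", b""),
    ("script tag in body", "POST", b"", b"comment=<script>alert(1)</script>"),
    ("script tag, padded", "POST", b"", b"comment=<   script>alert(1)</script>"),
    ("event handler, no script tag", "POST", b"", b"comment=<img src=x onerror=alert(1)>"),
    ("legitimate textarea with CRLF", "POST", b"", b"comment=line one\r\nline two"),
    ("legitimate UTF-8 text", "POST", b"", "comment=caf\u00e9".encode("utf-8")),
]


def run_samples(byte_range: Tuple[int, int] = PAGE_BYTE_RANGE) -> Dict[str, int]:
    """Map each sample label to the status the configuration would return."""
    return {label: filter_request(method, query, body, byte_range)[0]
            for label, method, query, body in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, method, query, body in SAMPLE_REQUESTS:
        status, reason = filter_request(method, query, body)
        print(f"{status}  {label:32s} {reason}")
    # Same requests with the byte range opened up to 1-255, which is what you
    # would do if the site accepts multi-line or non-ASCII form fields.
    print()
    for label, status in run_samples((1, 255)).items():
        print(f"{status}  {label}")
```

Run it and the two legitimate requests, a multi-line textarea and a UTF-8 field, come back 403 because of SecFilterForceByteRange 32 126 (which also means the `\n` branch of the SecFilter regex can never match in that configuration), while a payload without a `<script` tag, such as an onerror handler, passes straight through; the single signature is enough to satisfy a scanner, not a substitute for fixing the application. The second run with the range opened to 1-255 shows the false positives disappearing. Against the live server the same probes are one curl each, e.g. `curl -s -o /dev/null -w '%{http_code}' -X TRACE http://testshop.loc/`, which should print 403.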
