How to block XSS Vulnerability (Cross-site scripting) in Apache 2.2.x

How to block XSS Vulnerability (Cross-site scripting) in Apache 2.2.x

May 19, 2011 – 7:43 pm

Periodically we need to block Cross Site Scripting potential security hole in your apache apache. Usually this not necessary, because web application usually control variables which getting from GET or POST requests and completely filtrate it. But sometimes, when we passing PCI Compliance we need to demonstrate our security to auditors.
At first we need to block processing of TRACE and TRACK requests to our Apache, I write in httpd.conf
someting like:

TraceEnable off

# Attn! module rewrite required
RewriteEngine on
RewriteRule .* - [F]

This will block proceeding this methods. We may to block OPTIONS also, but if you have HTTPS version of your site, this maybe not good idea.
So, next step, we need a respond 403 error, to all GET and POST requests which contains strings similar cross site scripting code. In Apache usually I use mod_security. I already had compiled mod_security version 1.x, and just pluged it to my apache, and setup filter. Something like follow code from httpd.conf

LoadModule security_module modules/
SecFilterEngine On
SecFilterForceByteRange 32 126
SecFilterScanPOST On
SecFilter "<( |\n)*script"

Then I checked configs of my apache and the restart it:

# /usr/local/apache/bin/apachectl configtest
Syntax OK
# /usr/local/apache/bin/apachectl restart

So, next step I test my site to XXS vulnerability and got “positive result” in my error_log:

[Thu May 19 13:09:12 2011] [error] [client] mod_security: Access denied with code 403. Pattern match "<( |\\\\n)*script" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "testshop.loc"] [uri "/cart_mod.html"] [unique_id "TdVOuGFKfJ8AAHoXBWYAAAAF"]


Tinggalkan Balasan

Isikan data di bawah atau klik salah satu ikon untuk log in:


You are commenting using your account. Logout /  Ubah )

Foto Google+

You are commenting using your Google+ account. Logout /  Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout /  Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout /  Ubah )


Connecting to %s

%d blogger menyukai ini: