1 <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Miscellaneous Topics</title><link href="modsecurity-reference.css" rel="stylesheet" type="text/css"><meta content="DocBook XSL Stylesheets V1.69.1" name="generator"><link rel="start" href="index.html" title="ModSecurity® Reference
2 Manual"><link rel="up" href="index.html" title="ModSecurity® Reference
3 Manual"><link rel="prev" href="ar01s11.html" title="Persistant Storage"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div style="background:#F5F5F5;width:100%;border-top:1px solid #DDDDDD;border-bottom:1px solid #DDDDDD"><table width="100%" cellspacing="0" cellpadding="0"><tr><td><a href="http://www.modsecurity.org"><img style="margin:4px" src="modsecurity.gif" width="120" height="36" alt="ModSecurity" border="0"></a></td><td align="right"><a href="http://www.breach.com"><img style="margin:6px" src="breach-logo-small.gif" height="36" width="100" border="0"></a></td></tr></table></div><div id="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Miscellaneous Topics</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="ar01s11.html">Prev</a> </td><td align="center" width="60%"> <a accesskey="h" href="index.html">Home</a></td><td align="right" width="20%"> </td></tr></table><hr size="1"></div><div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="N11E63"></a>Miscellaneous Topics</h2></div></div><div></div></div><p></p><div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="N11E67"></a>Impedance Mismatch</h3></div></div><div></div></div><p>Web application firewalls have a difficult job trying to make
4 sense of data that passes by, without any knowledge of the application
5 and its business logic. The protection they provide comes from having an
6 independent layer of security on the outside. Because data validation is
7 done twice, security can be increased without having to touch the
8 application. In some cases, however, the fact that everything is done
9 twice brings problems. Problems can arise in the areas where the
10 communication protocols are not well specified, or where either the
11 device or the application do things that are not in the specification.
12 In such cases it may be possible to design payload that will be
13 interpreted in one way by one device and in another by the other device.
14 This problem is better known as Impedance Mismatch. It can be exploited
15 to evade the security devices.</p><p>While we will continue to enhance ModSecurity to deal with various
16 evasion techniques the problem can only be minimized, but never solved.
17 With so many different application backend chances are some will always
18 do something completely unexpected. The only solution is to be aware of
19 the technologies in the backend when writing rules, adapting the rules
20 to remove the mismatch. See the next section for some examples.</p><div class="section" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="N11E6E"></a>PHP Peculiarities for ModSecurity Users</h4></div></div><div></div></div><p>When writing rules to protect PHP applications you need to pay
21 attention to the following facts:</p><div class="orderedlist"><ol type="1"><li><p>When "register_globals" is set to "On" request parameters
22 are automatically converted to script variables. In some PHP
23 versions it is even possible to override the $GLOBALS
24 array.</p></li><li><p>Whitespace at the beginning of parameter names is ignored.
25 (This is very dangerous if you are writing rules to target
26 specific named variables.)</p></li><li><p>The remaining whitespace (in parameter names) is converted
27 to underscores. The same applies to dots and to a "[" if the
28 variable name does not contain a matching closing bracket.
29 (Meaning that if you want to exploit a script through a variable
30 that contains an underscore in the name you can send a parameter
31 with a whitespace or a dot instead.)</p></li><li><p>Cookies can be treated as request parameters.</p></li><li><p>The discussion about variable names applies equally to the
32 cookie names.</p></li><li><p>The order in which parameters are taken from the request and
33 the environment is EGPCS (environment, GET, POST, Cookies,
34 built-in variables). This means that a POST parameter will
35 overwrite the parameters transported on the request line (in
36 QUERY_STRING).</p></li><li><p>When "magic_quotes_gpc" is set to "On" PHP will use
37 backslash to escape the following characters: single quote, double
38 quote, backslash, and the nul byte.</p></li><li><p>If "magic_quotes_sybase" is set to "On" only the single
39 quote will be escaped using another single quote. In this case the
40 "magic_quotes_gpc" setting becomes irrelevant. The
41 "magic_quotes_sybase" setting completely overrides the
42 "magic_quotes_gpc" behaviour but "magic_quotes_gpc" still must be
43 set to "On" for the Sybase-specific quoting to be work.</p></li><li><p>PHP will also automatically create nested arrays for you.
44 For example "p[x][y]=1" results in a total of three
45 variables.</p></li></ol></div></div></div></div><div id="navfooter"><hr size="1"><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="ar01s11.html">Prev</a> </td><td align="center" width="20%"> </td><td align="right" width="40%"> </td></tr><tr><td valign="top" align="left" width="40%">Persistant Storage </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td valign="top" align="right" width="40%"> </td></tr></table></div><div align="center" class="copyright">Copyright (C) 2004-2009 <a href="http://www.breach.com">Breach Security</a></div></body></html>