
SecContentInjection is not yet supported #1883


Closed
dvyas opened this issue Aug 30, 2018 · 7 comments


dvyas commented Aug 30, 2018

I am getting the below error when using a ContentInjection rule:

vi /etc/nginx/nginx.conf
nginx -s reload
10:26:25 [notice] 118#118: ModSecurity-nginx v1.0.0
10:26:25 [emerg] 118#118: "modsecurity_rules" directive Rules error. File: <>. Line: 1. Column: 16. SecContentInjection is not yet supported. in /etc/nginx/nginx.conf:66

@victorhora victorhora self-assigned this Aug 30, 2018
@victorhora victorhora added RIP - libmodsecurity 3.x Related to ModSecurity version 3.x RIP - Type - Usage Related with usage (not a bug) labels Aug 30, 2018
@victorhora
Contributor

Yes. As stated by the error message and the reference manual, SecContentInjection is not supported in libModSecurity.

Author

dvyas commented Aug 30, 2018

Thanks. What is the rule setup for preventing CSRF in libmodsecurity?

@victorhora
Contributor

@dvyas, you could try virtual patching the vulnerable parameters.

Author

dvyas commented Aug 31, 2018

@victorhora can you give me one example? I am a newbie to modsecurity. Is there any rules file for virtual patching?

Author

dvyas commented Aug 31, 2018

How can I add a CSRF token? In modsecurity v2 it is SecContentInjection and then using append to add a token to the desired forms.

@victorhora
Contributor

You can't append content with SecContentInjection as of now with libModSecurity. This functionality is not planned to be implemented. See #1001 (comment).

This functionality was experimental in v2 and, due to performance reasons and also due to the functionality being too tied to the connector rather than the library, it's currently deprecated.

I recommend that you follow OWASP guidelines on implementing CSRF protection:

https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
https://www.owasp.org/index.php/CSRFProtector_Project
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API


meigea commented Apr 30, 2019

@victorhora Is there another setting to replace SecContentInjection that can produce a token with every phaser?
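
An example of the virtual patching approach suggested earlier in the thread, added here and not written by any participant or taken from the ModSecurity project: it needs no content injection, because it checks the Origin and Referer headers on state-changing requests to a single endpoint. The origin https://www.example.com, the path /account/transfer and the rule ids are assumptions chosen for illustration.

```apache
# Added example: CSRF virtual patch for one endpoint, ModSecurity v3 rule syntax.
# Assumptions (not from the thread): site origin https://www.example.com,
# vulnerable endpoint /account/transfer, rule ids 100100-100102.

# Rule 1: an Origin header is present but is not the site's own origin.
# If Origin is absent the last chained rule has nothing to inspect and the
# chain does not match, so that case is handled by rules 2 and 3.
SecRule REQUEST_METHOD "@rx ^(?:POST|PUT|PATCH|DELETE)$" \
    "id:100100,phase:1,deny,status:403,log,\
    msg:'CSRF virtual patch: cross-origin Origin header',chain"
    SecRule REQUEST_FILENAME "@streq /account/transfer" "chain"
        SecRule REQUEST_HEADERS:Origin "!@streq https://www.example.com"

# Rule 2: no Origin header, so fall back to Referer, which must start with
# the site's own origin followed by a slash.
SecRule REQUEST_METHOD "@rx ^(?:POST|PUT|PATCH|DELETE)$" \
    "id:100101,phase:1,deny,status:403,log,\
    msg:'CSRF virtual patch: no Origin and cross-origin Referer',chain"
    SecRule REQUEST_FILENAME "@streq /account/transfer" "chain"
        SecRule &REQUEST_HEADERS:Origin "@eq 0" "chain"
            SecRule REQUEST_HEADERS:Referer "!@beginsWith https://www.example.com/"

# Rule 3: neither header is present, so the source of the request cannot be
# established. Fail closed for this endpoint.
SecRule REQUEST_METHOD "@rx ^(?:POST|PUT|PATCH|DELETE)$" \
    "id:100102,phase:1,deny,status:403,log,\
    msg:'CSRF virtual patch: no Origin or Referer header',chain"
    SecRule REQUEST_FILENAME "@streq /account/transfer" "chain"
        SecRule &REQUEST_HEADERS:Origin "@eq 0" "chain"
            SecRule &REQUEST_HEADERS:Referer "@eq 0"
```

Rule 3 can reject legitimate clients that strip both headers, so run the three rules with `pass` in place of `deny` first and review the audit log before enforcing. Token-based protection of the kind the OWASP links describe still has to be implemented in the application itself.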
