Consider the following redirect SecRule, which is activated from a Lua script:

```apache
SecRule &TX:SQLI "@eq 1" "id:'129793',phase:2,t:none,redirect:http://www.example.com/failed.html,msg:'SQLi Injection Payload Found',setvar:REQUEST_HEADERS:Blocked"
```

When the variable tx.sqli is given a value, the rule is activated. The redirection is successful, but the rule also attempts to create a new "Blocked" request header, and that creation is unsuccessful.

The debug log outputs the following:

```
Could not set variable "REQUEST_HEADERS.Blocked" as the collection does not exist.
```

This is obviously incorrect. How does ModSecurity create a new request header?

Futh

1 Answer

In ModSecurity, most of the standard collections (including REQUEST_HEADERS) are read-only. You would therefore set a variable, not a REQUEST_HEADER.

It doesn't usually make sense to set a REQUEST_HEADER. A RESPONSE_HEADER I can see more use for, but it's similarly read-only, and to alter that you need to use the standard mod_headers module:

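```apache
# Use ModSecurity to set an environment variable
# (the action is spelled "setenv"; with no value given it is set to 1)
SecRule &TX:SQLI "@eq 1" "id:'129793',phase:2,setenv:BLOCK_RESPONSE"

# Use mod_headers to set the header based on that environment variable
Header set Blocked "True" env=BLOCK_RESPONSE
```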

Though honestly not sure how or if that would work with a redirect as a ModSecurity action or whether that happens immediately.

Barry Pollard
  • What you're saying makes a lot of sense, thank you. I store the details of the log file, including the request headers. I just wanted to store the fact that something had been blocked; hence creating the additional request header. I will use this `mod_header` function; I saw it referenced elsewhere. I guess that this is not inserted into the ModSecurity config file, but somewhere in Apache. – Futh Aug 10 '16 at 22:20
  • You could try the same thing I gave but instead of "Header set" use "RequestHeader set" – Barry Pollard Aug 10 '16 at 22:23
  • Sure thing, will give it a go and get back to you. I just need to figure out where to put this mod_header line first. – Futh Aug 10 '16 at 22:36
  • Your answer was correct in all senses. First, the code that you provided above was correct. Second, you were also correct in your assertion that a `deny` or a `redirect` action is executed before the write to a Response Header. Perhaps there is another way of communicating down the chain that some traffic was denied or redirected. – Futh Aug 11 '16 at 10:02