Cookie Poisoning
Contents |
Cookie Poisoning
Synopsis
Cookie Poisoning module monitor the Set-Cookies headers and the cookie values in the repsonse from server side. If the monitored cookie values are changed by the client side, this module detect this and do action according to user settings.
This module depends on Session module, so before use the directives of this module you need to enable session support first.
Directives
cookie_poisoning
Syntax | cookie_poisoning on | off; |
Default | off |
Context | Location |
Enable cookie poisoning protection in a location
For instance:
server { session on; ... location / { cookie_poisoning on; ... } }
cookie_poisoning_action
Syntax | cookie_poisoning_action block | pass | remove | blacklist,num; |
Default | block |
Context | Location |
This directive specifies the action when cookie values are detected changed.
Supported actions are:
- block, block the request and drop it.
- pass, let the request pass SEnginx
- remove, remove the poisoned cookie in the request and then pass the request to backend.
- blacklist, add this session into the blacklist when the block-times reaches the threshold.
Example:
cookie_poisoning_action block; //block cookie_poisoning_action remove; //remove cookie value cookie_poisoning_action blacklist,5; //after block for 5 times, add the session to blacklist
cookie_poisoning_log
Syntax | cookie_poisoning_log on | off; |
Default | off |
Context | Location |
enable or disalbe the logging functionlaity. If this is enabled, this module will write an alert log into SEnginx's error log when an attack has been detected
Example:
cookie_poisoning_log on;
cookie_poisoning_whitelist
Syntax | cookie_poisoning_whitelist ua_var_name=UA whitlist ip_var_name=IP whitelist ip_var_value=value; |
Default | - |
Context | Location |
This directive specifies which IP whitelist and User-Agent whitelist to use. The IP whitelist is provided by nginx's geo module.
Example:
#Define an IP whitelist geo $ip_wl { ranges; default 0; 127.0.0.1-127.0.0.1 1; 3.0.0.1-3.2.1.254 1; } #Define an User Agent whitelist whitelist_ua $ua_wl { "autotest" ".*\.test\.com"; } server { location / { cookie_poisoning_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1; ... } }
Statistics
Use SEnginx Statistics module to see cookie poisoning attacks statistics.