diff --git a/java/ModSecurityLoader/build.xml b/java/ModSecurityLoader/build.xml
new file mode 100644
index 00000000..53ccb231
--- /dev/null
+++ b/java/ModSecurityLoader/build.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+
+
+
+
+ Builds, tests, and runs the project ModSecurityLoader.
+
+
+
diff --git a/java/ModSecurityLoader/manifest.mf b/java/ModSecurityLoader/manifest.mf
new file mode 100644
index 00000000..328e8e5b
--- /dev/null
+++ b/java/ModSecurityLoader/manifest.mf
@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+X-COMMENT: Main-Class will be added automatically by build
+
diff --git a/java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java b/java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java
new file mode 100644
index 00000000..1c3bf20f
--- /dev/null
+++ b/java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java
@@ -0,0 +1,32 @@
+package org.modsecurity.loader;
+
+import java.io.File;
+
+public class ModSecurityLoader {
+
+ private static final String MODSECURITYLIBSDIR_PATH = "c:\\work\\mod_security\\java\\libs\\"; //directory with ModSecurity native libraries
+
+ static {
+ File modSecDir = new File(MODSECURITYLIBSDIR_PATH);
+
+ File[] flibs = modSecDir.listFiles();
+ System.out.println("len" + flibs.length);
+
+ loadLib(flibs, "zlib1");
+ loadLib(flibs, "libxml2");
+ loadLib(flibs, "pcre");
+ loadLib(flibs, "libapr-1");
+ loadLib(flibs, "libapriconv-1");
+ loadLib(flibs, "libaprutil-1");
+ loadLib(flibs, "ModSecurityJNI");
+ }
+
+ private static void loadLib(File[] files, String lib) {
+ for (int i = 0; i < files.length; i++) {
+ if (files[i].getName().startsWith(lib)) {
+ System.load(files[i].getAbsolutePath());
+ break;
+ }
+ }
+ }
+}
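Review bot: `modSecDir.listFiles()` on the `File[] flibs` line returns null when MODSECURITYLIBSDIR_PATH does not exist or is not a directory, so the `flibs.length` in the debug print right after it throws a NullPointerException inside the static initializer, which reaches the caller as an ExceptionInInitializerError that never names the path. loadLib has the mirror problem: when no file name starts with the requested prefix it returns silently, and the missing library only shows up later as an UnsatisfiedLinkError from whichever JNI call needs it. Both should fail loudly with the path and library name, and the `System.out.println("len" + flibs.length)` line looks like leftover debugging. The directory is also a hard-coded Windows path; reading it from a system property with that value as the default (a property such as `modsecurity.libs.dir`, for example) would let the jar be deployed without rebuilding, and since every matching file under it is executed in-process via System.load the deployment notes should state that only the server administrator may write to that directory.
```java
    static {
        File modSecDir = new File(MODSECURITYLIBSDIR_PATH);
        File[] flibs = modSecDir.listFiles();
        if (flibs == null) {
            throw new UnsatisfiedLinkError("ModSecurity native library directory is missing or unreadable: " + MODSECURITYLIBSDIR_PATH);
        }
        // … unchanged: the seven loadLib(flibs, ...) calls …
    }

    private static void loadLib(File[] files, String lib) {
        for (File f : files) {
            if (f.getName().startsWith(lib)) {
                System.load(f.getAbsolutePath());
                return;
            }
        }
        throw new UnsatisfiedLinkError("ModSecurity native library '" + lib + "' not found in " + MODSECURITYLIBSDIR_PATH);
    }
```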
diff --git a/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurity.java b/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurity.java
index d35327ce..cccc9379 100644
--- a/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurity.java
+++ b/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurity.java
@@ -22,22 +22,14 @@ public final class ModSecurity {
private long confTime;
static {
-// try {
-// Class.forName("org.modsecurity.loader.ModSecurityLoader");
-// System.out.println("MS loader found");
-// } catch (ClassNotFoundException ex) {
-// Logger.getLogger(ModSecurity.class.getName()).log(Level.SEVERE, null, ex);
-// }
-
- //TODO: bad practice (if we have two webapps using ModSecurity, one will raise UnsatisfiedLinkError),
- //native libraries should be loaded in server's root classloader
- System.load("c:\\work\\mod_security\\java\\libs\\zlib1.dll");
- System.load("c:\\work\\mod_security\\java\\libs\\libxml2.dll");
- System.load("c:\\work\\mod_security\\java\\libs\\pcre.dll");
- System.load("c:\\work\\mod_security\\java\\libs\\libapr-1.dll");
- System.load("c:\\work\\mod_security\\java\\libs\\libapriconv-1.dll");
- System.load("c:\\work\\mod_security\\java\\libs\\libaprutil-1.dll");
- System.load("c:\\work\\mod_security\\java\\Debug\\ModSecurityJNI.dll");
+ try {
+ //ModSecurityLoader calls System.load() for every native library needed by ModSecurity
+ Class.forName("org.modsecurity.loader.ModSecurityLoader");
+ System.out.println("ModSecurity libraries loaded.");
+ } catch (ClassNotFoundException ex) {
+ java.util.logging.Logger.getLogger(ModSecurity.class.getName()).log(java.util.logging.Level.SEVERE,
+ "ModSecurityLoader was not found, please make sure that you have \"ModSecurityLoader.jar\" in your server lib folder.", ex);
+ }
}
public ModSecurity(FilterConfig fc, String confFile) throws ServletException {
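Review bot: The new handler on the `} catch (ClassNotFoundException ex) {` line only covers a missing ModSecurityLoader.jar; if the loader class is found but its static initializer fails (bad library directory, missing or unloadable .dll), Class.forName throws ExceptionInInitializerError or UnsatisfiedLinkError, neither of which is caught here, so this class's own initialization presumably fails with the loader's raw error and none of the context in the existing message. Add a second handler so that case is logged with the same guidance, e.g. `} catch (LinkageError err) {` followed by `java.util.logging.Logger.getLogger(ModSecurity.class.getName()).log(java.util.logging.Level.SEVERE, "ModSecurity native libraries could not be loaded; check the ModSecurityLoader library directory.", err);`. The `System.out.println("ModSecurity libraries loaded.")` line would also be better as an INFO entry through that same logger rather than stdout. The static block is complete in the hunk, but the enclosing class ModSecurity starts and ends outside it.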
diff --git a/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurityFilter.java b/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurityFilter.java
index afc021ee..50974dba 100644
--- a/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurityFilter.java
+++ b/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurityFilter.java
@@ -25,7 +25,7 @@ public class ModSecurityFilter implements Filter {
throw new ServletException("ModSecurity: parameter 'conf' not available in web.xml");
}
-
+
modsecurity = new ModSecurity(fc, confFilename);
}
@@ -39,28 +39,25 @@ public class ModSecurityFilter implements Filter {
int status = modsecurity.onRequest(modsecurity.getConfFilename(), httpTran, modsecurity.checkModifiedConfig()); //modsecurity reloads only if primary config file is modified
if (status != ModSecurity.DECLINED) {
- if (status > 0) {
- httpTran.getHttpResponse().setStatus(status);
- httpTran.getHttpResponse().sendError(status);
- }
+ httpTran.getHttpResponse().sendError(403);
return;
}
//process request
fc.doFilter(httpTran.getMsHttpRequest(), httpTran.getMsHttpResponse());
-
-
+
+
status = modsecurity.onResponse(httpTran);
-
- if(status != ModSecurity.OK && status != ModSecurity.DECLINED) {
+
+ if (status != ModSecurity.OK && status != ModSecurity.DECLINED) {
httpTran.getMsHttpResponse().reset();
httpTran.getMsHttpResponse().setStatus(status);
}
-
+
} finally {
httpTran.destroy();
}
-
+
}
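Review bot: The `httpTran.getHttpResponse().sendError(403);` line discards the status that onRequest returned, whereas the response path a few lines down still forwards its status through setStatus(status); the removed branch treated a positive status as the HTTP code to send, so if onRequest can report a rule-chosen status (a redirect or a non-403 denial), that choice is now lost. If 403 is deliberately the only answer for a blocked request, a comment should say so and the magic number should become `HttpServletResponse.SC_FORBIDDEN` (assuming the servlet API type is in scope in this file); otherwise keep the engine's value when it is one, e.g. `httpTran.getHttpResponse().sendError(status > 0 ? status : HttpServletResponse.SC_FORBIDDEN);`. The surrounding doFilter method starts before the hunk.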
@Override
diff --git a/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpServletRequest.java b/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpServletRequest.java
index b2a8b85f..e7b8fa65 100644
--- a/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpServletRequest.java
+++ b/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpServletRequest.java
@@ -16,7 +16,6 @@ import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
-import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
@@ -28,7 +27,6 @@ import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.DefaultFileItem;
import org.apache.commons.fileupload.DiskFileUpload;
import org.apache.commons.fileupload.FileItem;
diff --git a/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpTransaction.java b/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpTransaction.java
index 5d50cf5f..7217ce43 100644
--- a/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpTransaction.java
+++ b/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpTransaction.java
@@ -19,6 +19,7 @@ public class MsHttpTransaction {
public MsHttpTransaction(ServletRequest req, ServletResponse res) {
tranID = UUID.randomUUID().toString();
+ tranID = tranID.replace('-', '0');
this.req = (HttpServletRequest)req;
this.res = (HttpServletResponse)res;
this.msReq = new MsHttpServletRequest(this.req);
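Review bot: The added `tranID = tranID.replace('-', '0');` line has no comment saying why the UUID's hyphens are rewritten to zeros rather than stripped; a reader cannot tell whether the consumer of the transaction id (presumably the native side, given the HTTPTRANSACTION_TRANSACTIONID_MET binding elsewhere in this commit) needs a fixed 36-character id, forbids hyphens, or only accepts alphanumerics. Uniqueness is unaffected because the hyphens sit at fixed positions in a UUID string, but that is not obvious from the line either. Add a one-line comment naming the actual constraint, for instance `// ModSecurity expects an id without '-'; substitute '0' to keep the length fixed`, or if the length does not matter use `UUID.randomUUID().toString().replace("-", "")` instead. The constructor continues past the end of the hunk.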
diff --git a/java/ModSecurityTestApp/web/help.html b/java/ModSecurityTestApp/web/help.html
new file mode 100644
index 00000000..bfc13d1f
--- /dev/null
+++ b/java/ModSecurityTestApp/web/help.html
@@ -0,0 +1,76 @@
+
+
+
+ ModSecurity WAF: Help page
+
+
+
+
+
+

+
+
+
+
+
+ ModSecurity for Java - Help Page
+ |
+
+
+ |
+
+ ModSecurity is an open source intrusion detection and prevention engine for web
+ applications. It can also be called an web application firewall. It operates embedded into
+ the web server, acting as a powerful umbrella, shielding applications from attacks.
+
+
+ ModSecurity for Java is designed as a Java Servlet Filter which makes use of ModSecurity's
+ native code using the JNI technology.
+
+
+
+ Installation
+
+ First you need to choose whether to install the latest version of ModSecurity directly from
+ github.com/SpiderLabs/ModSecurity or using pre-compiled binaries from
+ modsecurity.org. We will not discuss how to compile
+ the native libraries needed since these steps are described in the README files from ModSecurity's repository.
+ The native libraries (.so, .dll, etc.) needed for ModSecurity for Java are:
+
+
+ -
+ zlib1
+
+ -
+ libxml2
+
+ -
+ pcre
+
+ -
+ libapr-1
+
+ -
+ libapriconv-1
+
+ -
+ libaprutil-1
+
+ -
+ ModSecurityJNI
+
+
+
+
+ These libraries are loaded by the ModSecurityLoader.jar, which should be placed in your Java server library loader
+ (for example, in Tomcat 7: $CATALINA_HOME/lib). You can build/modify load directory the ModSecurityLoader from
+ /mod_security/java/ModSecurityLoader/src/. The libraries have to be copied in a directory (for example, c:\work\mod_security\java\libs\),
+ which should be accessible to ModSecurityLoader.jar.
+
+ |
+
+
+
+
+
+
diff --git a/java/ModSecurityTestApp/web/index.jsp b/java/ModSecurityTestApp/web/index.jsp
index aff0d0c2..3e560638 100644
--- a/java/ModSecurityTestApp/web/index.jsp
+++ b/java/ModSecurityTestApp/web/index.jsp
@@ -3,12 +3,102 @@
- JSP Page
+ ModSecurity WAF for Java: Demo page
-
-
+
+
+
+
+
+
+
+
+
+
+
+ ModSecurity Core Rule Set (CRS) - Installed demo
+ |
+
+
+ |
+
+ Please feel free to inject malicious input to stress test the ModSecurity Core Rule Set (CRS). The form accepts both GET and POST request methods. You can either do this via the form below or manually.
+
+
+ Check your servlet context logging for ModSecurity output. The request may also be blocked if, for example, SecRuleEngine is On.
+
+
+ You can also access the ModSecurity for Java - Help page.
+
+ |
+
+
+
+
+
+
+
+
+
+
+
+ |
+
+
+
+
+ <% if (request.getParameter("test") != null) {%>
+ Last submitted payload:
+ <%= request.getParameter("test")%>
+
+ <% }%>
+ |
+
+
+
+
+
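Review bot: The value echoed by the `<%= request.getParameter("test")%>` line is written into the page without HTML encoding, so any markup in the submitted value is rendered by the browser instead of displayed. For a page whose stated purpose is to feed test payloads to the filter this is exactly where output encoding matters: a payload the engine lets through (the text above notes that blocking depends on SecRuleEngine being On) would execute in the tester's browser rather than being shown as text. Encode before output, e.g. `<c:out value="${param.test}"/>` if JSTL is on the classpath, or otherwise HTML-escape the string in a scriptlet, and add a short JSP comment stating that the raw parameter is displayed only after encoding.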
diff --git a/java/org_modsecurity_ModSecurity.cpp b/java/org_modsecurity_ModSecurity.cpp
index 6b814e04..311e2289 100644
--- a/java/org_modsecurity_ModSecurity.cpp
+++ b/java/org_modsecurity_ModSecurity.cpp
@@ -34,7 +34,6 @@
#define HTTPTRANSACTION_TRANSACTIONID_MET "getTransactionID"
-
#define SERVLETREQUEST_SERVERNAME_MET "getServerName"
#define SERVLETREQUEST_CHARENCODING_MET "getCharacterEncoding"
#define SERVLETREQUEST_CONTENTTYPE_MET "getContentType"
@@ -64,9 +63,6 @@
#define MSSERVLETRESPONSE_OUTPUTSTREAM_MET "getByteArrayStream"
#define MSSERVLETRESPONSE_OUTPUTSTREAM_SIG "()Ljava/io/ByteArrayInputStream;"
-#define MSSERVLETRESPONSE_RESET_MET "reset"
-#define MSSERVLETRESPONSE_RESET_SIG "()V"
-
//typedef struct {
JavaVM *jvm;
@@ -210,7 +206,7 @@ void logSec(void *obj, int level, char *str)
(env)->CallVoidMethod(modSecurityInstance, logMethod, level, jStr);
(jvm)->DetachCurrentThread();
- //in the context of a JVM thread, any leaked local references are automatically cleaned up.
+ //in the context of a JVM thread, any leaked local references are automatically cleaned up
//(env)->ReleaseStringUTFChars(jStr, str);
}
}
@@ -249,9 +245,6 @@ apr_status_t ReadBodyCallback(request_rec *r, char *buf, unsigned int length, un
*readcnt = count;
memcpy(buf, bufferPtr, *readcnt);
- //const char *test = "Foo' or '2' < '1' ;--";
- //memcpy(buf, test, strlen(test));
-
}
(env)->ReleaseByteArrayElements(byteArrayBuf, bufferPtr, NULL);
(env)->DeleteLocalRef(byteArrayBuf);