diff --git a/java/ModSecurityLoader/dist/ModSecurityLoader.jar b/java/ModSecurityLoader/dist/ModSecurityLoader.jar new file mode 100644 index 00000000..f1c1180b Binary files /dev/null and b/java/ModSecurityLoader/dist/ModSecurityLoader.jar differ diff --git a/java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java b/java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java index 1c3bf20f..5008a573 100644 --- a/java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java +++ b/java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java @@ -10,7 +10,6 @@ public class ModSecurityLoader { File modSecDir = new File(MODSECURITYLIBSDIR_PATH); File[] flibs = modSecDir.listFiles(); - System.out.println("len" + flibs.length); loadLib(flibs, "zlib1"); loadLib(flibs, "libxml2"); @@ -19,6 +18,16 @@ public class ModSecurityLoader { loadLib(flibs, "libapriconv-1"); loadLib(flibs, "libaprutil-1"); loadLib(flibs, "ModSecurityJNI"); + + //alternative load, this requires native libraries to be in java.library.path, you can set it + //by specifying server VM start-up option: -Djava.library.path=path/to/libs/ +// System.loadLibrary("zlib1"); +// System.loadLibrary("libxml2"); +// System.loadLibrary("pcre"); +// System.loadLibrary("libapr-1"); +// System.loadLibrary("libapriconv-1"); +// System.loadLibrary("libaprutil-1"); +// System.loadLibrary("ModSecurityJNI"); } private static void loadLib(File[] files, String lib) { @@ -29,4 +38,8 @@ public class ModSecurityLoader { } } } + + public void main(String[] args) { + + } } diff --git a/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurity.java b/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurity.java index cccc9379..30f35821 100644 --- a/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurity.java +++ b/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurity.java 
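Review bot: The block of commented-out `System.loadLibrary` calls added after `loadLib(flibs, "ModSecurityJNI")` repeats the library list already expressed by the `loadLib` calls above it and will silently drift from them; keep the two explanatory comment lines and move the alternative itself to help.html, or put it behind a documented system property instead of leaving dead code. If it stays, note that `loadLibrary` applies the platform name mapping, so `System.loadLibrary("libxml2")` resolves to `libxml2.dll` on Windows but to `liblibxml2.so` on Linux — the names only work as written on Windows, which the comment should state. The static initializer this hunk belongs to starts outside the hunk.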
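Review bot: `public void main(String[] args)` added at the end of the class is an instance method, so the standard launcher will not treat it as an entry point (that requires `public static void main`), and its body is empty, so it does nothing even if called. Either drop it or make it a static smoke test that reports which directory the class initializer scanned, e.g. `public static void main(String[] args) { System.out.println("ModSecurity native libraries loaded from " + MODSECURITYLIBSDIR_PATH); }` — running the class initializes it first, so reaching the print means every `loadLib` succeeded. The `loadLib` method whose closing braces open this hunk begins outside it.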
@@ -22,14 +22,24 @@ public final class ModSecurity { private long confTime; static { + //ModSecurityLoader calls System.load() for every native library needed by ModSecurity. try { - //ModSecurityLoader calls System.load() for every native library needed by ModSecurity Class.forName("org.modsecurity.loader.ModSecurityLoader"); System.out.println("ModSecurity libraries loaded."); } catch (ClassNotFoundException ex) { java.util.logging.Logger.getLogger(ModSecurity.class.getName()).log(java.util.logging.Level.SEVERE, "ModSecurityLoader was not found, please make sure that you have \"ModSecurityLoader.jar\" in your server lib folder.", ex); } + + //If the ModSecurityLoader is not used, native libraries can be loaded here, however this is bad practice since this will raise UnsatisfiedLinkError if + //ModSecurity is used in multiple webapps. This will also will raise problems when the web-app is redeployed and the server is running. +// System.load("c:\\work\\mod_security\\java\\libs\\zlib1.dll"); +// System.load("c:\\work\\mod_security\\java\\libs\\libxml2.dll"); +// System.load("c:\\work\\mod_security\\java\\libs\\pcre.dll"); +// System.load("c:\\work\\mod_security\\java\\libs\\libapr-1.dll"); +// System.load("c:\\work\\mod_security\\java\\libs\\libapriconv-1.dll"); +// System.load("c:\\work\\mod_security\\java\\libs\\libaprutil-1.dll"); +// System.load("c:\\work\\mod_security\\java\\Debug\\ModSecurityJNI.dll"); } public ModSecurity(FilterConfig fc, String confFile) throws ServletException { diff --git a/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurityFilter.java b/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurityFilter.java index 50974dba..0892a049 100644 --- a/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurityFilter.java +++ b/java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurityFilter.java 
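Review bot: The newly added commented-out `System.load` calls hard-code developer-machine absolute paths (`c:\work\mod_security\java\libs\...` and a `Debug\ModSecurityJNI.dll` build artifact) that should not be committed; the explanatory comment above them is worth keeping, but the path list belongs in help.html. Separately, `catch (ClassNotFoundException ex)` only covers a missing ModSecurityLoader.jar: when the loader class is found but its own static initializer fails, `Class.forName` propagates `UnsatisfiedLinkError` (or `ExceptionInInitializerError`) uncaught, so the "please make sure that you have ModSecurityLoader.jar" message never appears for the misconfiguration the new comment describes — add `catch (LinkageError ex)` with its own message naming the library directory. The `System.out.println("ModSecurity libraries loaded.")` in the success branch should also go through the same `java.util.logging` logger as the failure branch so both outcomes land in the server log.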
@@ -1,6 +1,7 @@ package org.modsecurity; import java.io.IOException; +import java.net.URLDecoder; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; @@ -25,7 +26,6 @@ public class ModSecurityFilter implements Filter { throw new ServletException("ModSecurity: parameter 'conf' not available in web.xml"); } - modsecurity = new ModSecurity(fc, confFilename); } @@ -35,14 +35,14 @@ public class ModSecurityFilter implements Filter { HttpServletResponse httpResp = (HttpServletResponse) response; MsHttpTransaction httpTran = new MsHttpTransaction(httpReq, httpResp); //transaction object used by native code - try { + try { int status = modsecurity.onRequest(modsecurity.getConfFilename(), httpTran, modsecurity.checkModifiedConfig()); //modsecurity reloads only if primary config file is modified if (status != ModSecurity.DECLINED) { httpTran.getHttpResponse().sendError(403); return; } - + //process request fc.doFilter(httpTran.getMsHttpRequest(), httpTran.getMsHttpResponse()); diff --git a/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpServletRequest.java b/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpServletRequest.java index e7b8fa65..2982298d 100644 --- a/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpServletRequest.java +++ b/java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpServletRequest.java 
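Review bot: `import java.net.URLDecoder;` is added in the first hunk, but nothing in the visible hunks uses it; if no other part of the file does either, drop it, since an unused import reads as an abandoned decoding step (the same import is added to index.jsp in this commit, which suggests the decoding moved there). The remaining two hunks of this file are whitespace-only. `doFilter`, which the third hunk sits in, starts and ends outside the hunk.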
@@ -132,17 +132,18 @@ public class MsHttpServletRequest extends HttpServletRequestWrapper { String contentType = req.getContentType(); bodyBytes = new byte[bytes.length]; System.arraycopy(bytes, 0, bodyBytes, 0, bytes.length); - + body = new String(bodyBytes, encoding); if ((contentType != null) && ((contentType.compareTo("application/x-www-form-urlencoded") == 0) || (contentType.compareTo("application/x-form-urlencoded") == 0))) { addUrlEncoded(body); } } - + @Override public int getContentLength() { - if (bodyBytes == null) + if (bodyBytes == null) { return req.getContentLength(); + } return bodyBytes.length; } @@ -275,7 +276,7 @@ public class MsHttpServletRequest extends HttpServletRequestWrapper { } } } - + //test with <£2.00 price if (flag == 1) { value = ""; if (startPos != -1) { diff --git a/java/ModSecurityTestApp/web/WEB-INF/web.xml b/java/ModSecurityTestApp/web/WEB-INF/web.xml index 1e957606..b752f867 100644 --- a/java/ModSecurityTestApp/web/WEB-INF/web.xml +++ b/java/ModSecurityTestApp/web/WEB-INF/web.xml @@ -10,8 +10,11 @@ org.modsecurity.ModSecurityFilter conf - c:\inetpub\wwwroot\owasp-crs\modsecurity.conf - + c:\inetpub\wwwroot\owasp-crs\modsecurity.conf + diff --git a/java/ModSecurityTestApp/web/help.html b/java/ModSecurityTestApp/web/help.html index 2e26bccd..efb5d153 100644 --- a/java/ModSecurityTestApp/web/help.html +++ b/java/ModSecurityTestApp/web/help.html @@ -8,8 +8,12 @@ font-family: Courier; font-size: 14px; } + .codecanvas { + background: #DDDDDD; + } +
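Review bot: The content-type test guarding the retained `addUrlEncoded(body)` call uses an exact `compareTo`, so a form post whose header carries a parameter (`application/x-www-form-urlencoded; charset=UTF-8`, which browsers and HTTP clients commonly send) or differs in case is not recognised and its body is never passed to `addUrlEncoded`; since this wrapper is presumably what the filter hands to the native side, form fields in such requests would not be parsed here. Compare only the media type: `String mediaType = contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);` followed by `if (mediaType.equals("application/x-www-form-urlencoded") || mediaType.equals("application/x-form-urlencoded")) { addUrlEncoded(body); }`, with `java.util.Locale` imported. This is pre-existing behaviour that the brace and whitespace changes in this hunk leave untouched; the method it belongs to starts outside the hunk.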
@@ -30,18 +34,18 @@ the web server, acting as a powerful umbrella, shielding applications from attacks.

- ModSecurity for Java is designed as a Java Servlet Filter which makes use of ModSecurity's + ModSecurity for Java is designed as a Java Filter which makes use of ModSecurity's native code using the JNI technology.

- +

Installation

- First you need to choose whether to install the latest version of ModSecurity directly from + First you need to choose whether to download and compile ModSecurity from the project's version control web-site: github.com/SpiderLabs/ModSecurity or using pre-compiled binaries from modsecurity.org. We will not discuss how to compile - the native libraries needed since these steps are described in the README files from ModSecurity's repository. - The native libraries (.so, .dll, etc.) needed for ModSecurity for Java are: + the dependent native libraries needed since these steps are described in the README files from ModSecurity's repository. + The native libraries (.so, .dll, etc.) needed for ModSecurity for Java are:

  1. @@ -66,13 +70,58 @@ ModSecurityJNI
- +

- These libraries are loaded by the ModSecurityLoader.jar, which should be placed in your Java server library loader + These native libraries are loaded by the ModSecurityLoader.jar, which should be placed in your Java server library loader (for example, in Tomcat 7: $CATALINA_HOME/lib). You can build or modify the load directory of ModSecurityLoader from /mod_security/java/ModSecurityLoader/src/. The libraries have to be copied in a directory (for example, c:\work\mod_security\java\libs\), which should be accessible to ModSecurityLoader.jar.

+ +
+

Java Web Applications with ModSecurity Filter

+

+ ModSecurity for Java uses Java Filters in order to + intercept Http requests and responses. ModsecurityTestApp is an example of Java EE Web application using the ModSecurity + Filter. To use ModSecurity Filter in your Web application, copy the source files from + mod_security/java/ModSecurityTestApp/src/ + in your application and add the following entry for the filter tag in your web.xml file: +

+ +

+<filter>
+        <filter-name>ModSecurityFilter</filter-name>
+	    <filter-class>org.modsecurity.ModSecurityFilter</filter-class>
+	    <init-param>
+                <param-name>conf</param-name>
+                <param-value>c:\inetpub\wwwroot\owasp-crs\modsecurity.conf</param-value> 
+                <!-- Path to the main configuration file of ModSecurity. You can activate the core 
+                     rules by including in modsecurity.conf file:
+                        Include modsecurity_crs_10_setup.conf
+                        Include activated_rules\*.conf
+                -->
+            </init-param>
+    </filter>
+
+    <filter-mapping>
+	    <filter-name>ModSecurityFilter</filter-name>
+	    <url-pattern>/*</url-pattern>
+    </filter-mapping>
+</filter>
+                            
+                            
+ +

+ The ModSecurity Filter makes use of the native libraries written in C/C++ using the JNI technology. + As stated earlier, the native libraries are loaded by the ModSecurityLoader.jar + which should be loaded by the server at start-up. If you are unable to configure the server to load the + ModSecurity libraries at startup, you may load them in your web application although this is not + recommended because this will raise UnsatisfiedLinkError if the ModSecurity + Filter is used in multiple applications within the same server. +

+
+
+
diff --git a/java/ModSecurityTestApp/web/index.jsp b/java/ModSecurityTestApp/web/index.jsp index 3e560638..628e0934 100644 --- a/java/ModSecurityTestApp/web/index.jsp +++ b/java/ModSecurityTestApp/web/index.jsp @@ -1,3 +1,4 @@ +<%@page import="java.net.URLDecoder"%> <%@page contentType="text/html" pageEncoding="UTF-8"%> @@ -34,7 +35,7 @@ -
+ Payload:
@@ -88,10 +89,10 @@ - + <% if (request.getParameter("test") != null) {%>

Last submitted payload:

-

<%= request.getParameter("test")%>

+

<%= request.getParameter("test") %>


<% }%> diff --git a/java/Readme.html b/java/Readme.html new file mode 100644 index 00000000..e7db2746 --- /dev/null +++ b/java/Readme.html @@ -0,0 +1,9 @@ + + + + ModSecurity WAF: Help page + + + Please read the instructions from ./ModSecurityTestApp/web/help.html + + \ No newline at end of file
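Review bot: `<%= request.getParameter("test") %>` writes the submitted parameter back into the page without HTML encoding, so the test page reflects whatever it received; if that is deliberate because this page is the target the filter in front of it is meant to protect, say so with a JSP comment such as `<%-- intentionally unescaped: this page exists to exercise the ModSecurity filter --%>`, otherwise encode the value before output. The `java.net.URLDecoder` page import added in the first hunk is not used in either visible hunk; if the decoding happens in a line the extraction dropped, fine, otherwise remove it.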