modsecurity loader

Mihai Pitu
2013-08-09 15:48:00 +03:00
committed by Felipe Zimmerle
parent b1755c5b84
commit a662d8fe4c
10 changed files with 299 additions and 43 deletions


@@ -0,0 +1,76 @@
<!DOCTYPE html>
<html>
<head>
<title>ModSecurity WAF: Help page</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body style="background: #333333;">
<div align="center" style="width:930px; margin:0 auto; box-shadow: 5px 5px 6px #000; background: #FFFFFF;">
<div style="width: 930px;">
<img border="0" height="101" alt="ModSecurity: Open Source Web Application Firewall" src="http://www.modsecurity.org/g/header-top.jpg" />
</div>
<div style="width: 930px;">
<table width="90%" cellspacing="0" cellpadding="0" border="0">
<tr>
<td>
<h2 style="font-family: Arial;">ModSecurity for Java - Help Page</h2>
</td>
</tr>
<tr>
<td>
<p>
<b>ModSecurity</b> is an open source intrusion detection and prevention engine for web
applications. It can also be called an web application firewall. It operates embedded into
the web server, acting as a powerful umbrella, shielding applications from attacks.
</p>
<p>
ModSecurity for Java is designed as a <b>Java Servlet Filter</b> which makes use of ModSecurity's
<a href="https://github.com/SpiderLabs/ModSecurity">native code</a> using the <b>JNI technology</b>.
</p>
<br />
<h3>Installation</h3>
<p>
First you need to choose whether to install the latest version of ModSecurity directly from
<a href="https://github.com/SpiderLabs/ModSecurity">github.com/SpiderLabs/ModSecurity</a> or using pre-compiled binaries from
<a href="https://www.modsecurity.org/">modsecurity.org</a>. We will not discuss how to compile
the native libraries needed since these steps are described in the README files from ModSecurity's repository.
The native libraries (.so, .dll, etc.) needed for <b>ModSecurity for Java are:</b>
</p>
<ol>
<li>
zlib1
</li>
<li>
libxml2
</li>
<li>
pcre
</li>
<li>
libapr-1
</li>
<li>
libapriconv-1
</li>
<li>
libaprutil-1
</li>
<li>
ModSecurityJNI
</li>
</ol>
<p>
These libraries are loaded by the ModSecurityLoader.jar, which should be placed in your Java server library loader
(for example, in Tomcat 7: $CATALINA_HOME/lib). You can build/modify load directory the ModSecurityLoader from
/mod_security/java/ModSecurityLoader/src/. The libraries have to be copied in a directory (for example, c:\work\mod_security\java\libs\),
which should be accessible to ModSecurityLoader.jar.
</p>
</td>
</tr>
</table>
</div>
</div>
</body>
</html>
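Review bot: In the last paragraph of the Installation section, the sentence "You can build/modify load directory the ModSecurityLoader from /mod_security/java/ModSecurityLoader/src/" is garbled and never says how the load directory is actually set; please reword it so a reader knows where the directory is configured and whether the loader has to be rebuilt to change it. Because every file listed above is loaded from that directory as native code into the server process, the text should also say that the directory must be writable only by an administrator, and it should give a non-Windows example path next to c:\work\mod_security\java\libs\. Minor points: "an web application firewall" should read "a web application firewall", and the header image is fetched over plain http:// from www.modsecurity.org, which makes the help page depend on a third-party host; consider bundling the image with the application.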


@@ -3,12 +3,102 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>JSP Page</title>
<title>ModSecurity WAF for Java: Demo page</title>
</head>
<body>
<form method="post" action="Post.jsp">
Post Action: <input type="text" name="data" />
<input type="submit" />
</form>
<body style="background: #333333;">
<div align="center" style="width:930px; margin:0 auto; box-shadow: 5px 5px 6px #000; background: #FFFFFF;">
<div width="930">
<h1>
<img border="0" height="101" alt="ModSecurity: Open Source Web Application Firewall" src="http://www.modsecurity.org/g/header-top.jpg" />
</h1>
</div>
<div width="930">
<table width="90%" cellspacing="0" cellpadding="0" border="0">
<tr>
<td>
<h2 style="font-family: Arial;">ModSecurity Core Rule Set (CRS) - Installed demo</h2>
</td>
</tr>
<tr>
<td>
<p>
Please feel free to inject malicious input to stress test the ModSecurity Core Rule Set (CRS). The form accepts both GET and POST request methods. You can either do this via the form below or manually.
</p>
<p>
Check your servlet context logging for ModSecurity output. The request may also be blocked if, for example, <i>SecRuleEngine</i> is <i>On</i>.
</p>
<p>
You can also access the <a href="help.html">ModSecurity for Java - Help page</a>.
</p>
</td>
</tr>
<tr>
<td>
<form id="demoForm" method="post" action="index.jsp">
<b>Payload:</b>
<fieldset>
<textarea name="test" rows="6" cols="90" style="max-width:800px;"></textarea> <!--Foo' or '2' < '1' ;--example payload-->
</fieldset>
<fieldset><input id="submit" type="submit" value="Send"></input>
method=
<a id="demoMethodToggle" href="javascript:toggleMethod()"> GET </a>
enctype=
<a id="demoEncToggle" href="javascript:toggleEncType()"> application/x-www-form-urlencoded </a></fieldset>
</form>
<script type="text/javascript">
function toggleEncType() {
var f = document.getElementById('demoForm');
var le = document.getElementById('demoEncToggle');
var lm = document.getElementById('demoMethodToggle');
if (f.getAttribute('enctype') === 'application/x-www-form-urlencoded') {
f.setAttribute('enctype', 'multipart/form-data');
f.setAttribute('method', 'POST');
le.innerHTML = 'multipart/form-data';
lm.innerHTML = 'POST';
}
else {
f.setAttribute('enctype', 'application/x-www-form-urlencoded');
le.innerHTML = 'application/x-www-form-urlencoded';
}
}
function toggleMethod() {
var f = document.getElementById('demoForm');
var le = document.getElementById('demoEncToggle');
var lm = document.getElementById('demoMethodToggle');
if (f.getAttribute('method') === 'POST') {
f.setAttribute('enctype', 'application/x-www-form-urlencoded');
f.setAttribute('method', 'GET');
le.innerHTML = 'application/x-www-form-urlencoded';
lm.innerHTML = 'GET';
}
else {
f.setAttribute('method', 'POST');
lm.innerHTML = 'POST';
}
}
</script>
<br />
<br />
<br />
<br />
</td>
</tr>
<tr>
<td>
<% if (request.getParameter("test") != null) {%>
<h3>Last submitted payload:</h3>
<p><%= request.getParameter("test")%></p>
<br />
<% }%>
</td>
</tr>
</table>
</div>
</div>
</body>
</html>
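Review bot: The "Last submitted payload" block near the end of the page writes the parameter back with <%= request.getParameter("test")%> and no HTML escaping, so the demo page itself reflects whatever was submitted whenever the request is not blocked (the page text notes that blocking depends on, for example, SecRuleEngine being On). Escape the value on output, for instance with JSTL c:out or fn:escapeXml, and read the parameter once rather than twice. Separately, the form starts as method="post" with no enctype attribute while the toggle links display GET and application/x-www-form-urlencoded, so the labels do not match the form until they are clicked, and the first toggleEncType() call falls into the else branch because getAttribute('enctype') returns null; initialise the form attributes to match the labels. The <div width="930"> wrappers use an attribute that div does not support; help.html in this same commit uses style="width: 930px;" instead.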