logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.


Post new topic   Forum Index -> Building & Member Downloads View previous topic :: View next topic
Reply to topic   Topic: How to Build mod_csrf on windows
Author
apishdad



Joined: 01 Jul 2019
Posts: 39
Location: Canada, Toronto

PostPosted: Wed 28 Oct '20 17:43    Post subject: How to Build mod_csrf on windows Reply with quote

Hi, Does anybody know how to build mod_csrf in windows ?
Apache documentation points to the apache extension tool to do this:
https://httpd.apache.org/docs/2.4/programs/apxs.html
However I need to execute this tool in windows, where can I download it?
Thanks
Back to top
tangent



Joined: 16 Aug 2020
Posts: 150
Location: UK

PostPosted: Wed 28 Oct '20 23:47    Post subject: Reply with quote

I've had a quick look at this problem.

You've already worked out by default there is no apxs for Windows, so to build this module you have to go back to basics.

However, when trying to build mod_csrf (0.9) I hit a number of issues.

    Microsoft (R) C/C++ Optimizing Compiler Version 19.27.29112 for x64
    Copyright (C) Microsoft Corporation. All rights reserved.

    mod_csrf.c
    mod_csrf.c(449): error C2079: 'cipher_ctx' uses undefined struct 'evp_cipher_ctx_st'

Looking at line 449 of the source code we have the following declaration:

EVP_CIPHER_CTX cipher_ctx;

Unfortunately, this suggests the module code was written for OpenSSL 1.0 rather than 1.1 series, where some data types were changed to be non-opaque to hide their internal structure.

Looking elsewhere at the code, it seems to be nominally targetted at Apache 2.2, so unfortunately, without someone picking up the module source code and modifying it for later versions of OpenSSL and Apache, I think you're stuck.

The current module hasn't been updated for several years, and is still on SourceForge, noting the original authors haven't migrated the code to GitHub.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7031
Location: Germany, Next to Hamburg

PostPosted: Thu 29 Oct '20 10:01    Post subject: Reply with quote

apxs.bat only generates a makefile.

However mod_Security can do csfr if I remember correctly.
Back to top
apishdad



Joined: 01 Jul 2019
Posts: 39
Location: Canada, Toronto

PostPosted: Tue 15 Dec '20 20:43    Post subject: Reply with quote

Thanks James Blond and Thanks Tangent for your advice. I was so busy that I had forgotten to check on this issue but didn't forget to thank you both for your help and kindness. I will try mod_security and see whether that will pass the vulnerability scan.
Thanks
Back to top
apishdad



Joined: 01 Jul 2019
Posts: 39
Location: Canada, Toronto

PostPosted: Sun 03 Jan '21 23:55    Post subject: Any Recommendation on Books or Codes Reply with quote

I have been searching all over the internet for sample codes to use mod_security for Cross Site Request Forgery attacks. I even bought the book
ModSecurity Handbook by Christian Folini and Ivan Ristic
and although there is lots of pointers on the different commands, but not a lot of code to give a head start on how to do this with Apache.

I just needs some starter code, so that I can build on it and its not that difficult to understand.

Do you have any recommendation on any books or other websites.

On the net there is lots of information on what is Cross Site Request Forgery, but not a lot of solutions that are implemented using Apache
Back to top
apishdad



Joined: 01 Jul 2019
Posts: 39
Location: Canada, Toronto

PostPosted: Mon 04 Jan '21 0:31    Post subject: Reply with quote

One other point,
I noticed that the guy who wrote the code removed the reference that you were describing earlier here :

https://sourceforge.net/p/mod-csrf/code/150/

Do you think now that would qualify for version 2.4.46 of apache?

Thanks
Back to top
tangent



Joined: 16 Aug 2020
Posts: 150
Location: UK

PostPosted: Tue 05 Jan '21 19:03    Post subject: Reply with quote

If you check that patch, you'll find the developers haven't removed or updated their references to EVP_CIPHER_CTX ; they've simply moved their EVP_CIPHER_CTX_cleanup() function call further down the file. So as stated above, without further code and API updates that module is not going to work with OpenSSL 1.1 series, or Apache 2.4 series.

In any case, as James suggests, the method this module uses to protect against CSRF attacks appears to be similar to that used by mod_security; namely you have to inject a CSRF token into your page source/forms for mod_security to then validate.

I've only used mod_security in anger a few times, and started my HOW-TO learning at OWASP - https://owasp.org/www-project-modsecurity-core-rule-set.

A quick scan of the net over CSRF with mod_security throws up any number of interesting links, e.g.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/detecting-malice-with-modsecurity-csrf-attacks
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/optional_rules/modsecurity_crs_43_csrf_protection.conf

but I agree with you there are few worked examples out there, not least of which site content and how people choose to code functionality differs so much. Good luck!
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7031
Location: Germany, Next to Hamburg

PostPosted: Tue 05 Jan '21 20:11    Post subject: Reply with quote

It might also be an option to use such a thing in your application like https://github.com/JBlond/NoCSRF
Back to top


Reply to topic   Topic: How to Build mod_csrf on windows View previous topic :: View next topic
Post new topic   Forum Index -> Building & Member Downloads