# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.8
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under 
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#
# You must have also activated the 16 session hijacking conf file as
# it initiates the Session Collection and creates the CSRF token
#

#
# CSRF Protections
#
# Must set this directive to On to inject content in the response.
#
SecContentInjection On

#
# It is most likely not appropriate to force CSRF tokens/validation on *all* resources.
# You should edit the LocationMatch Regular Expression below and specify what resources
# you wish to protect.  Some ideas would be for post-authentiacation directories, etc...
#
# Limitations - this implementation does not currently work with AJAX
#
<LocationMatch .*>
SecRule &ARGS "@ge 1" "chain,phase:2,id:'981143',t:none,block,msg:'CSRF Attack Detected - Missing CSRF Token.'"
 SecRule &ARGS:CSRF_TOKEN "!@eq 1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"

SecRule &ARGS "@ge 1" "chain,phase:2,id:'981144',t:none,block,msg:'CSRF Attack Detected - Invalid Token.'"
 SecRule ARGS:CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"



#
# This rule will use Content Injection to append the CSRF Token 
#
SecRule &SESSION:CSRF_TOKEN "@eq 1" "phase:4,id:'981145',t:none,nolog,pass,append:'<html><script language=\"JavaScript\"> \
\
var tokenName = \'CSRF_TOKEN\'; \
var tokenValue = \'%{session.csrf_token}\'; \
\
function updateTags() { \
\
        var all = document.all ? document.all : document.getElementsByTagName(\'*\'); \
        var len = all.length; \
\
        for(var i=0; i<len; i++) { \
                var e = all[i]; \
                \
                updateTag(e, \'src\'); \
                updateTag(e, \'href\'); \
        } \
} \
\
function updateForms() { \
\
        var forms = document.getElementsByTagName(\'form\'); \
                \
        for(i=0; i<forms.length; i++) { \
                var html = forms[i].innerHTML; \
                \
                html += \'<input type=hidden name=\' + tokenName + \' value=\' + tokenValue + \' />\'; \
\
                forms[i].innerHTML = html; \
        } \
\
} \
\
function updateTag(element, attr) { \
\
        var location = element.getAttribute(attr); \
\
        if(location != null && location != \'\' && isHttpLink(location)) { \
\
                var index = location.indexOf(\'?\'); \
\
                if(index != -1) { \
                        location = location + \'&\' + tokenName + \'=\' + tokenValue; \
                } else { \
                        location = location + \'?\' + tokenName + \'=\' + tokenValue; \
                } \
\
                element.setAttribute(attr, location); \
\
        } \
\
} \
\
function isHttpLink(src) { \
        var result = 0; \
                \
        if(src.substring(0, 4) != \'http\' || src.substring(0, 1) == \'/\') { \
                result = 1; \
        } \
        \
        return result; \
} \
\
updateTags(); \
updateForms(); \
\
</script></html>'"

</LocationMatch>