| Author |
|
apishdad
Joined: 01 Jul 2019
Posts: 44
Location: Canada, Toronto
|
 Posted: Wed 28 Oct '20 17:43 Post subject: How to Build mod_csrf on windows |
 |
|
Hi, Does anybody know how to build mod_csrf in windows ?
Apache documentation points to the apache extension tool to do this:
https://httpd.apache.org/docs/2.4/programs/apxs.html
However I need to execute this tool in windows, where can I download it?
Thanks |
|
| Back to top |
|
tangent
Moderator
Joined: 16 Aug 2020
Posts: 348
Location: UK
|
| Posted: Wed 28 Oct '20 23:47 Post subject: |
|
|
I've had a quick look at this problem.
You've already worked out by default there is no apxs for Windows, so to build this module you have to go back to basics.
However, when trying to build mod_csrf (0.9) I hit a number of issues.
Microsoft (R) C/C++ Optimizing Compiler Version 19.27.29112 for x64
Copyright (C) Microsoft Corporation. All rights reserved.
mod_csrf.c
mod_csrf.c(449): error C2079: 'cipher_ctx' uses undefined struct 'evp_cipher_ctx_st'
Looking at line 449 of the source code we have the following declaration:
EVP_CIPHER_CTX cipher_ctx;
Unfortunately, this suggests the module code was written for OpenSSL 1.0 rather than 1.1 series, where some data types were changed to be non-opaque to hide their internal structure.
Looking elsewhere at the code, it seems to be nominally targetted at Apache 2.2, so unfortunately, without someone picking up the module source code and modifying it for later versions of OpenSSL and Apache, I think you're stuck.
The current module hasn't been updated for several years, and is still on SourceForge, noting the original authors haven't migrated the code to GitHub. |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Thu 29 Oct '20 10:01 Post subject: |
|
|
apxs.bat only generates a makefile.
However mod_Security can do csfr if I remember correctly. |
|
| Back to top |
|
apishdad
Joined: 01 Jul 2019
Posts: 44
Location: Canada, Toronto
|
| Posted: Tue 15 Dec '20 20:43 Post subject: |
|
|
Thanks James Blond and Thanks Tangent for your advice. I was so busy that I had forgotten to check on this issue but didn't forget to thank you both for your help and kindness. I will try mod_security and see whether that will pass the vulnerability scan.
Thanks |
|
| Back to top |
|
apishdad
Joined: 01 Jul 2019
Posts: 44
Location: Canada, Toronto
|
| Posted: Sun 03 Jan '21 23:55 Post subject: Any Recommendation on Books or Codes |
|
|
I have been searching all over the internet for sample codes to use mod_security for Cross Site Request Forgery attacks. I even bought the book
ModSecurity Handbook by Christian Folini and Ivan Ristic
and although there is lots of pointers on the different commands, but not a lot of code to give a head start on how to do this with Apache.
I just needs some starter code, so that I can build on it and its not that difficult to understand.
Do you have any recommendation on any books or other websites.
On the net there is lots of information on what is Cross Site Request Forgery, but not a lot of solutions that are implemented using Apache |
|
| Back to top |
|
apishdad
Joined: 01 Jul 2019
Posts: 44
Location: Canada, Toronto
|
| Posted: Mon 04 Jan '21 0:31 Post subject: |
|
|
One other point,
I noticed that the guy who wrote the code removed the reference that you were describing earlier here :
https://sourceforge.net/p/mod-csrf/code/150/
Do you think now that would qualify for version 2.4.46 of apache?
Thanks |
|
| Back to top |
|
tangent
Moderator
Joined: 16 Aug 2020
Posts: 348
Location: UK
|
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
|
| Back to top |
|
