Cookies
YaBB uses cookies to keep track of logged-in users. Using our HTTP debugging proxy we can see that they are called Y2User-10491, Y2Pass-10491, and Y2Sess-10491. The second part of the cookie name is a random number unique to each YaBB installation. The cookie names are stored in the file Settings.pl, so looking there would be another way to find out what the cookies are named in a particular installation.
Knowing this, we can create a rule to allow only these three cookies:
SecRule REQUEST_COOKIES_NAMES "!^Y2(Pass|Sess|User)-10491$" "deny"
Now we need to enforce the content of the cookies. Again, our handy proxy tells us what the cookies should look like:
These are the values set for the default username/password combination of admin/admin. We see that the first two cookies should contain only letters and digits, and that the final cookie should contain only characters that are acceptable in a username. This allows us to write these rules to make sure the cookies conform to this...
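As an added illustration (not from the page or from YaBB), the same positive model expressed as a small Python checker over raw Cookie headers: every cookie name must match the anchored whitelist regex used in the SecRule above, and each whitelisted cookie's value must match a per-cookie pattern. The value character sets, the sample cookie values and the function names are assumptions made for this example.

```python
import re

# Installation-specific suffix; 10491 is the value seen on this page,
# every YaBB installation has its own (see Settings.pl).
INSTALL_ID = "10491"

# Same expression as the SecRule on REQUEST_COOKIES_NAMES. The ^ and $
# anchors matter: without them "Y2User-10491x" or "xY2User-10491" would pass.
ALLOWED_NAME = re.compile(rf"^Y2(Pass|Sess|User)-{INSTALL_ID}$")

# Per-cookie value patterns (assumed for this example): letters and digits
# for the first two cookies, a typical username character set for the last.
VALUE_RULES = {
    f"Y2User-{INSTALL_ID}": re.compile(r"^[A-Za-z0-9]+$"),
    f"Y2Pass-{INSTALL_ID}": re.compile(r"^[A-Za-z0-9]+$"),
    f"Y2Sess-{INSTALL_ID}": re.compile(r"^[A-Za-z0-9_.-]+$"),  # assumed charset
}


def parse_cookie_header(header):
    """Split a raw Cookie: header into (name, value) pairs, keeping duplicates
    so that a repeated cookie name is checked every time it appears."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def check_cookies(header):
    """Return (allowed, reason). A request is allowed only if every cookie
    name is on the whitelist and every value matches its pattern; an empty
    value is rejected because each pattern requires at least one character."""
    for name, value in parse_cookie_header(header):
        if not ALLOWED_NAME.match(name):
            return False, f"unexpected cookie name: {name!r}"
        if not VALUE_RULES[name].match(value):
            return False, f"bad value for {name}: {value!r}"
    return True, "ok"
```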