Hi Josh,

 

Thanks for your help, but I think I didn´t describe the problem exactly. So I´ll give it another try J

 

I would like to use the OWASP Core Rule Set and  when I send the following request the complete data inside the request xml node is checked with the OWASP Core Rule Set, which leads to a lot of false positives.  

 

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">

  <s:Body>

    <call>

      <request>&lt;?xml version="1.0" encoding="utf-16"?&gt;&#xD;&lt;request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" &gt;&#xD;&lt;/request&gt;</request>

    </call>

  </s:Body>

</s:Envelope>

 

In the end I would the ModSecurity waf to check only the data that is inside the second “request” xml-node. Therefore I assume that the XML-Parser of the Modsecurity WAF has to do an optional HTML-decoding before parsing the whole XML.

 

Is that possible?

 

 

Greetings,

Mario

 

 

 

Von: Josh Amishav-Zlatin [mailto:josh@wafsec.com]
Gesendet: Sonntag, 22. Dezember 2013 17:41
An: mod-security-users@lists.sourceforge.net
Betreff: Re: [mod-security-users] XML-Parser and HTML-encoded data

 

On Fri, 2013-12-20 at 13:38 +0100, Mario wrote:

I would like the xml-parser to handle this html-encoded data as a XML structure so that the parser can fully build the xml tree. Is it possible to configure Modsecurity to HTML-decode the data inside the request node and then do the parsing of the xml?


Hi Mario,

I'm not sure I fully understand what your after, but using the following rules, the request node contents are HTML decoded:

SecRule REQUEST_HEADERS:Content-Type "@rx ^text/xml$" \
id:1,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML

SecRule XML:/soap:Envelope/soap:Body/call/request \
  "^(.*)$" "phase:2,pass,capture, \
  xmlns:soap=http://schemas.xmlsoap.org/soap/envelope/, \
  id:2,log,msg:'Captured %{TX.1}'"

which results in:

[22/Dec/2013:18:36:03 +0200] [lab.localhost/sid#7fc694d2a808][rid#7fc694bca0a0][/][2] Warning. Pattern match "^(.*)$" at XML. [file "/opt/modsecurity/etc/rules.conf"] [line "7"] [id "2"] [msg "Captured <?xml version=\"1.0\" encoding=\"utf-16\"?>\r<request xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" >\r</request>"]


Josh Amishav-Zlatin

CTO | WAFSEC
The WAF is free, your time isn't