Thanks for your help, but I think I didn't describe the problem exactly. So I'll give it another try :)
I would like to use the OWASP Core Rule Set and when I send the following request the complete data inside the request xml node is checked with the OWASP Core Rule Set, which leads to a lot of false positives.
<request><?xml version="1.0" encoding="utf-16"?>
<request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" >
In the end I would like the ModSecurity WAF to check only the data that is inside the second “request” xml-node. Therefore I assume that the XML-Parser of the ModSecurity WAF has to do an optional HTML-decoding before parsing the whole XML.
Is that possible?
On Fri, 2013-12-20 at 13:38 +0100, Mario wrote:
I would like the xml-parser to handle this html-encoded data as an XML structure so that the parser can fully build the xml tree. Is it possible to configure ModSecurity to HTML-decode the data inside the request node and then do the parsing of the xml?
I'm not sure I fully understand what you're after, but using the following rules, the request node contents are HTML decoded:
SecRule REQUEST_HEADERS:Content-Type "@rx ^text/xml$" \
SecRule XML:/soap:Envelope/soap:Body/call/request \
"^(.*)$" "phase:2,pass,capture, \
which results in:
[22/Dec/2013:18:36:03 +0200] [lab.localhost/sid#7fc694d2a808][rid#7fc694bca0a0][/] Warning. Pattern match "^(.*)$" at XML. [file "/opt/modsecurity/etc/rules.conf"] [line "7"] [id "2"] [msg "Captured <?xml version=\"1.0\" encoding=\"utf-16\"?>\r<request xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" >\r</request>"]
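The two-stage parse asked about in this thread, as an added Python example that is not part of the original messages and is not ModSecurity code: the first parse exposes the request node as one flat string (what the captured message in the log shows), and a second parse of that string yields the individual inner values. The sample envelope, the SOAP namespace URI and the inner `name` and `note` elements are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: SOAP 1.1 envelope namespace; the thread does not state it.
SOAP_NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/"}

# Constructed sample: the outer <request> node carries an entity-encoded
# inner XML document (the <name>/<note> children are made up).
SAMPLE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><call><request>"
    '&lt;?xml version="1.0" encoding="utf-16"?&gt;\r'
    '&lt;request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema" &gt;\r'
    "&lt;name&gt;Alice&lt;/name&gt;&lt;note&gt;1 &amp;lt; 2&lt;/note&gt;\r"
    "&lt;/request&gt;"
    "</request></call></soap:Body></soap:Envelope>"
)


def outer_request_text(body: str) -> str:
    """First parse: the request node is a single text value, markup and all."""
    root = ET.fromstring(body)
    node = root.find("./soap:Body/call/request", SOAP_NS)
    if node is None:
        raise ValueError("no /soap:Envelope/soap:Body/call/request node")
    return node.text or ""


def inner_values(body: str) -> dict:
    """Second parse: treat the decoded text as XML and return its leaf values."""
    text = outer_request_text(body)
    # The text is already a decoded str, so the inner encoding="utf-16"
    # declaration no longer applies; drop the declaration before parsing.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    # Refuse DTDs in the embedded document (entity-expansion risk).
    if "<!DOCTYPE" in text.upper():
        raise ValueError("DTD in embedded document refused")
    inner = ET.fromstring(text.strip())
    return {el.tag: (el.text or "").strip() for el in inner.iter() if len(el) == 0}


if __name__ == "__main__":
    print(repr(outer_request_text(SAMPLE)))  # flat string containing markup
    print(inner_values(SAMPLE))              # individual values to inspect
```

Rules that match on the flat string see the angle brackets and attribute syntax of the inner document, while rules applied to the second-stage values see only the data.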