I'll answer my own question.  The body has JSON which is not processed by sanitiseArg.


On Tue, Oct 8, 2013 at 12:10 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:
I am unable to sanitize a password in the request body.

--2a688459-C--
{"username":"someuser","password":"somepassword"}

What I've tried:
SecAction "phase:2,id:131,nolog,pass,sanitiseArg:password"
SecAction "phase:5,id:131,nolog,pass,sanitiseArg:password"
SecRule ARGS_NAMES password nolog,pass,id:132,sanitiseMatched

Any suggestions?
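
Since the JSON body is not processed by sanitiseArg, one option is to mask the field when post-processing the audit log. The following is an added example, not code from this thread or from the ModSecurity project; it assumes the serial audit log layout with `--<id>-<section>--` boundary lines, and the function names and the `SENSITIVE` key set are hypothetical.

```python
import json
import re

# Section boundary of a serial audit log entry, e.g. --2a688459-C--
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
SENSITIVE = {"password"}   # assumption: JSON keys to mask, compared case-insensitively
MASK = "********"

def mask(value):
    """Recursively replace the values of sensitive keys in decoded JSON."""
    if isinstance(value, dict):
        return {k: MASK if k.lower() in SENSITIVE else mask(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [mask(v) for v in value]
    return value

def scrub_body(text):
    """Mask a JSON request body; return anything that is not JSON unchanged."""
    stripped = text.rstrip()
    try:
        doc = json.loads(stripped)
    except ValueError:
        return text
    masked = json.dumps(mask(doc), separators=(",", ":"), ensure_ascii=False)
    return masked + text[len(stripped):]   # keep trailing blank lines

def scrub_audit_log(log):
    """Rewrite only section C (request body) of each entry in the log text."""
    out, body, in_c = [], [], False
    for line in log.splitlines() + [None]:   # None flushes the last section
        boundary = line is None or BOUNDARY.match(line)
        if boundary and body:
            out.append(scrub_body("\n".join(body)))
            body = []
        if line is None:
            break
        if boundary:
            in_c = boundary.group(2) == "C"
        (body if in_c and not boundary else out).append(line)
    return "\n".join(out)

SAMPLE = (  # constructed entry; only the section C body comes from the post
    "--2a688459-B--\nPOST /login HTTP/1.1\nContent-Type: application/json\n\n"
    "--2a688459-C--\n"
    '{"username":"someuser","password":"somepassword"}\n\n'
    "--2a688459-Z--\n"
)
```

`scrub_audit_log(SAMPLE)` returns the entry with the section C body rewritten to `{"username":"someuser","password":"********"}`; bodies that do not parse as JSON pass through untouched.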