Re: [mod-security-users] Problem retrieving Response body when Content-Type is 'text/xml'
From: Stephen C. E. <ste...@gm...> - 2008-09-24 12:10:32
Worked like a champ, Ryan.

Thanks,
Stephen

On Wed, Sep 24, 2008 at 6:00 PM, Ryan Barnett <Rya...@br...> wrote:
> You need to update your SecResponseBodyMimeType directive
> (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/html-multipage/configuration-directives.html#N107D2)
> to include "text/xml".
>
> Ryan C. Barnett
> Director of Application Security
> Breach Security, Inc.
> Ryan.Barnett@Breach.com
> www.Breach.com
>
> ------------------------------
> From: Stephen Craig Evans
> To: mod...@li...
> Sent: Wed Sep 24 03:11:15 2008
> Subject: [mod-security-users] Problem retrieving Response body when Content-Type is 'text/xml'
>
> Hi,
>
> I cannot retrieve the HTTP Response body when it is type 'text/xml'; it's
> the 1st time I've tried it, and I have no problem when the Content-Type is
> 'text/html'.
>
> Can you please tell me what I am missing?
>
> It's a GET request:
> GET http://192.168.0.5/WebGoat/attack?Screen=20&menu=400&from=ajax&accountID=836239
>
> The response (header, then body) is:
>
> HTTP/1.1 200 OK
> Date: Tue, 23 Sep 2008 05:14:39 GMT
> Server: Apache-Coyote/1.1
> Pragma: No-cache
> Cache-Control: no-cache
> Expires: Thu, 01 Jan 1970 07:30:00 GMT
> Content-Type: text/xml
> ------------------
> <root>
> <reward>WebGoat Mug 20 Pts</reward>
> <reward>WebGoat t-shirt 50 Pts</reward>
> <reward>WebGoat Secure Kettle 30 Pts</reward>
> </root>
> ------------------
>
> Leading up to the ModSecurity rule, the debug log file has perhaps one
> ominous message:
> --------------------
> [23/Sep/2008:23:04:06 +0800] [192.168.0.5/sid#82159d8][rid#83eea80][/WebGoat/attack][4] Starting phase RESPONSE_HEADERS.
> [23/Sep/2008:23:04:06 +0800] [192.168.0.5/sid#82159d8][rid#83eea80][/WebGoat/attack][9] This phase consists of 0 rule(s).
> [23/Sep/2008:23:04:06 +0800] [192.168.0.5/sid#82159d8][rid#83eea80][/WebGoat/attack][4] Output filter: Not buffering response body for unconfigured MIME type "text/xml".
> [23/Sep/2008:23:04:06 +0800] [192.168.0.5/sid#82159d8][rid#83eea80][/WebGoat/attack][9] Content Injection: Nothing to inject.
> [23/Sep/2008:23:04:06 +0800] [192.168.0.5/sid#82159d8][rid#83eea80][/WebGoat/attack][9] Output filter: Sending input brigade directly.
> [23/Sep/2008:23:04:06 +0800] [192.168.0.5/sid#82159d8][rid#83eea80][/WebGoat/attack][9] Output filter: Receiving output (f 83f8818, r 83eea80).
> [23/Sep/2008:23:04:06 +0800] [192.168.0.5/sid#82159d8][rid#83eea80][/WebGoat/attack][4] Output filter: Completed receiving response body (non-buffering).
> [23/Sep/2008:23:04:06 +0800] [192.168.0.5/sid#82159d8][rid#83eea80][/WebGoat/attack][4] Starting phase RESPONSE_BODY.
> [23/Sep/2008:23:04:06 +0800] [192.168.0.5/sid#82159d8][rid#83eea80][/WebGoat/attack][9] This phase consists of 2 rule(s).
> --------------------
>
> The ModSecurity rule is:
> SecRuleScript "/etc/modsecurity/data/rewards-response_03-5.lua" "phase:4,t:none,log,auditlog,allow,msg:'Luascript: AJAX Security -> 3.5 XML Injection: in RESPONSE; writing rewards to file'"
>
> And the very simple Lua script - same exact syntax that I've used
> successfully for 'text/html' - is:
> -----------------------------
> msg0 = "Luascript (rewards-response_03-5.lua): "
> msg2 = ""
>
> function main()
>     local tbuff = m.getvar("RESPONSE_BODY", "none")
>     str1 = string.format("Response body is: %s", tbuff)
>     msg2 = msg0 .. str1
>     m.log(9, msg2)
>     return nil
> end
> -------------------------------
>
> The buffer is empty. I just want the text as-is and I'll parse it on my
> own.
>
> The debug log for a Response body with Content-Type 'text/html' has this
> leading up to the rules and looks quite different:
> -------------------------------
> [24/Sep/2008:09:45:29 +0800] [192.168.0.5/sid#82109c8][rid#83e5a10][/WebGoat/attack][4] Starting phase RESPONSE_HEADERS.
> [24/Sep/2008:09:45:29 +0800] [192.168.0.5/sid#82109c8][rid#83e5a10][/WebGoat/attack][9] This phase consists of 0 rule(s).
> [24/Sep/2008:09:45:29 +0800] [192.168.0.5/sid#82109c8][rid#83e5a10][/WebGoat/attack][9] Content Injection: Nothing to inject.
> [24/Sep/2008:09:45:29 +0800] [192.168.0.5/sid#82109c8][rid#83e5a10][/WebGoat/attack][9] Output filter: Bucket type HEAP contains 7756 bytes.
> [24/Sep/2008:09:45:29 +0800] [192.168.0.5/sid#82109c8][rid#83e5a10][/WebGoat/attack][9] Output filter: Receiving output (f 83e5110, r 83e5a10).
> ... (about 10 more like the previous 2 rules)
> [24/Sep/2008:09:45:29 +0800] [192.168.0.5/sid#82109c8][rid#83e5a10][/WebGoat/attack][9] Output filter: Bucket type EOS contains 0 bytes.
> [24/Sep/2008:09:45:29 +0800] [192.168.0.5/sid#82109c8][rid#83e5a10][/WebGoat/attack][4] Output filter: Completed receiving response body (buffered full - 30474 bytes).
> [24/Sep/2008:09:45:29 +0800] [192.168.0.5/sid#82109c8][rid#83e5a10][/WebGoat/attack][4] Starting phase RESPONSE_BODY.
> [24/Sep/2008:09:45:29 +0800] [192.168.0.5/sid#82109c8][rid#83e5a10][/WebGoat/attack][9] This phase consists of 2 rule(s).
> -------------------------------
>
> Any advice is greatly appreciated,
> Stephen
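The response-body configuration that Ryan's answer implies, written out as an added example (it is not from the thread or from the ModSecurity project); the rule line and script path are the ones Stephen posted, and the body limit value is an assumed placeholder to be sized for the site.

```apache
# Response bodies are only handed to phase 4 rules when buffering is on;
# with this Off, RESPONSE_BODY is empty for every Content-Type.
SecResponseBodyAccess On

# Only responses whose Content-Type media type appears in this list are
# buffered. The default "text/plain text/html" is why the text/xml reply in
# the thread was passed straight through and the debug log reported
# 'Not buffering response body for unconfigured MIME type "text/xml"'.
# List the bare media type, without a charset parameter.
SecResponseBodyMimeType text/plain text/html text/xml

# Buffered bodies are held in memory, so cap them. ProcessPartial inspects a
# body up to the limit and still delivers it, instead of rejecting the
# response outright. 512 KiB is an assumed value, not one from the thread.
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Stephen's phase 4 rule; with the directives above, m.getvar("RESPONSE_BODY")
# in the Lua script returns the XML document instead of an empty buffer.
SecRuleScript "/etc/modsecurity/data/rewards-response_03-5.lua" \
    "phase:4,t:none,log,auditlog,allow,msg:'Luascript: AJAX Security -> 3.5 XML Injection: in RESPONSE; writing rewards to file'"
```

After reloading Apache, the same request should produce "Completed receiving response body (buffered full ...)" in the debug log rather than "(non-buffering)".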