[Mod-security-developers] sanitiseArgs not working with JSON payload
From: Bruno S. de A. <br...@sa...> - 2014-04-29 11:32:57
Hi,
I'm testing 2.8.0 with the JSON request body processor and it seems that
the sanitiseArgs is not working as expected.
It detects the fields, it matches the rule, but it logs the data in the
clear, even though modsec logs which args were sanitised.
Rule:
SecAction "phase:5,id:'6660666',t:none,pass,nolog,sanitiseArg:cardNumber,sanitiseArg:cardToken"
audit log:
[29/Apr/2014:12:19:54 +0100] U1@K2goFLh4AAHIFMqAAAAAS 10.5.12.18 43609 10.5.46.31 443
--72235b1e-B--
POST /psp/save HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: payments
Content-Type: application/json;charset=UTF-8
Accept: application/json
Content-Length: 114
--72235b1e-C--
{"cardToken":"aaaaaaaaaaaaaaaaaaaaaaaaaa1111111111111111111111aaaaaaaaaaaaaaaaaa","cardNumber":"1000000000000001"}
--72235b1e-F--
HTTP/1.1 400 Bad Request
Content-Type: application/json
Via: 1.1 payments
Content-Length: 78
Connection: close
--72235b1e-E--
{"message":"Please check your input and try again.","error":"Invalid Details"}
--72235b1e-H--
Apache-Handler: proxy-server
Stopwatch: 1398770394130647 22955 (- - -)
Stopwatch2: 1398770394130647 22955; combined=2733, p1=266, p2=2062, p3=9, p4=355, p5=40, sr=86, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Sanitised-Args: "cardNumber", "cardToken".
Engine-Mode: "DETECTION_ONLY"
A similar request using application/x-www-form-urlencoded works as expected.
Thanks,
--
- Bruno
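Until the in-engine sanitisation covers JSON bodies, the practical risk described in this report is that card numbers and tokens sit in clear text in the audit log even though the H section already names them as sanitised. The script below is an added example, not code from this thread or from the ModSecurity project: it post-processes a serial-format audit entry like the one above, reads the field names from the `Sanitised-Args:` trailer, and masks those JSON members in the C section with asterisks of equal length (assumed to mirror what ModSecurity does for form-encoded arguments, so Content-Length stays consistent for ASCII values). The sample entry and the boundary id are constructed from the report; the section-marker layout `--<id>-<letter>--` is the audit-log format shown on the page.

```python
import json
import re

# Constructed sample, modelled on the audit entry quoted in the report above.
SAMPLE_CARD_TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaaaa1111111111111111111111aaaaaaaaaaaaaaaaaa"
SAMPLE_CARD_NUMBER = "1000000000000001"
SAMPLE_AUDIT = (
    "--72235b1e-A--\n"
    "[29/Apr/2014:12:19:54 +0100] U1@K2goFLh4AAHIFMqAAAAAS 10.5.12.18 43609 10.5.46.31 443\n"
    "--72235b1e-B--\n"
    "POST /psp/save HTTP/1.1\n"
    "Host: payments\n"
    "Content-Type: application/json;charset=UTF-8\n"
    "Content-Length: 114\n"
    "\n"
    "--72235b1e-C--\n"
    '{"cardToken":"' + SAMPLE_CARD_TOKEN + '","cardNumber":"' + SAMPLE_CARD_NUMBER + '"}\n'
    "--72235b1e-F--\n"
    "HTTP/1.1 400 Bad Request\n"
    "--72235b1e-H--\n"
    "Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.\n"
    'Sanitised-Args: "cardNumber", "cardToken".\n'
    'Engine-Mode: "DETECTION_ONLY"\n'
    "--72235b1e-Z--\n"
)

# Serial audit-log part marker: --<unique id>-<part letter>--
BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")


def split_sections(entry):
    """Split one audit entry into its lettered parts.
    Returns (boundary_id, [(letter, [lines]), ...]) in file order."""
    boundary = None
    sections = []
    for line in entry.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            boundary = boundary or m.group(1)
            sections.append((m.group(2), []))
        elif sections:
            sections[-1][1].append(line)
    return boundary, sections


def sanitised_args(h_lines):
    """Read the names listed in the H-section trailer, e.g.
    Sanitised-Args: "cardNumber", "cardToken"."""
    for line in h_lines:
        if line.startswith("Sanitised-Args:"):
            return re.findall(r'"([^"]+)"', line)
    return []


def mask_value(value):
    # Same length, all asterisks (assumed to match ModSecurity's own masking).
    return "*" * len(str(value))


def mask_json(obj, names):
    """Recursively mask scalar members whose key is in `names`; containers are
    walked so nested objects and arrays are covered too."""
    if isinstance(obj, dict):
        return {
            k: mask_value(v) if k in names and not isinstance(v, (dict, list)) else mask_json(v, names)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [mask_json(item, names) for item in obj]
    return obj


def redact_entry(entry):
    """Rewrite the C section of an audit entry whose request is JSON, masking
    the members named by Sanitised-Args. Anything else passes through unchanged."""
    boundary, sections = split_sections(entry)
    by_letter = {letter: lines for letter, lines in sections}
    names = set(sanitised_args(by_letter.get("H", [])))
    is_json = any(
        line.lower().startswith("content-type:") and "application/json" in line.lower()
        for line in by_letter.get("B", [])
    )
    if not names or not is_json or "C" not in by_letter:
        return entry
    body = "\n".join(by_letter["C"]).strip()
    try:
        masked = mask_json(json.loads(body), names)
    except ValueError:
        return entry  # body is not well-formed JSON; leave it untouched
    out = []
    for letter, lines in sections:
        out.append("--%s-%s--" % (boundary, letter))
        if letter == "C":
            # Compact separators reproduce the original wire format.
            out.append(json.dumps(masked, separators=(",", ":")))
        else:
            out.extend(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(redact_entry(SAMPLE_AUDIT))
```

Run it over each entry of a serial audit log (entries are delimited by the `-A--` and `-Z--` markers); for the concurrent audit-log format the same functions apply to each per-transaction file. The script only rewrites section C and only when the B section advertises a JSON body, so form-encoded requests, which the engine already sanitises correctly, are never touched.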