[Mod-security-developers] sanitiseArgs not working with JSON payload
From: Bruno S. de A. <br...@sa...> - 2014-04-29 11:32:57
Hi,

I'm testing 2.8.0 with the JSON request body processor and it seems that the sanitiseArgs is not working as expected. It detects the fields, it matches the rule, but it logs the data in the clear, even though modsec logs which args were sanitised.

Rule:

SecAction "phase:5,id:'6660666',t:none,pass,nolog,sanitiseArg:cardNumber,sanitiseArg:cardToken"

audit log:

[29/Apr/2014:12:19:54 +0100] U1@K2goFLh4AAHIFMqAAAAAS 10.5.12.18 43609 10.5.46.31 443
--72235b1e-B--
POST /psp/save HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: payments
Content-Type: application/json;charset=UTF-8
Accept: application/json
Content-Length: 114

--72235b1e-C--
{"cardToken":"aaaaaaaaaaaaaaaaaaaaaaaaaa1111111111111111111111aaaaaaaaaaaaaaaaaa","cardNumber":"1000000000000001"}

--72235b1e-F--
HTTP/1.1 400 Bad Request
Content-Type: application/json
Via: 1.1 payments
Content-Length: 78
Connection: close

--72235b1e-E--
{"message":"Please check your input and try again.","error":"Invalid Details"}

--72235b1e-H--
Apache-Handler: proxy-server
Stopwatch: 1398770394130647 22955 (- - -)
Stopwatch2: 1398770394130647 22955; combined=2733, p1=266, p2=2062, p3=9, p4=355, p5=40, sr=86, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Sanitised-Args: "cardNumber", "cardToken".
Engine-Mode: "DETECTION_ONLY"

A similar request using application/x-www-form-urlencoded works as expected.

Thanks,
--
- Bruno
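An added check, written for this thread and not code from the post or from the ModSecurity project: it parses one serial-format audit-log entry (a constructed entry modelled on the one above, with dummy values) and reports every argument named in Sanitised-Args whose JSON value in section C is still in the clear, assuming that a properly sanitised value appears in the log as a run of asterisks. Run over an audit-log directory, it flags exactly the leak described in the post.

```python
import json
import re

# Constructed entry modelled on the one in the post; the values are dummy data.
CARD_TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaaaa1111111111111111111111aaaaaaaaaaaaaaaaaa"
CARD_NUMBER = "1000000000000001"
SAMPLE_ENTRY = (
    "--72235b1e-B--\n"
    "POST /psp/save HTTP/1.1\n"
    "Content-Type: application/json;charset=UTF-8\n"
    "--72235b1e-C--\n"
    '{"cardToken":"' + CARD_TOKEN + '","cardNumber":"' + CARD_NUMBER + '"}\n'
    "--72235b1e-H--\n"
    "Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.\n"
    'Sanitised-Args: "cardNumber", "cardToken".\n'
    'Engine-Mode: "DETECTION_ONLY"\n'
    "--72235b1e-Z--\n"
)

# Section separator of the serial audit-log format: --<boundary>-<letter>--
SECTION_RE = re.compile(r"^--[0-9a-f]+-([A-Z])--$", re.MULTILINE)

def split_sections(entry):
    """Map section letter -> section body for one audit-log entry."""
    marks = list(SECTION_RE.finditer(entry))
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        sections[m.group(1)] = entry[m.end():end].strip("\n")
    return sections

def sanitised_args(h_section):
    """Argument names ModSecurity reports as masked (Sanitised-Args in section H)."""
    m = re.search(r"^Sanitised-Args:\s*(.*)$", h_section, re.MULTILINE)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []

def leaked_args(entry):
    """Names from Sanitised-Args whose JSON value in section C is not all asterisks."""
    sections = split_sections(entry)
    names = sanitised_args(sections.get("H", ""))
    try:
        body = json.loads(sections.get("C", ""))
    except ValueError:
        return []  # not a JSON body; form-encoded bodies need a different parser
    leaked = []
    for name in names:
        value = body.get(name) if isinstance(body, dict) else None
        if isinstance(value, str) and value and set(value) != {"*"}:
            leaked.append(name)
    return leaked
```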