Richard Powell - 2016-04-27

I have scoured the Internet for days now, in search of a way to insert code into a web page using the STREAM_OUTPUT_BODY and rsub feature. I've found plenty of references to using these in The Web Application Defender's Cookbook by Ryan Barnett, as well as on SpiderLabs sites and pages. All examples seem to say you can compare the file name using REQUEST_FILENAME or REQUEST_LINE or REQUEST_URI to determine the location being accessed, but then they say to use "phase:4" in a chain to initiate the rsub function.

The problem I'm having is that none of the variable names listed above are triggered or accessible in phase 4. They trigger if I leave the phase out, or specify phase 2. However, when I specify phase 4, which is where rsub and STREAM_OUTPUT_BODY need to be accessed, they no longer trigger. Can anyone assist in getting a rule/chain to trigger when the FILENAME matches, but in phase 4 where STREAM_OUTPUT_BODY is also accessible?

Here is my sample code that simply will not work because of the phase 4 reference.

SecRule REQUEST_FILENAME "@streq /my-test-url" "id:99,phase:4,msg:'test rsub',pass,chain"
  SecRule STREAM_OUTPUT_BODY "@rsub s/</body>/My Mod</body>/"

If I switch to phase 2, then the first line will match, but the stream_output_body will not be found, and of course it will fail in phase 2 as a result. I'm at my end of figuring this one out. Any ideas would be greatly appreciated.

Please note that I do have the following settings in place as well.

SecResponseBodyAccess On
SecStreamOutBodyInspection On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimitAction ProcessPartial
SecContentInjection On
SecDisableBackendCompression On