Re: [mod-security-users] Sanitize JSON Request / Response

[Robert P. <rpa...@fe...>]

Can you post a reproducible example (and what git commit you built against) to verify? Im afk and don't have access to my dev env but I did see that the current v2/master does sanitize args in json bodied noted with the "sanitizearg" rule action (assuming the body processing engine is configured appropriately of course)

Sent from my iPhone

> On Mar 20, 2018, at 14:25, Osama Elnaggar <oel...@gm...> wrote:
> 
> Are you sure about this?  I tried it with the format set to JSON and it still didn’t work.
> 
> If you are interesting in tackling this, below are some pointers Felipe sent a few months ago:
> 
> The general idea is that the content to be sanitized is placed under an apt_trable that is further checked while the logs are being generated. 
> 
> For instance: regarding the request headers, we have the log generation detailed here: 
> https://github.com/SpiderLabs/ModSecurity/blob/bb577950bf983811ff1892e87d815a1909c0b96b/apache2/msc_logging.c#L1211-L1236  
> 
> As of the "sanitization selection”, we have: 
> https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/re_actions.c#L1425-L1431  
> 
> The sanitizeMatch is a little bit more complex, but still uses the same logic: 
> https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/re_actions.c#L1350-L1423 
> 
> All the sanitize actions are bound here - 
> https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/re_actions.c#L2663-L2791 
> 
> Both JSON and XML have their own structures to hold their data, as you can see: 
> 
> - JSON: https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/modsecurity.h#L391  
> - XML: https://github.com/SpiderLabs/ModSecurity/blob/923c3c67938da4de4f7f147816b6d2d6ffff5e6f/apache2/modsecurity.h#L389  
> 
> -- 
> Osama Elnaggar
> 
>> On March 21, 2018 at 5:41:12 AM, Robert Paprocki (rpa...@fe...) wrote:
>> 
>> Whups, wow, I really need to open my eyes :p
>> 
>> The patch above allows for sanitizing JSON request bodies only when SecAuditLogFormat is also set to JSON. I've pushed up https://github.com/SpiderLabs/ModSecurity/pull/1714 which enables sanitization of JSON request bodies in native audit log formats.
>> 
>>> On Thu, Mar 15, 2018 at 1:07 PM, Osama Elnaggar <oel...@gm...> wrote:
>>> I don't think the proposed patch actually works.  I tried patching v2.9.2 with it and even using v2 master but with no success.  Have you been able to get the patch working Robert?
>>> 
>>> -- 
>>> Osama Elnaggar
>>> 
>>>> On March 15, 2018 at 11:06:37 AM, Robert Paprocki (rpa...@fe...) wrote:
>>>> 
>>>> Have a look at 
>>>> 
>>>> https://github.com/SpiderLabs/ModSecurity/commit/f86de566d18dda6351ecba52d5e5f1d29ad02a12
>>>> 
>>>> JSON body audit log sanitization was only very recently introduced, it's not yet made its way to a formal release. (I need to check sources before opening my mouth :p).
>>>> 
>>>> So you can rebuild ModSecurity off `v2/master` if you want to test this functionality. :)
>>>> 
>>>>> On Wed, Mar 14, 2018 at 4:47 PM, Cristiano Galdino <cri...@ga...> wrote:
>>>>> Hello there!
>>>>> 
>>>>> If modsecurity can parse the values ​​of JSON payloads, why can not it sanitize?
>>>>> 
>>>>> This is non-sense for me.
>>>>> 
>>>>> Look this request:
>>>>> $> curl -H "Content-Type: application/json" -X POST -d '{"CVV":"123","blah":"/bin/bash"}' localhost/Authenticate
>>>>> 
>>>>> and this is audit-log:
>>>>> 
>>>>> --9eb5dc70-A--
>>>>> [14/Mar/2018:20:37:35 --0300] WqmyP6wfJasAAFQJf@AAAAAS 127.0.0.1 53230 127.0.0.1 80
>>>>> --9eb5dc70-B--
>>>>> POST /Authenticate HTTP/1.1
>>>>> Host: localhost
>>>>> User-Agent: curl/7.47.0
>>>>> Accept: */*
>>>>> Content-Type: application/json
>>>>> Content-Length: 36
>>>>> 
>>>>> --9eb5dc70-C--
>>>>> {"CVV":"123","blah":"/bin/bash"}
>>>>> --9eb5dc70-E--
>>>>> {"message":"Failed"}
>>>>> --9eb5dc70-F--
>>>>> HTTP/1.1 400 Bad Request
>>>>> Access-Control-Allow-Origin: *
>>>>> Content-Type: application/json
>>>>> Content-Length: 190
>>>>> X-Content-Type-Options: nosniff
>>>>> X-Frame-Options: sameorigin
>>>>> Connection: close
>>>>> 
>>>>> --9eb5dc70-H--
>>>>> Message: Warning. Matched phrase "bin/bash" at ARGS:blah. [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "448"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:blah: /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"]
>>>>> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
>>>>> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Unix Shell Code Found"] [tag "event-correlation"]
>>>>> Apache-Handler: proxy-server
>>>>> Stopwatch: 1521070655519139 8420 (- - -)
>>>>> Stopwatch2: 1521070655519139 8420; combined=1400, p1=343, p2=801, p3=40, p4=129, p5=86, sr=35, sw=1, l=0, gc=0
>>>>> Response-Body-Transformed: Dechunked
>>>>> Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
>>>>> Server: Apache/2.4.18
>>>>> Sanitised-Args: "CVV".
>>>>> Engine-Mode: "DETECTION_ONLY"
>>>>> 
>>>>> --9eb5dc70-Z--
>>>>> 
>>>>> 
>>>>> Cristiano Galdino
>>>>> (61) 9860 1 9860
>>>>> cri...@ga...
>>>>> 
>>>>>> On 14 Mar 2018 19:05 -0300, Christian Folini <chr...@ne...>, wrote:
>>>>>> Sorry, I was a bit quick to jump to that conclusion. Overlooked your remark
>>>>>> on JSON.
>>>>>> 
>>>>>> I confirm this does not work.
>>>>>> 
>>>>>> Sanitation is generally an issue as there is no sanitation in the alerts
>>>>>> written into the error-log. Even it is less severe as the audit log.
>>>>>> 
>>>>>> Best,
>>>>>> 
>>>>>> Christian
>>>>>> 
>>>>>> 
>>>>>>> On Wed, Mar 14, 2018 at 06:41:25PM -0300, Cristiano Galdino wrote:
>>>>>>> Yep! My application use JSON payloads.
>>>>>>> Christian, please try it:
>>>>>>> $> curl -H "Content-Type: application/json" -X POST -d '{"cvv”:"123"}'
>>>>>>> [1]http://localhost/?id=/bin/bash
>>>>>>> 
>>>>>>> Cristiano Galdino
>>>>>>> (61) 9860 1 9860
>>>>>>> cri...@ga...
>>>>>>> 
>>>>>>> On 14 Mar 2018 18:38 -0300, Robert Paprocki
>>>>>>> <rpa...@fe...>, wrote:
>>>>>>> 
>>>>>>> Christian, you tested with a application/x-www-form-urlencoded
>>>>>>> request; Christiano's use case involves JSON-encoded bodies.
>>>>>>> I do not believe JSON request bodies can be translated into data
>>>>>>> collections that can have sanitize actions applied on them at this
>>>>>>> point.
>>>>>>> 
>>>>>>> On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini
>>>>>>> <[2]chr...@ne...> wrote:
>>>>>>> 
>>>>>>> Hello Cristiano,
>>>>>>> I did the following request:
>>>>>>> $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash"
>>>>>>> and got the following audit-log when using CRS3 (parameter exec
>>>>>>> triggering
>>>>>>> the writing of the audit log):
>>>>>>> --a7997f3d-A--
>>>>>>> [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1
>>>>>>> 50058 127.0.0.1 40080
>>>>>>> --a7997f3d-B--
>>>>>>> POST / HTTP/1.1
>>>>>>> Host: localhost
>>>>>>> User-Agent: curl/7.50.1
>>>>>>> Accept: */*
>>>>>>> Content-Length: 38
>>>>>>> Content-Type: application/x-www-form-urlencoded
>>>>>>> --a7997f3d-C--
>>>>>>> CVV=*******************&exec=/bin/bash
>>>>>>> --a7997f3d-F--
>>>>>>> HTTP/1.1 200 OK
>>>>>>> Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT
>>>>>>> ETag: "2d-5608741dac6fd"
>>>>>>> Accept-Ranges: bytes
>>>>>>> Content-Length: 45
>>>>>>> Content-Type: text/html
>>>>>>> ...
>>>>>>> I'm running ModSec 2.9.2 on Apache 2.4.29, both self compiled
>>>>>>> according to
>>>>>>> the tutorials on [3]netnea.com.
>>>>>>> My ModSec Configuration:
>>>>>>> ------------------------------------------------------------
>>>>>>> ------------------
>>>>>>> SecRuleEngine On
>>>>>>> SecRequestBodyAccess On
>>>>>>> SecRequestBodyLimit 10000000
>>>>>>> SecRequestBodyNoFilesLimit 64000
>>>>>>> SecResponseBodyAccess On
>>>>>>> SecResponseBodyLimit 10000000
>>>>>>> SecTmpDir /tmp/
>>>>>>> SecDataDir /tmp/
>>>>>>> SecUploadDir /tmp/
>>>>>>> SecDebugLog /apache/logs/modsec_debug.log
>>>>>>> SecDebugLogLevel 3
>>>>>>> SecAuditEngine RelevantOnly
>>>>>>> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>>>>>>> SecAuditLogParts ABEFHIJZ
>>>>>>> SecAuditLogType Concurrent
>>>>>>> SecAuditLog /apache/logs/modsec_audit.log
>>>>>>> SecAuditLogStorageDir /apache/logs/audit/
>>>>>>> SecPcreMatchLimit 500000
>>>>>>> SecPcreMatchLimitRecursion 500000
>>>>>>> SecDefaultAction "phase:2,pass,log"
>>>>>>> # == ModSec Rule ID Namespace Definition
>>>>>>> # Service-specific before Core-Rules: 10000 - 49999
>>>>>>> # Service-specific after Core-Rules: 50000 - 79999
>>>>>>> # Locally shared rules: 80000 - 99999
>>>>>>> # - Performance: 90000 - 90199
>>>>>>> # Recommended ModSec Rules (few): 200000 - 200010
>>>>>>> # OWASP Core-Rules: 900000 - 999999
>>>>>>> # === ModSec timestamps at the start of each phase (ids: 90000 -
>>>>>>> 90009)
>>>>>>> SecAction "id:'90000',phase:1,nolog,pass,setvar:TX.
>>>>>>> ModSecTimestamp1start=%{DURATION}"
>>>>>>> SecAction "id:'90001',phase:2,nolog,pass,setvar:TX.
>>>>>>> ModSecTimestamp2start=%{DURATION}"
>>>>>>> SecAction "id:'90002',phase:3,nolog,pass,setvar:TX.
>>>>>>> ModSecTimestamp3start=%{DURATION}"
>>>>>>> SecAction "id:'90003',phase:4,nolog,pass,setvar:TX.
>>>>>>> ModSecTimestamp4start=%{DURATION}"
>>>>>>> SecAction "id:'90004',phase:5,nolog,pass,setvar:TX.
>>>>>>> ModSecTimestamp5start=%{DURATION}"
>>>>>>> # SecRule REQUEST_FILENAME "@beginsWith /"
>>>>>>> "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv:
>>>>>>> write_perflog"
>>>>>>> # === ModSec Recommended Rules (in modsec src package) (ids:
>>>>>>> 200000-200010)
>>>>>>> SecRule REQUEST_HEADERS:Content-Type "text/xml"
>>>>>>> "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:
>>>>>>> requestBodyProcessor=XML"
>>>>>>> SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none,
>>>>>>> deny,status:400,log,msg:'Failed to parse request body.',\
>>>>>>> logdata:'%{reqbody_error_msg}',severity:2"
>>>>>>> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
>>>>>>> "id:'200002',phase:2,t:none,log,deny,status:403, \
>>>>>>> msg:'Multipart request body failed strict validation: \
>>>>>>> PE %{REQBODY_PROCESSOR_ERROR}, \
>>>>>>> BQ %{MULTIPART_BOUNDARY_QUOTED}, \
>>>>>>> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
>>>>>>> DB %{MULTIPART_DATA_BEFORE}, \
>>>>>>> DA %{MULTIPART_DATA_AFTER}, \
>>>>>>> HF %{MULTIPART_HEADER_FOLDING}, \
>>>>>>> LF %{MULTIPART_LF_LINE}, \
>>>>>>> SM %{MULTIPART_MISSING_SEMICOLON}, \
>>>>>>> IQ %{MULTIPART_INVALID_QUOTING}, \
>>>>>>> IP %{MULTIPART_INVALID_PART}, \
>>>>>>> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
>>>>>>> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
>>>>>>> SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none,
>>>>>>> deny,status:500,msg:'ModSecurity internal error flagged:
>>>>>>> %{MATCHED_VAR_NAME}'"
>>>>>>> # === ModSecurity Rules (ids: 900000-999999)
>>>>>>> # === ModSec Core Rules Base Configuration (ids: 900001-900021)
>>>>>>> Include /home/dune73/data/git/crs-official/crs-setup.conf.
>>>>>>> example
>>>>>>> SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_
>>>>>>> anomaly_score_threshold=500,setvar:tx.outbound_anomaly_
>>>>>>> score_threshold=500"
>>>>>>> SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx.
>>>>>>> paranoia_level=4"
>>>>>>> # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by
>>>>>>> id of ignored rule (ids: 10000-49999)
>>>>>>> # SecRule ARGS:a "."
>>>>>>> "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'"
>>>>>>> # SecRule ARGS_GET:a "."
>>>>>>> "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'"
>>>>>>> # SecRule ARGS_POST:a "."
>>>>>>> "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'"
>>>>>>> # SecRule REQUEST_URI "."
>>>>>>> "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'"
>>>>>>> # SecRule REQUEST_HEADERS:User-Agent "."
>>>>>>> "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'"
>>>>>>> SecRule ARGS:b "." "id:1006,phase:2,pass,log,
>>>>>>> auditlog,msg:'XXX6: %{MATCHED_VAR}'"
>>>>>>> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
>>>>>>> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
>>>>>>> # === ModSecurity Core Rules Inclusion
>>>>>>> Include /home/dune73/data/git/crs-official/rules/*.conf
>>>>>>> # === ModSec Core Rules: Startup Time Rules Exclusions
>>>>>>> # === ModSec timestamps at the end of each phase (ids: 90010 -
>>>>>>> 90019)
>>>>>>> SecAction "id:'90010',phase:1,pass,nolog,setvar:TX.
>>>>>>> ModSecTimestamp1end=%{DURATION}"
>>>>>>> SecAction "id:'90011',phase:2,pass,nolog,setvar:TX.
>>>>>>> ModSecTimestamp2end=%{DURATION}"
>>>>>>> SecAction "id:'90012',phase:3,pass,nolog,setvar:TX.
>>>>>>> ModSecTimestamp3end=%{DURATION}"
>>>>>>> SecAction "id:'90013',phase:4,pass,nolog,setvar:TX.
>>>>>>> ModSecTimestamp4end=%{DURATION}"
>>>>>>> SecAction "id:'90014',phase:5,pass,nolog,setvar:TX.
>>>>>>> ModSecTimestamp5end=%{DURATION}"
>>>>>>> # === ModSec performance calculations and variable export (ids:
>>>>>>> 90100 - 90199)
>>>>>>> SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_
>>>>>>> modsecinbound=%{PERF_PHASE1}"
>>>>>>> SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_
>>>>>>> modsecinbound=+%{PERF_PHASE2}"
>>>>>>> SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_
>>>>>>> application=%{TX.ModSecTimestamp3start}"
>>>>>>> SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_
>>>>>>> application=-%{TX.ModSecTimestamp2end}"
>>>>>>> SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_
>>>>>>> modsecoutbound=%{PERF_PHASE3}"
>>>>>>> SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_
>>>>>>> modsecoutbound=+%{PERF_PHASE4}"
>>>>>>> SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{
>>>>>>> TX.perf_modsecinbound}"
>>>>>>> SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=%
>>>>>>> {TX.perf_application}"
>>>>>>> SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{
>>>>>>> TX.perf_modsecoutbound}"
>>>>>>> SecAction "id:'90109',phase:5,pass,nolog,setenv:
>>>>>>> ModSecAnomalyScoreIn=%{TX.anomaly_score}"
>>>>>>> SecAction "id:'90110',phase:5,pass,nolog,setenv:
>>>>>>> ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"
>>>>>>> # === End ModSec Configuration
>>>>>>> ------------------------------------------------------------
>>>>>>> ------------------
>>>>>>> So I think this generally works. If it does not for you, then please
>>>>>>> try and
>>>>>>> reproduce the behaviour on the latest ModSec version of the 2.9
>>>>>>> series and
>>>>>>> open a bug report in case.
>>>>>>> Ahoj,
>>>>>>> Christian
>>>>>>>> On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote:
>>>>>>>> Hi Christian!
>>>>>>>> Modsecurity: 2.9.0-1 (from Ubuntu repository)
>>>>>>>> Apache 2.4.18-2ubuntu3.5
>>>>>>>> Tks!
>>>>>>>> 
>>>>>>>> Cristiano Galdino
>>>>>>>> [4]cri...@ga...
>>>>>>>> 
>>>>>>>> On 14 Mar 2018 17:55 -0300, Christian Folini
>>>>>>>> <[5]chr...@ne...>, wrote:
>>>>>>>> 
>>>>>>>> Hello Christiano,
>>>>>>>> What platform are you using? (-> ModSec version, Apache /
>>>>>>> NGINX /
>>>>>>>> IIS?)
>>>>>>>> Ahoj,
>>>>>>>> Christian
>>>>>>>> On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino
>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> Hello!
>>>>>>>> I created a rule in ModSecurity to sanitize param CVV (credit
>>>>>>> card)
>>>>>>>> but
>>>>>>>> it is not working.
>>>>>>>> Samples:
>>>>>>>> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV”
>>>>>>>> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
>>>>>>>> This prevents me from using modsecurity because PCI does not
>>>>>>> allow
>>>>>>>> CVV
>>>>>>>> to be stored.
>>>>>>>> I found this issue without response.
>>>>>>>> [1][6]https://github.com/SpiderLabs/ModSecurity/issues/715
>>>>>>>> What can I do?
>>>>>>>> Cristiano Galdino
>>>>>>>> [7]cri...@ga...
>>>>>>>> References
>>>>>>>> 1. [8]https://github.com/SpiderLabs/ModSecurity/issues/715
>>>>>>>> 
>>>>>>>> ------------------------------------------------------------
>>>>>>> --------
>>>>>>>> ----------
>>>>>>>> Check out the vibrant tech community on one of the world's
>>>>>>> most
>>>>>>>> engaging tech sites, Slashdot.org!
>>>>>>> [9]http://sdm.link/slashdot
>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> mod-security-users mailing list
>>>>>>>> [10]mod...@li...
>>>>>>>> [11]https://lists.sourceforge.net/
>>>>>>> lists/listinfo/mod-security-users
>>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's
>>>>>>>> SpiderLabs:
>>>>>>>> [12]http://www.modsecurity.org/projects/commercial/rules/
>>>>>>>> [13]http://www.modsecurity.org/projects/commercial/support/
>>>>>>>> 
>>>>>>>> --
>>>>>>>> [14]https://www.feistyduck.com/training/modsecurity-training-
>>>>>>> course
>>>>>>>> [15]https://www.feistyduck.com/books/modsecurity-handbook/
>>>>>>>> mailto:[16]chr...@ne...
>>>>>>>> twitter: @ChrFolini
>>>>>>>> ------------------------------------------------------------
>>>>>>> --------
>>>>>>>> ----------
>>>>>>>> Check out the vibrant tech community on one of the world's
>>>>>>> most
>>>>>>>> engaging tech sites, Slashdot.org!
>>>>>>> [17]http://sdm.link/slashdot
>>>>>>>> _______________________________________________
>>>>>>>> mod-security-users mailing list
>>>>>>>> [18]mod...@li...
>>>>>>>> [19]https://lists.sourceforge.net/
>>>>>>> lists/listinfo/mod-security-users
>>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's
>>>>>>>> SpiderLabs:
>>>>>>>> [20]http://www.modsecurity.org/projects/commercial/rules/
>>>>>>>> [21]http://www.modsecurity.org/projects/commercial/support/
>>>>>>>> ------------------------------------------------------------
>>>>>>> ------------------
>>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>>> engaging tech sites, Slashdot.org! [22]http://sdm.link/slashdot
>>>>>>>> _______________________________________________
>>>>>>>> mod-security-users mailing list
>>>>>>>> [23]mod...@li...
>>>>>>>> [24]https://lists.sourceforge.net/lists/listinfo/mod-security-
>>>>>>> users
>>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's
>>>>>>> SpiderLabs:
>>>>>>>> [25]http://www.modsecurity.org/projects/commercial/rules/
>>>>>>>> [26]http://www.modsecurity.org/projects/commercial/support/
>>>>>>> --
>>>>>>> [27]https://www.feistyduck.com/training/modsecurity-training-course
>>>>>>> [28]https://www.feistyduck.com/books/modsecurity-handbook/
>>>>>>> mailto:[29]chr...@ne...
>>>>>>> twitter: @ChrFolini
>>>>>>> ------------------------------------------------------------
>>>>>>> ------------------
>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>> engaging tech sites, Slashdot.org! [30]http://sdm.link/slashdot
>>>>>>> _______________________________________________
>>>>>>> mod-security-users mailing list
>>>>>>> [31]mod...@li...
>>>>>>> [32]https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's
>>>>>>> SpiderLabs:
>>>>>>> [33]http://www.modsecurity.org/projects/commercial/rules/
>>>>>>> [34]http://www.modsecurity.org/projects/commercial/support/
>>>>>>> 
>>>>>>> --------------------------------------------------------------------
>>>>>>> ----------
>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>> _______________________________________________
>>>>>>> mod-security-users mailing list
>>>>>>> mod...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's
>>>>>>> SpiderLabs:
>>>>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>>>>> http://www.modsecurity.org/projects/commercial/support/
>>>>>>> 
>>>>>>> References
>>>>>>> 
>>>>>>> 1. http://localhost:3000/api/login
>>>>>>> 2. mailto:chr...@ne...
>>>>>>> 3. http://netnea.com/
>>>>>>> 4. mailto:cri...@ga...
>>>>>>> 5. mailto:chr...@ne...
>>>>>>> 6. https://github.com/SpiderLabs/ModSecurity/issues/715
>>>>>>> 7. mailto:cri...@ga...
>>>>>>> 8. https://github.com/SpiderLabs/ModSecurity/issues/715
>>>>>>> 9. http://sdm.link/slashdot
>>>>>>> 10. mailto:mod...@li...
>>>>>>> 11. https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>>>> 12. http://www.modsecurity.org/projects/commercial/rules/
>>>>>>> 13. http://www.modsecurity.org/projects/commercial/support/
>>>>>>> 14. https://www.feistyduck.com/training/modsecurity-training-course
>>>>>>> 15. https://www.feistyduck.com/books/modsecurity-handbook/
>>>>>>> 16. mailto:chr...@ne...
>>>>>>> 17. http://sdm.link/slashdot
>>>>>>> 18. mailto:mod...@li...
>>>>>>> 19. https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>>>> 20. http://www.modsecurity.org/projects/commercial/rules/
>>>>>>> 21. http://www.modsecurity.org/projects/commercial/support/
>>>>>>> 22. http://sdm.link/slashdot
>>>>>>> 23. mailto:mod...@li...
>>>>>>> 24. https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>>>> 25. http://www.modsecurity.org/projects/commercial/rules/
>>>>>>> 26. http://www.modsecurity.org/projects/commercial/support/
>>>>>>> 27. https://www.feistyduck.com/training/modsecurity-training-course
>>>>>>> 28. https://www.feistyduck.com/books/modsecurity-handbook/
>>>>>>> 29. mailto:chr...@ne...
>>>>>>> 30. http://sdm.link/slashdot
>>>>>>> 31. mailto:mod...@li...
>>>>>>> 32. https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>>>> 33. http://www.modsecurity.org/projects/commercial/rules/
>>>>>>> 34. http://www.modsecurity.org/projects/commercial/support/
>>>>>> 
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> mod-security-users mailing list
>>>>>>> mod...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>>>>> http://www.modsecurity.org/projects/commercial/support/
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> https://www.feistyduck.com/training/modsecurity-training-course
>>>>>> https://www.feistyduck.com/books/modsecurity-handbook/
>>>>>> mailto:chr...@ne...
>>>>>> twitter: @ChrFolini
>>>>>> 
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>> _______________________________________________
>>>>>> mod-security-users mailing list
>>>>>> mod...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>>>> http://www.modsecurity.org/projects/commercial/support/
>>>>> 
>>>>> ------------------------------------------------------------------------------
>>>>> Check out the vibrant tech community on one of the world's most
>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>> _______________________________________________
>>>>> mod-security-users mailing list
>>>>> mod...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>>> http://www.modsecurity.org/projects/commercial/support/
>>>>> 
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot_______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>> http://www.modsecurity.org/projects/commercial/support/
>>