Re: [mod-security-users] XML Parsing
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] XML Parsing
|
From: Robert P. <rpa...@fe...> - 2018-04-24 15:55:13
|
Given that XML parsing shouldn't even occur unless the content type indicates an XML document in the body, is it much of a concern? How much XML traffic do you actually serve up? As for the usefulness of the XML variable within the rule variables, that itself might be a better question for the CRS mailing list/developers. On Tue, Apr 24, 2018 at 7:52 AM, Jai Harpalani via mod-security-users < mod...@li...> wrote: > As expected, parsing an XML request takes a significant amount of time. I > am trying to determine if there is any benefit to parsing XML requests if > the only rules I am using are from OWASP CRS. Are there any OWASP CRS rules > which require XML requests to be parsed? > > I see many rules with the following pattern: > > SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head| > options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" > \ > "msg:'HTTP Request Smuggling Attack',\ > phase:request,\ > id:921110,\ > rev:'1',\ > . . . > > These rules are not doing anything "XML-specific". For the rule above, the > operator can be applied to a plain text request. So, why pay the penalty of > parsing XML? > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > |
