One approach you might consider is:
- have a regex rule that checks if the document is likely "good" (has the
string(s) that you expect). Drop / log anything else. So you would drop
records that don't have the word setup, for example.
- have a rule that validates the document against an XML schema or DTD.
ModSecurity has support for this (refer to this for an example:
https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Mitigations-for-Ruby-on-Rails-XML-Exploits/ )
ModSecurity also has XPath support, so you can use XPath. Here is an
example of what you can do:
SecRule XML:/employees/employee/name/text() "!@rx ^[a-zA-Z ]{3,33}$" \
"id:2000,phase:2,deny,msg:'Invalid employee name'"
So you can use XPath to validate that a given value is of a specific type
or in a specific range.
You can also have a look at Chapter 14 in the ModSecurity Handbook 2nd
Edition, which covers XML.
Finally, if the above does not cover your use case, you could look at using
Lua and one of the Lua XML parser libraries.
--
Osama Elnaggar
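The two-layer approach in the reply above (a cheap regex gate on the raw body, then structural validation of the parsed document) is shown here as a small Python allow-list checker. This is an added example, not code from the thread or from ModSecurity itself: it mirrors the logic that the SecRule lines in the reply would express, using the `<setup classId='x' cookie='xx' />` request from the original question as the one permitted call. The attribute patterns, the size limit and the `check_request` name are assumptions made for illustration; in a ModSecurity deployment the equivalent checks would be `SecRule XML:` rules with XPath expressions such as the one quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Assumed allow-list for the single permitted API call, modelled on the
# "<setup classId='x' cookie='xx' />" request from the thread.
# The attribute patterns are constructed for this example, not from the thread.
ALLOWED_ROOT = "setup"
ALLOWED_ATTRS = {
    "classId": re.compile(r"^[a-zA-Z0-9]{1,16}$"),
    "cookie": re.compile(r"^[a-zA-Z0-9]{2,64}$"),
}

# Layer 1: the "is this document likely good?" gate from the reply.
# The body must start with the expected root element (an XML declaration is
# tolerated). Anything else, including a DOCTYPE or entity prelude, is dropped
# before the XML parser ever sees it.
ROOT_GATE = re.compile(r"^\s*(?:<\?xml[^>]*\?>\s*)?<setup\b")

# Assumed upper bound on an acceptable body; the real call is a few dozen bytes.
MAX_BODY = 4096


def check_request(body: str) -> tuple[bool, str]:
    """Return (allowed, reason). Only an exact <setup classId cookie /> passes."""
    if len(body) > MAX_BODY:
        return False, "body too large"

    # Layer 1: regex gate on the raw text.
    if not ROOT_GATE.search(body):
        return False, "root element is not <setup>"

    # Layer 2: structural validation of the parsed document
    # (the XPath-style checks in the reply).
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"

    if root.tag != ALLOWED_ROOT:
        return False, f"unexpected root element {root.tag!r}"
    if len(root) != 0:
        return False, "unexpected child elements"
    if (root.text or "").strip():
        return False, "unexpected text content"

    # The attribute set must match the allow-list exactly: nothing extra,
    # nothing missing, and every value constrained to its pattern.
    unexpected = set(root.attrib) - set(ALLOWED_ATTRS)
    if unexpected:
        return False, f"unexpected attributes: {sorted(unexpected)}"
    missing = set(ALLOWED_ATTRS) - set(root.attrib)
    if missing:
        return False, f"missing attributes: {sorted(missing)}"
    for name, pattern in ALLOWED_ATTRS.items():
        if not pattern.fullmatch(root.attrib[name]):
            return False, f"attribute {name!r} fails its pattern"

    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample bodies: the allowed call and the blocked one from the thread.
    for sample in ("<setup classId='x' cookie='xx' />",
                   "<config classId='c' cookie='xx' />"):
        print(sample, "->", check_request(sample))
```

The order matters: the regex gate runs first so that malformed, oversized or entity-laden bodies are rejected cheaply, and the parser only ever sees documents that already look like the one permitted call. Everything not explicitly listed (other root elements, extra children, extra attributes) is denied, which is the whitelisting posture the thread is asking for.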
On October 9, 2018 at 2:42:59 PM, Christian Folini (chr...@ne...) wrote:
Hello Ivan,
That sounds like a call for a whitelisting rule set.
You can take my basic recipe in tutorial 6, step 8 as a base and
adopt as needed:
https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/
Working with XML is a bit tricky and I have not really done whitelisting
extensively. So I am not sure you can really address each parameter
accordingly for whitelisting through ModSec. But it's a start.
Good luck!
Christian
On Tue, Oct 09, 2018 at 09:28:14AM +1100, Ivan Rodriguez wrote:
> Hi there,
>
> So it happens we have a 3rd party API provider that we need to expose, the
> API is quite extensive, we would like to basically block every single call
> to the API except for a very specific call with some specific parameters,
> for example
>
> block something like this
> curl -s -d "<config classId='c' cookie='xx' />"
> and allow only something like this
> curl -s -d "<setup classId='x' cookie='xx' />"
>
> we have the full API reference so we could have one rule per api call that
> we want to block, what would be the best way to achieve this ? on modsec 2
> ?
>
> Thanks in advance
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/