Re: [mod-security-users] Question about ARGS Variable
From: Jai H. <jai...@mu...> - 2019-01-02 19:14:51
Okay, here's a different question. This may not be the appropriate place to
ask, but I'll give it a shot.
There are many OWASP CRS rules which have XML in the list of operators, but
not REQUEST_BODY. An example of one is below.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \
"phase:request,\
msg:'OS File Access Attempt',\
rev:'4',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
block,\
id:930120,\
. . .
This rule is searching for patterns specified in lfi-os-files.data. It is
not using XPath expressions. The XML operator will be empty for non-XML
requests or when the xml parser is disabled. In these cases, wouldn't we
still want to search the request body for patterns specified in
lfi-os-files.data? Is there a reason that the patterns are only searched
for in the request body for XML requests?
On Wed, Jan 2, 2019 at 12:58 PM Reindl Harald <h.r...@th...>
wrote:
>
>
> On 02.01.19 at 19:54, Jai Harpalani via mod-security-users wrote:
> > Isn't the "POST Payload" equivalent to the body? If not, what exactly is
> > the "POST Payload"?
>
> hell how can any random XML stuff be an ARGUMENT and how do you imagine
> this to be handled performance wise?
>
> is it a post-param like <input type="text" name="arg" value="whatever">
> no, it is not
>
> > On Wed, Jan 2, 2019 at 12:29 PM Reindl Harald <h.r...@th...
> > <mailto:h.r...@th...>> wrote:
> >
> >
> >
> > On 02.01.19 at 18:55, Jai Harpalani via mod-security-users wrote:
> > > User-documentation states:
> > >
> > > "ARGS is a collection and can be used on its own (means all arguments
> > > including the POST Payload)..."
> > >
> > > Based on my testing, it does not appear that ARGS is including the POST
> > > payload. I am sending a POST request with the body shown below. I expect
> > > it to trigger Rule 930120, but it does not.
> >
> > args and body are different worlds by definition
> >
> >
> > > Request Body:
> > >
> > > <?xml version='1.0' encoding='UTF-8'?>
> > > <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
> > > <soapenv:Body>
> > > <ns1:echo xmlns:ns1="http://example1.org/example1">
> > > <Text>hello .bashrc</Text>
> > > </ns1:echo>
> > > </soapenv:Body>
> > > </soapenv:Envelope>
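The behaviour discussed in this thread, as an added example that is not part of the original messages and is not ModSecurity code: a simplified Python model of which values a rule with targets ARGS|XML:/* gets to inspect under each request body processor. The phrase list, the function names and the form field name `Text` are constructed for illustration.

```python
"""Simplified model of how ARGS and XML:/* are populated (not ModSecurity code)."""
from urllib.parse import parse_qsl
import xml.etree.ElementTree as ET

# Constructed stand-in for the phrase file used by @pmf (lfi-os-files.data).
PHRASES = [".bashrc", ".htpasswd", "etc/passwd"]

# Constructed copy of the SOAP body quoted in the thread.
SOAP_BODY = (
    b"<?xml version='1.0' encoding='UTF-8'?>"
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soapenv:Body>"
    b'<ns1:echo xmlns:ns1="http://example1.org/example1">'
    b"<Text>hello .bashrc</Text>"
    b"</ns1:echo></soapenv:Body></soapenv:Envelope>"
)

# Constructed form post carrying the same value as an ordinary POST parameter.
FORM_BODY = b"Text=hello+.bashrc"


def build_targets(query, body, processor):
    """Return the values a rule with targets ARGS|XML:/* would inspect.

    processor models the request body processor in effect:
    "URLENCODED", "XML", or None when the body is left unparsed.
    """
    targets = [value for _, value in parse_qsl(query)]        # ARGS from the query string
    if processor == "URLENCODED":
        # Form fields become POST arguments and so join ARGS.
        targets += [value for _, value in parse_qsl(body.decode())]
    elif processor == "XML":
        # XML:/* evaluates to the concatenated text content of the document.
        root = ET.fromstring(body)
        targets.append("".join(root.itertext()))
    return targets


def pmf_match(targets):
    """Case-insensitive phrase match over every target, in the spirit of @pmf."""
    return sorted({p for t in targets for p in PHRASES if p in t.lower()})


if __name__ == "__main__":
    for label, body, proc in [("SOAP, XML processor on", SOAP_BODY, "XML"),
                              ("SOAP, body unparsed", SOAP_BODY, None),
                              ("form post", FORM_BODY, "URLENCODED")]:
        print(label, "->", pmf_match(build_targets("", body, proc)))
```

In this model the SOAP request only reaches the phrase match through XML:/*, and only when the XML processor has parsed the body; ARGS stays empty for it in every case.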