|
From: Manuel S. <spa...@gm...> - 2019-01-02 21:42:02
|
The content of the request body is parsed f there is a body processor enabled, which only happens by default in two cases ( https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#ctl ) ``` The requestBodyProcessor option allows you to configure the request body processor. By default, ModSecurity will use the URLENCODED and MULTIPART processors to process an application/x-www-form-urlencoded and a multipart/form-data body, respectively. Other two processors are also supported: JSON and XML, but they are never used implicitly. Instead, *you must* tell ModSecurity to use it by placing a few rules in the REQUEST_HEADERS processing phase. ``` This means that if your content is XML you must have a rule in phase 1 that forces the engine to parse it, same applies to JSON and any other content-type https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#REQBODY_PROCESSOR This also means that if the content-type is something else than ` application/x-www-form-urlencoded` it will not populate the ARGS collection! That is the default in most cases. Now XML use its own collection while json will populate the same collection as urlencoded. You may also want to read https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecRequestBodyAccess Happy new year! El mié., 2 ene. 2019 a las 13:50, Robert Paprocki (< rpa...@fe...>) escribió: > Hey Jai, > > I believe ARGS is only filled with the request body with the request is a > urlencoded. Because ARGS and friends are treated as tabular variables, > ModSecurity won't attempt to parse an XML body and at it into the ARGS or > ARGS_POST variables, because there's no sane way to interpolate the > document into key-value paired data. > > On Wed, Jan 2, 2019 at 10:21 AM Jai Harpalani via mod-security-developers < > mod...@li...> wrote: > >> User-documentation states: >> >> "ARGS is a collection and can be used on its own (means all arguments >> including the POST Payload)..." >> >> Based on my testing, it does not appear that ARGS is including the POST >> payload. I am sending a POST request with the body shown below. I expect it >> to trigger Rule 930120, but it does not. >> >> Request Body: >> >> <?xml version='1.0' encoding='UTF-8'?> >> <soapenv:Envelope xmlns:soapenv=" >> http://schemas.xmlsoap.org/soap/envelope/"> >> <soapenv:Body> >> <ns1:echo xmlns:ns1="http://example1.org/example1"> >> <Text>hello .bashrc</Text> >> </ns1:echo> >> </soapenv:Body> >> </soapenv:Envelope> >> >> _______________________________________________ >> mod-security-developers mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-developers >> ModSecurity Services from Trustwave's SpiderLabs: >> https://www.trustwave.com/spiderLabs.php > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
