Hi Davy,
Have you reviewed the OWASP ModSecurity Core Rule Set project?
https://github.com/SpiderLabs/owasp-modsecurity-crs
Cheers!
Sent from my iPhone
> On 16 Jan 2019, at 02:51, Davy Gunarso via mod-security-users <mod...@li...> wrote:
>
>
> Hello,
>
> Regarding ModSecurity, I wonder if it is possible to write a custom rule in ModSecurity specifically for SQLIA attacks?
>
> For example: a custom rule specifically for SQLIA piggy-backed tailed, or a custom rule specifically for SQLIA tautologies.
>
> Is that possible?
>
> Thanks in advance,
> Davy
>
> On Thursday, January 3, 2019, 4:43:36 AM GMT+7, Manuel Spartan <spa...@gm...> wrote:
>
>
> The content of the request body is parsed if there is a body processor enabled, which only happens by default in two cases (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#ctl):
> ```
> The requestBodyProcessor option allows you to configure the request body processor. By default, ModSecurity will use the URLENCODED and MULTIPART processors to process an application/x-www-form-urlencoded and a multipart/form-data body, respectively. Other two processors are also supported: JSON and XML, but they are never used implicitly. Instead, you must tell ModSecurity to use it by placing a few rules in the REQUEST_HEADERS processing phase.
> ```
> This means that if your content is XML you must have a rule in phase 1 that forces the engine to parse it; the same applies to JSON and any other content-type: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#REQBODY_PROCESSOR
>
> This also means that if the content-type is something other than `application/x-www-form-urlencoded` it will not populate the ARGS collection! That is the default in most cases.
>
> Now XML uses its own collection while JSON will populate the same collection as urlencoded.
> You may also want to read https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecRequestBodyAccess
>
> Happy new year!
>
> On Wed, Jan 2, 2019 at 13:50, Robert Paprocki (<rpa...@fe...>) wrote:
> Hey Jai,
>
> I believe ARGS is only filled with the request body when the request is urlencoded. Because ARGS and friends are treated as tabular variables, ModSecurity won't attempt to parse an XML body and add it into the ARGS or ARGS_POST variables, because there's no sane way to interpolate the document into key-value paired data.
>
> On Wed, Jan 2, 2019 at 10:21 AM Jai Harpalani via mod-security-developers <mod...@li...> wrote:
> User-documentation states:
>
> "ARGS is a collection and can be used on its own (means all arguments including the POST Payload)..."
>
> Based on my testing, it does not appear that ARGS is including the POST payload. I am sending a POST request with the body shown below. I expect it to trigger Rule 930120, but it does not.
>
> Request Body:
>
> ```
> <?xml version='1.0' encoding='UTF-8'?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>   <soapenv:Body>
>     <ns1:echo xmlns:ns1="http://example1.org/example1">
>       <Text>hello .bashrc</Text>
>     </ns1:echo>
>   </soapenv:Body>
> </soapenv:Envelope>
> ```
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
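
The phase 1 body-processor selection described in the thread, written out as an added example that is not part of the original messages or of the CRS. The rule ids (100000 to 100003) and the `.bashrc` match are placeholders chosen for illustration.

```apache
# Added example: rule ids and the matched string are illustrative placeholders.
SecRuleEngine On
SecRequestBodyAccess On

# Phase 1 (REQUEST_HEADERS): XML is never parsed implicitly, so select the
# XML body processor explicitly when the Content-Type says the body is XML.
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:application(?:/soap\+|/)|text/)xml" \
    "id:100000,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:requestBodyProcessor=XML"

# Same requirement for JSON bodies.
SecRule REQUEST_HEADERS:Content-Type "@rx ^application/json" \
    "id:100001,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:requestBodyProcessor=JSON"

# Phase 2: reject bodies the selected processor could not parse, so a
# malformed document cannot slip past the content rules below.
SecRule REQBODY_ERROR "!@eq 0" \
    "id:100002,phase:2,t:none,deny,status:400,log,\
    msg:'Failed to parse request body',\
    logdata:'%{REQBODY_ERROR_MSG}'"

# Phase 2: a parsed XML body is exposed through the XML collection, not ARGS.
# A rule that lists only ARGS never sees <Text>hello .bashrc</Text>;
# targeting XML:/* inspects the document's text nodes.
SecRule XML:/* "@contains .bashrc" \
    "id:100003,phase:2,t:none,deny,status:403,log,\
    msg:'Restricted file name in XML request body'"
```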