[Mod-security-developers] rule 921170
Brought to you by:
victorhora,
zimmerletw
From: <877...@qq...> - 2022-02-23 08:09:31
hi,

    SecRule ARGS_NAMES "@rx ." \
        "id:921170,\
        phase:2,\
        pass,\
        nolog,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/3',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/152/137/15/460',\
        ver:'OWASP_CRS/3.4.0-dev',\
        setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"

The rule generates only one variable, named TX.paramcount_ARGS_NAMES, and assigns it the count of items in ARGS_NAMES. But I think this should not be the target, because the target is to find duplicate parameters. It should generate a different variable named TX.paramcount_xxx for every variable name, where xxx is the variable name. The value of TX.paramcount_xxx is the count of xxx in ARGS_NAMES. The same variable name can exist in ARGS_NAMES multiple times, for example http://www.baidu.com?ab=3&ab=6. Is my understanding wrong?

huiming

thanks
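The following is an added illustration, not code from the original post, from ModSecurity or from the OWASP CRS. It models, in Python, how the rule quoted above behaves on a query string such as ?ab=3&ab=6: ARGS_NAMES holds one entry per parameter occurrence, and for a collection item ModSecurity expands %{MATCHED_VAR_NAME} to "COLLECTION:key" (here ARGS_NAMES:ab), so the setvar action increments a separate TX.paramcounter_ARGS_NAMES:<name> counter for each distinct name rather than a single TX.paramcounter_ARGS_NAMES. The companion CRS rule 921180 then tests TX:/paramcounter_.*/ with "@gt 1" to flag duplicates; the duplicates() helper reproduces that check. The function names and the query strings are assumptions made for this example, and the simulation ignores the case normalisation ModSecurity applies to TX variable names.

```python
import re
from urllib.parse import parse_qsl


def args_names(query: str) -> list:
    """Model of the ARGS_NAMES collection for a query string.

    One entry per parameter occurrence, so a name sent twice appears twice.
    """
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def matched_var_name(collection: str, key: str) -> str:
    """ModSecurity expands %{MATCHED_VAR_NAME} for a collection item to
    'COLLECTION:key', not to the bare collection name."""
    return f"{collection}:{key}"


def run_rule_921170(query: str) -> dict:
    """Simulate rule 921170 (assumed helper name for this example).

    For every ARGS_NAMES entry matched by '@rx .', execute
    setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'.  Returns the TX
    collection after the rule has run against the whole request.
    """
    tx = {}
    for name in args_names(query):
        # '@rx .' matches any non-empty name; an empty name (e.g. '=x') is skipped.
        if re.search(".", name) is None:
            continue
        var = "TX.paramcounter_" + matched_var_name("ARGS_NAMES", name)
        tx[var] = tx.get(var, 0) + 1  # setvar ...=+1 on a missing var starts at 0
    return tx


def duplicates(tx: dict) -> list:
    """Model of the companion check (CRS 921180): TX:/paramcounter_.*/ '@gt 1'.

    Returns the counter names whose value exceeds 1, i.e. the duplicated
    parameter names.
    """
    return sorted(k for k, v in tx.items()
                  if k.startswith("TX.paramcounter_") and v > 1)


if __name__ == "__main__":
    # Constructed sample requests for this example.
    for q in ("ab=3&ab=6", "ab=3&cd=6", "ab=3&ab=6&cd=1&cd=2&cd=3"):
        tx = run_rule_921170(q)
        print(q, "->", tx, "duplicates:", duplicates(tx))
```

Running the block shows one counter per distinct parameter name; only names that occur more than once are reported by duplicates(), which is what lets a per-name counter, rather than a single per-collection count, detect duplicated parameters.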