Thread: [mod-security-users] Decoding of argument names and values
Brought to you by:
victorhora,
zimmerletw
From: Surya B. <sur...@ya...> - 2007-07-31 16:11:23
|
=0AHi,=0A=0AI believe POST fields can be encoded using multiple encoding me= thods such as - UTF8, Hex, %u, UTF-16, Full width. =0ADoes Mod-Security dec= ode the fields before checking the rules? If so, can somebody please give m= e list of supported encoding methods?=0A=0AThanks=0ASurya=0A=0A=0A=0A=0A=0A= =0A_________________________________________________________________= ___________________=0ATake the Internet to Go: Yahoo!Go puts the Internet i= n your pocket: mail, news, photos & more. =0Ahttp://mobile.yahoo.com/go?ref= er=3D1GNXIC |
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-07-31 16:38:28
|
ModSecurity has a number of Transformation functions that can be applied to the rules - http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/modsec urity2-apache-reference.html#06-transformation-functions --=20 Ryan C. Barnett ModSecurity Community Manager Breach Security: Director of Application Security Training Web Application Security Consortium (WASC) Member CIS Apache Benchmark Project Lead SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC Author: Preventing Web Attacks with Apache =20 > -----Original Message----- > From: mod...@li... [mailto:mod- > sec...@li...] On Behalf Of Surya Batchu > Sent: Tuesday, July 31, 2007 12:11 PM > To: mod...@li... > Subject: [mod-security-users] Decoding of argument names and values >=20 >=20 > Hi, >=20 > I believe POST fields can be encoded using multiple encoding methods such > as - UTF8, Hex, %u, UTF-16, Full width. > Does Mod-Security decode the fields before checking the rules? If so, can > somebody please give me list of supported encoding methods? >=20 > Thanks > Surya >=20 >=20 >=20 >=20 >=20 >=20 > ________________________________________________________________________ __ > __________ > Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, > news, photos & more. > http://mobile.yahoo.com/go?refer=3D1GNXIC >=20 > ------------------------------------------------------------------------ - > This SF.net email is sponsored by: Splunk Inc. > Still grepping through log files to find problems? Stop. > Now Search log events and configuration files using AJAX and a browser. > Download your FREE copy of Splunk now >> http://get.splunk.com/ > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users |
From: Ofer S. <OferS@Breach.com> - 2007-07-31 16:47:22
|
Just to add to that: + Mod security automatically performs URL decoding (many times called hex decoding) on post data since this is specified in the standard for post parameters. + The other transformation functions are not applied by default and you have to explicitly specify which one you want for each rule. You may also select multiple transformation functions, in which case they would all be applied and after the last one the rule test would be applied. You can use the multiMatch action to perform the test after each transformation function. ~ Ofer > -----Original Message----- > From: mod...@li... [mailto:mod- > sec...@li...] On Behalf Of Ryan Barnett > Sent: Tuesday, July 31, 2007 9:38 AM > To: Surya Batchu; mod...@li... > Subject: Re: [mod-security-users] Decoding of argument names and values >=20 > ModSecurity has a number of Transformation functions that can be > applied > to the rules - > http://www.modsecurity.org/documentation/modsecurity- > apache/2.1.0/modsec > urity2-apache-reference.html#06-transformation-functions >=20 > -- > Ryan C. Barnett > ModSecurity Community Manager > Breach Security: Director of Application Security Training > Web Application Security Consortium (WASC) Member > CIS Apache Benchmark Project Lead > SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC > Author: Preventing Web Attacks with Apache >=20 > > -----Original Message----- > > From: mod...@li... [mailto:mod- > > sec...@li...] On Behalf Of Surya > Batchu > > Sent: Tuesday, July 31, 2007 12:11 PM > > To: mod...@li... > > Subject: [mod-security-users] Decoding of argument names and values > > > > > > Hi, > > > > I believe POST fields can be encoded using multiple encoding methods > such > > as - UTF8, Hex, %u, UTF-16, Full width. > > Does Mod-Security decode the fields before checking the rules? If so, > can > > somebody please give me list of supported encoding methods? > > > > Thanks > > Surya > > > > > > > > > > > > > > > _______________________________________________________________________ > _ > __ > > __________ > > Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: > mail, > > news, photos & more. > > http://mobile.yahoo.com/go?refer=3D1GNXIC > > > > > ----------------------------------------------------------------------- > - > - > > This SF.net email is sponsored by: Splunk Inc. > > Still grepping through log files to find problems? Stop. > > Now Search log events and configuration files using AJAX and a > browser. > > Download your FREE copy of Splunk now >> http://get.splunk.com/ > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users >=20 > ----------------------------------------------------------------------- > -- > This SF.net email is sponsored by: Splunk Inc. > Still grepping through log files to find problems? Stop. > Now Search log events and configuration files using AJAX and a browser. > Download your FREE copy of Splunk now >> http://get.splunk.com/ > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users |