Hi, Wa have this request for a web service :
http://www.mywebsite.com/webservice?request=%3Cxmlrequest%3E%3Cheader%3E%3Cutilisateur%3Exxx%3C/utilisateur%3E%3Cmotdepasse%3Exxx%3C/motdepasse%3E%3Crequete%3Esearch%3C/requete%3E%3Clangage%3EFR%3C/langage%3E%3Cpays%3Exx%3C/pays%3E%3C/header%3E%3Cbody%3E%3Cnbrparpage%3Exx%3C/nbrparpage%3E%3Cpage%3E2%3C/page%3E%3Ctyperecherche%3Exx%3C/typerecherche%3E%3C/body%3E%3C/xmlrequest%3E mod_security forbidden this request log : Message: Access denied with code 403 (phase 2). Pattern match "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not ..." at ARGS:request. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: utilisateur> xxxx found within ARGS:request: <xmlrequest><header><utilisateur> xxxx </utilisateur><motdepasse> xxxx </motdepasse><requete>search</requete><langage> xx </langage><pays> xxx </pays></header><body><nbrparpage>10</nbrparpage><page>2</page><typerecherche> Action: Intercepted (phase 2) Apache-Handler: proxy-server Stopwatch: 1427968010902873 5141 (- - -) Stopwatch2: 1427968010902873 5141; combined=1880, p1=97, p2=1759, p3=0, p4=0, p5=24, sr=26, sw=0, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9. Server: Apache Engine-Mode: "ENABLED" I tired : <LocationMatch /webservice> SecRuleRemoveByID 950901 </LocationMatch> But I 'm afraid its not Safely How I can allow my web services Safely ? Thank you.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
