This may be an older way to get the job done, but I typically would whitelist that specific Argument in a rule.
# An id is mandatory from ModSecurity 2.7 on; 1000001 is a placeholder, use any unused local id.
SecRule REQUEST_URI "@beginsWith /webservice" "id:1000001,phase:1,t:none,t:lowercase,pass,nolog,ctl:ruleRemoveTargetById=950901;ARGS:request"

On Sat, Apr 4, 2015 at 1:49 AM Ilyass Kaouam <[email protected]> wrote:
> Hi,
>
> We have this request for a web service:
>
> http://www.mywebsite.com/webservice?request=%3Cxmlrequest%3E%3Cheader%3E%3Cutilisateur%3Exxx%3C/utilisateur%3E%3Cmotdepasse%3Exxx%3C/motdepasse%3E%3Crequete%3Esearch%3C/requete%3E%3Clangage%3EFR%3C/langage%3E%3Cpays%3Exx%3C/pays%3E%3C/header%3E%3Cbody%3E%3Cnbrparpage%3Exx%3C/nbrparpage%3E%3Cpage%3E2%3C/page%3E%3Ctyperecherche%3Exx%3C/typerecherche%3E%3C/body%3E%3C/xmlrequest%3E
>
> mod_security forbids this request. Log:
>
> Message: Access denied with code 403 (phase 2). Pattern match
> "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not
> ..." at ARGS:request. [file
> "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL
> Tautology Detected."] [data "Matched Data: utilisateur>
> xxxx
> found within ARGS:request: <xmlrequest><header><utilisateur>
> xxxx
> </utilisateur><motdepasse>
> xxxx
> </motdepasse><requete>search</requete><langage>
> xx
> </langage><pays>
> xxx
> </pays></header><body><nbrparpage>10</nbrparpage><page>2</page><typerecherche>
> Action: Intercepted (phase 2)
> Apache-Handler: proxy-server
> Stopwatch: 1427968010902873 5141 (- - -)
> Stopwatch2: 1427968010902873 5141; combined=1880, p1=97, p2=1759, p3=0,
> p4=0, p5=24, sr=26, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.9.
> Server: Apache
> Engine-Mode: "ENABLED"
>
> I tried:
>
> <LocationMatch /webservice>
> SecRuleRemoveByID 950901
> </LocationMatch>
>
> But I'm afraid it's not safe.
>
> How can I allow my web services safely?
>
> Thank you.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
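The scoped exclusion suggested in the reply can be derived mechanically from an audit-log entry. The following is an added example, not code from the thread or from the ModSecurity project: it reads the request path, rule id and matched variable from a serial-format audit log and emits a URI-scoped `ctl:ruleRemoveTargetById` rule instead of removing the rule outright. The function name `scoped_exclusions`, the starting id 1000001 and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed audit-log excerpt (sections B and H), modelled on the alert in the thread.
SAMPLE_AUDIT = """--a1b2c3d4-B--
GET /webservice?request=%3Cxmlrequest%3E HTTP/1.1
Host: www.example.test

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:request. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."]
Action: Intercepted (phase 2)

--a1b2c3d4-Z--
"""

REQ_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/\d", re.M)
MSG_LINE = re.compile(r'^Message: .* at (\S+)\. \[file ".*?\[id "(\d+)"\]', re.M)
SAFE_PATH = re.compile(r"/[A-Za-z0-9/_.-]*\Z")
SAFE_TARGET = re.compile(r"[A-Z_]+(:[A-Za-z0-9_.-]+)?\Z")


def scoped_exclusions(audit_text, first_id=1000001):
    """One URI-scoped exclusion per distinct alert; first_id is a placeholder."""
    rules, seen = [], set()
    # Each transaction in the serial audit log ends with a "--<id>-Z--" line.
    for txn in re.split(r"(?m)^--\w+-Z--\s*$", audit_text):
        req = REQ_LINE.search(txn)
        if not req:
            continue
        # Drop the query string; lowercase to match the rule's t:lowercase.
        path = req.group(1).split("?", 1)[0].lower()
        for target, rule_id in MSG_LINE.findall(txn):
            key = (path, rule_id, target)
            # Log fields are client-influenced: refuse anything that could
            # break out of the quoted operator or action string.
            if key in seen or not SAFE_PATH.match(path) or not SAFE_TARGET.match(target):
                continue
            seen.add(key)
            rules.append(
                f'SecRule REQUEST_URI "@beginsWith {path}" '
                f'"id:{first_id + len(rules)},phase:1,t:none,t:lowercase,pass,nolog,'
                f'ctl:ruleRemoveTargetById={rule_id};{target}"'
            )
    return rules


if __name__ == "__main__":
    print("\n".join(scoped_exclusions(SAMPLE_AUDIT)))
```

Review each generated rule before loading it: the exclusion stops rule 950901 from inspecting `ARGS:request` under that path, while every other rule still inspects that argument and 950901 still inspects all other targets.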
