Colin, please try and include your whitelist.conf _after_ the owasp_crs.

Ahoj,

Christian

On Tue, Apr 26, 2016 at 06:34:33PM +0000, Colin MacAllister wrote:
> I have a cookie by the name of CFAUTHORIZATION_cfadmin which is triggering a
> SQL injection OWASP base rule. I have in the past successfully circumvented
> it with
>
> SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfadmin"
>
> I have this rule in a file called whitelist.conf, and this is being included
> in my modsecurity_iis.conf file:
>
> Include modsecurity.conf
> Include modsecurity_crs_10_setup.conf
> Include whitelist.conf
> Include owasp_crs\base_rules\*.conf
> #Include pbncustom.conf
>
> Modsecurity_iis.conf is being referred to as the base config file in the IIS
> directive in the application host file like this:
>
> <ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf" />
>
> But when I make a request, each of the HTTP GETs in a request triggers the
> warning about the CFAUTHORIZATION_cfadmin cookie. (The problem is that the
> value for the cookie has double quotes around it, which is as far as I know
> not changeable.)
>
> [client 127.0.0.1:51619] ModSecurity: Access denied with code 403 (phase 2). Pattern match
> "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at
> REQUEST_COOKIES:CFAUTHORIZATION_cfadmin.
>
> Does anyone know what might be going on here? I had some confusion about the
> SecRuleUpdateTargetByID directive, since some sources made Target plural, and
> some had it in singular – even in the same resource.
>
> Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

-- 
mailto:[email protected]
http://www.christian-folini.ch
twitter: @ChrFolini
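The ordering problem behind Christian's one-line answer, as an added example (not code from the thread, from ModSecurity or from the CRS project): SecRuleUpdateTargetById can only modify a rule that has already been loaded, so an exclusion in whitelist.conf included before the CRS base rules refers to a rule id that does not exist yet. The script below simulates the Include load order on a constructed in-memory file set (the CRS rule text, forward-slash paths and sorted wildcard expansion are assumptions) and reports every update that runs before its rule id has been defined.

```python
import fnmatch
import re

# Constructed sample configs mirroring the thread: whitelist.conf is included before
# the CRS base rules, so rule 981318 is not loaded yet when it is updated.
# Paths use forward slashes here; the real IIS config uses backslashes.
SAMPLE_FILES = {
    "modsecurity_iis.conf": (
        "Include modsecurity.conf\n"
        "Include whitelist.conf\n"
        "Include owasp_crs/base_rules/*.conf\n"
    ),
    "modsecurity.conf": "SecRuleEngine On\n",
    "whitelist.conf": 'SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfadmin"\n',
    # Stand-in for the CRS file defining the rule (constructed, not the real rule text).
    "owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf":
        'SecRule REQUEST_COOKIES|ARGS "@rx .*" "phase:2,id:981318,deny"\n',
}

# Corrected main file: the exclusion is loaded after the rule it modifies.
FIXED_MAIN = (
    "Include modsecurity.conf\n"
    "Include owasp_crs/base_rules/*.conf\n"
    "Include whitelist.conf\n"
)

INCLUDE = re.compile(r"^\s*Include\s+(\S+)", re.IGNORECASE)
UPDATE = re.compile(r"^\s*SecRuleUpdateTargetById\s+(\d+)", re.IGNORECASE)
RULE_ID = re.compile(r"\bid:'?(\d+)'?")

def check_order(files, main):
    """Walk Include directives in load order (wildcard matches taken in sorted
    order, an assumption) and return (file, rule_id) for every
    SecRuleUpdateTargetById that runs before that rule id has been defined."""
    seen, problems = set(), []

    def walk(name):
        for line in files[name].splitlines():
            inc = INCLUDE.match(line)
            if inc:  # recurse into included files, expanding wildcards
                pattern = inc.group(1).replace("\\", "/")
                for child in sorted(n for n in files if fnmatch.fnmatch(n, pattern)):
                    walk(child)
                continue
            upd = UPDATE.match(line)
            if upd and upd.group(1) not in seen:
                problems.append((name, upd.group(1)))
            seen.update(RULE_ID.findall(line))  # record ids as rules are defined

    walk(main)
    return problems
```

Running check_order on SAMPLE_FILES flags the update in whitelist.conf; swapping in FIXED_MAIN (CRS before whitelist) reports nothing.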
