Chaim,

Yes, your answer definitely helps. Some follow-up questions:

1 - When you say ARGS contains the "extracted contents" of the body, is this equivalent to the entire body? If not, what exactly are the "extracted contents"?
2 - If my content is XML and I have disabled the XML parser, will ARGS or XML:/* contain anything?
3 - If my content is JSON and I have disabled the JSON parser, will ARGS contain anything?
4 - Is there a JSON-equivalent to XML:/*?

Thanks,
Jai

On Mon, May 14, 2018 at 12:30 PM, Chaim Sanders <ch...@chaimsanders.com> wrote:

> Hey Jai,
> Great question, let me answer (FD) as best I can without looking at the
> underlying code.
> The pipe ('|') indicates that all of these collections should be searched
> independently. The XML collection is only filled when the XML
> requestbodyprocessor is enabled, currently this is done by default when the
> content-type matches
> (https://github.com/ivanr/MadSecurity/blob/master/modsecurity.conf-recommended#L22).
> In this case as I said, ARGS and
> ARGS_NAMES are also independently evaluated. The ARGS processor will
> contain the extracted contents of the body when x-www-form-urlencoded is
> used. Of course there are some cases where you may send other types (JSON
> for instance). However, reviewing the whole body would cause unneeded false
> positives typically. Let me know if that helps or if you have more concerns
> :)
>
> On Mon, May 14, 2018 at 12:39 PM Jai Harpalani <jai.harpal...@mulesoft.com>
> wrote:
>
>> Rules which include "XML:/*" are not evaluated against request bodies if
>> the bodies are not XML. Is this a deficiency? In the example below,
>> shouldn't the pattern be searched for in text bodies as well as XML bodies?
>> Is there a reason the search is limited to XML bodies?
>>
>> SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \
>>     "msg:'HTTP Request Smuggling Attack',\
>>     phase:request,\
>>     id:921110,\
>>     rev:'1',\
>>     . . .
>>
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> --
> Chaim Sanders
> http://www.ChaimSanders.com
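Added example, not part of the thread and not ModSecurity or CRS code: a simplified Python model of the behaviour Chaim describes, showing which of the targets `ARGS_NAMES|ARGS|XML:/*` receive data for a given Content-Type and therefore whether the visible part of rule 921110's pattern is ever tested against the body. The function names, the use of `text/xml` as the type that enables the XML processor, and the use of XML text nodes as a stand-in for `XML:/*` are assumptions; the sample bodies are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Only the part of rule 921110's pattern that is visible in the thread;
# the rest of the rule (including any transformations) is elided there.
PATTERN = re.compile(
    r"(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind"
    r"|propatch|mkcol|copy|move|lock|unlock)\s+"
)

def collections(content_type, body, query=""):
    """Simplified model of which rule targets are filled for one request."""
    pairs = parse_qsl(query, keep_blank_values=True)  # query string args
    xml_text = []
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        # Body is split into name/value pairs and URL-decoded into ARGS.
        pairs += parse_qsl(body, keep_blank_values=True)
    elif ctype == "text/xml":  # assumed trigger for the XML body processor
        try:
            xml_text = list(ET.fromstring(body).itertext())
        except ET.ParseError:
            xml_text = []  # model only: an unparsable body yields no nodes
    # Any other content type: no body processor, nothing from the body.
    return {
        "ARGS_NAMES": [name for name, _ in pairs],
        "ARGS": [value for _, value in pairs],
        "XML:/*": xml_text,
    }

def matched_targets(content_type, body, query=""):
    """Names of the targets in which the pattern is found, in rule order."""
    cols = collections(content_type, body, query)
    return [name for name, values in cols.items()
            if any(PATTERN.search(v) for v in values)]

# Constructed samples: the same marker string carried in three body types.
MARKER = "x\npost /a"
SAMPLES = {
    "application/x-www-form-urlencoded": "q=x%0Apost+%2Fa",
    "text/xml": "<r><q>x\npost /a</q></r>",
    "text/plain": MARKER,
}

if __name__ == "__main__":
    for ctype, body in SAMPLES.items():
        print(f"{ctype:36} -> {matched_targets(ctype, body) or 'no target filled'}")
```

In this model the `text/plain` body reaches none of the three targets, which is the coverage gap raised in the original question.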