Chaim,

Yes, your answer definitely helps. Some follow-up questions:

 1 - When you say ARGS contains the "extracted contents" of the body, is
this equivalent to the entire body? If not, what exactly are the "extracted
contents"?
 2 - If my content is XML and I have disabled the XML parser, will ARGS or
XML:/* contain anything?
 3 - If my content is JSON and I have disabled the JSON parser, will ARGS
contain anything?
 4 - Is there a JSON-equivalent to XML:/*?

Thanks,
Jai

On Mon, May 14, 2018 at 12:30 PM, Chaim Sanders <ch...@chaimsanders.com>
wrote:

> Hey Jai,
> Great question, let me answer (FD) as best I can without looking at the
> underlying code.
> The pipe ('|') indicates that all of these collections should be searched
> independently. The XML collection is only filled when the XML
> requestbodyprocessor is enabled; currently this is done by default when the
> content-type matches
> (https://github.com/ivanr/MadSecurity/blob/master/modsecurity.conf-recommended#L22).
> In this case as I said, ARGS and
> ARGS_NAMES are also independently evaluated. The ARGS processor will
> contain the extracted contents of the body when x-www-form-urlencoded is
> used. Of course there are some cases where you may send other types (JSON
> for instance). However, reviewing the whole body would cause unneeded false
> positives typically. Let me know if that helps or if you have more concerns
> :)
>
> On Mon, May 14, 2018 at 12:39 PM Jai Harpalani <jai.harpal...@mulesoft.com>
> wrote:
>
>> Rules which include "XML:/*" are not evaluated against request bodies if
>> the bodies are not XML. Is this a deficiency? In the example below,
>> shouldn't the pattern be searched for in text bodies as well as XML bodies?
>> Is there a reason the search is limited to XML bodies?
>>
>> SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \
>>     "msg:'HTTP Request Smuggling Attack',\
>>     phase:request,\
>>     id:921110,\
>>     rev:'1',\
>>      . . .
>>
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>
>
>
> --
> --
> Chaim Sanders
> http://www.ChaimSanders.com
>
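
The behaviour described in the quoted reply, as a small Python model (an added example, not part of the original thread and not ModSecurity's own code). It shows which of the rule's three targets a request body fills for each content type, and therefore which bodies the quoted pattern is ever run against. The function names, the set of XML content types, the text-content approximation of `XML:/*` and the sample bodies are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Pattern copied from the rule quoted in the thread (id 921110); the elided
# actions (transformations etc.) are not modelled.
SMUGGLING = re.compile(
    r"(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind"
    r"|propatch|mkcol|copy|move|lock|unlock)\s+"
)

XML_TYPES = {"text/xml", "application/xml"}  # assumption for this model


def build_collections(content_type, body, xml_processor=True):
    """Model which rule targets a request body fills (query string ignored)."""
    cols = {"ARGS_NAMES": [], "ARGS": [], "XML:/*": []}
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        for name, value in parse_qsl(body, keep_blank_values=True):
            cols["ARGS_NAMES"].append(name)
            cols["ARGS"].append(value)
    elif ctype in XML_TYPES and xml_processor:
        # Approximation of XML:/* : text content of the parsed document.
        cols["XML:/*"].append("".join(ET.fromstring(body).itertext()))
    # Any other body type fills none of the three targets.
    return cols


def matched_targets(content_type, body, xml_processor=True):
    """Search each collection independently, as the '|' in the rule does."""
    cols = build_collections(content_type, body, xml_processor)
    return [name for name, values in cols.items()
            if any(SMUGGLING.search(v) for v in values)]


# Constructed sample bodies, all carrying the same line-break + method text.
FORM = "a=1&b=x%0d%0aget+/index.html+"
XML = "<note><to>x\nget /index.html </to></note>"
TEXT = "x\r\nget /index.html "

if __name__ == "__main__":
    for ctype, body in [("application/x-www-form-urlencoded", FORM),
                        ("text/xml", XML), ("text/plain", TEXT)]:
        print(ctype, "->", matched_targets(ctype, body) or "not inspected")
    print("text/xml, processor off ->",
          matched_targets("text/xml", XML, xml_processor=False) or "not inspected")
```
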