There are many OWASP CRS rules which have XML in the list of operators, but not REQUEST_BODY. An example of one is below.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \ "phase:request,\ msg:'OS File Access Attempt',\ rev:'4',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\ block,\ id:930120,\ . . . This rule is searching for patterns specified in lfi-os-files.data. It is not using Xpath expressions. The XML operator will be empty for non-xml requests or when the xml parser is disabled. In these cases, wouldn't we still want to search the request body for patterns specified in lfi-os-files.data? Is there a reason that the patterns are only searched for in the request body for XML requests?
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set