There are many OWASP CRS rules which have XML in the list of operators, but
not REQUEST_BODY. An example of one is below.
SecRule
REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*
"@pmf lfi-os-files.data" \
"phase:request,\
msg:'OS File Access Attempt',\
rev:'4',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
block,\
id:930120,\
. . .
This rule is searching for patterns specified in lfi-os-files.data. It is
not using Xpath expressions. The XML operator will be empty for non-xml
requests or when the xml parser is disabled. In these cases, wouldn't we
still want to search the request body for patterns specified in
lfi-os-files.data? Is there a reason that the patterns are only searched
for in the request body for XML requests?
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
