[Owasp-modsecurity-core-rule-set] gwt-rpc form data parsing in modsecurity
Brian.Rectanus at breach.com
Mon May 3 17:29:10 EDT 2010
Moving this over to users list. See below...
On 05/03/2010 02:05 PM, Kevin Coward wrote:
> I have questions regarding the response to a previous response regarding
> content types supported by ModSecurity.
> �ModSecurity only supports HTTP form based and XML based RPC nativly[sic].
> However, if you have developers, you can add an extension to ModSecurity
> to parse about anything.�
> First, is the suggested mode of mod_security extension
> �configuration-based� or �code-/module-based�?
> Is it possible to �extend� the available types parsed by ModSecurity via
> configuration? (Candidate configuration rule follows):
Not currently. But plans are to extend Lua support to be able to do
this without compiled code.
> *# Parse requests with Content-Type "text/plain" as URLENCODED*
> *SecRule REQUEST_CONTENT_TYPE ^text/plain
How does that "extend" available type? You just want to parse that
particular type as URLENCODED? Then that should work provided you do it
> Finally, could the solution require something as involved as writing a
> custom Apache module defining a custom type of REQUESTBODY_PROCESSOR as
> an �operator� extension?
> I am ultimately trying to use mod_security to parse GWT-RPC form data to
> leverage existing core and custom rules.
The problem is that CRS will not specify the custom target, operator or
transformation no matter what you do.
> Any explicit guidance on this would be considered helpful.
Probably easiest to extend this as a target that produces a custom
collection (similar to how ARGS are produced now). Then your rules
could just be:
SecRule GWTRPC:fieldname ...
But this does not solve the CRS issue as CRS will not be looking at GWTRPC.
Best, would be to patch ModSecurity to add a new request body processor.
This would parse into ARGS and work with CRS existing rules, etc.
Currently this is not available as an extension, but it should be.
Perhaps a 2.6 feature to add (probably not that hard to add it) so that
you can write new body parsers.
If you are serious about adding GWT-RPC support, then I can work with
you on it and get the proper hooks into the 2.6 branch. It would be an
interesting addition to ModSecurity (even if only a custom extension for
More information about the Owasp-modsecurity-core-rule-set