[Owasp-modsecurity-core-rule-set] gwt-rpc form data parsing in modsecurity

[Brian Rectanus]

Moving this over to users list.  See below...

On 05/03/2010 02:05 PM, Kevin Coward wrote:
>  
> 
> I have questions regarding the response to a previous response regarding
> content types supported by ModSecurity.
> 
>  
> 
> �ModSecurity only supports HTTP form based and XML based RPC nativly[sic].
> 
> However, if you have developers, you can add an extension to ModSecurity
> to parse about anything.�
> 
>  
> 
> First, is the suggested mode of mod_security extension
> �configuration-based� or �code-/module-based�?

Code

> Is it possible to �extend� the available types parsed by ModSecurity via
> configuration? (Candidate configuration rule follows):

Not currently.  But plans are to extend Lua support to be able to do
this without compiled code.

> *# Parse requests with Content-Type "text/plain" as URLENCODED*
> 
> *SecRule REQUEST_CONTENT_TYPE ^text/plain
> nolog,pass,ctl:requestBodyProcessor=URLENCODED*

How does that "extend" available type?  You just want to parse that
particular type as URLENCODED?  Then that should work provided you do it
in phase:1.

> Finally, could the solution require something as involved as writing a
> custom Apache module defining a custom type of REQUESTBODY_PROCESSOR as
> an �operator� extension?
> 
>  
> 
> I am ultimately trying to use mod_security to parse GWT-RPC form data to
> leverage existing core and custom rules.

The problem is that CRS will not specify the custom target, operator or
transformation no matter what you do.

> Any explicit guidance on this would be considered helpful.

Probably easiest to extend this as a target that produces a custom
collection (similar to how ARGS are produced now).  Then your rules
could just be:

SecRule GWTRPC:fieldname ...

But this does not solve the CRS issue as CRS will not be looking at GWTRPC.

Best, would be to patch ModSecurity to add a new request body processor.
 This would parse into ARGS and work with CRS existing rules, etc.
Currently this is not available as an extension, but it should be.
Perhaps a 2.6 feature to add (probably not that hard to add it) so that
you can write new body parsers.

If you are serious about adding GWT-RPC support, then I can work with
you on it and get the proper hooks into the 2.6 branch.  It would be an
interesting addition to ModSecurity (even if only a custom extension for
now).

-B

-- 
Brian Rectanus
Breach Security