[Owasp-modsecurity-core-rule-set] ARGS working against PUT?

Brian Davis (bridavis) bridavis at cisco.com
Sat Mar 5 22:44:52 UTC 2016

We're testing ModSecurity against some easy XSS tests. We have a PUT REST Call in which we embed <script>alert(document.cookie)</script> into a text dialog box, which should be easily picked up by RuleID:973336, but for some reason it's not. debug_cache log says no match.

Does ARGS work on PUTs in addition to POST? Reference documentation only seems to mention POST.

Additionally, I tried to use the FULL_REQUEST target to see if that would help, but I'm getting an error: Error creating rule: Unknown variable: FULL_REQUEST, but SecRequestBodyAccess On is in mod_security.conf.

This seems to be a very simple test in which mod_security should catch this, but not such luck.

Any thoughts?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20160305/86671a7c/attachment.html>

More information about the Owasp-modsecurity-core-rule-set mailing list