[Owasp-modsecurity-core-rule-set] ARGS working against PUT?

Walter Hop modsec at spam.lifeforms.nl
Sun Mar 6 05:27:29 UTC 2016


ARGS should be working on PUT. I wasn’t able to reproduce this problem myself. Would it be possible for you to post the request headers to the mailing list?

I’m thinking maybe the client is not sending a "Content-Type: application/x-www-form-urlencoded" header, so ModSecurity might not be parsing the request body for arguments. But this is just a guess.

Cheers!
WH

> On 05 Mar 2016, at 23:44, Brian Davis (bridavis) <bridavis at cisco.com> wrote:
> 
> We’re testing ModSecurity against some easy XSS tests. We have a PUT REST Call in which we embed <script>alert(document.cookie)</script> into a text dialog box, which should be easily picked up by RuleID:973336, but for some reason it’s not. debug_cache log says no match.
> 
> Does ARGS work on PUTs in addition to POST? Reference documentation only seems to mention POST.
> 
> Additionally, I tried to use the FULL_REQUEST target to see if that would help, but I’m getting an error: Error creating rule: Unknown variable: FULL_REQUEST, but SecRequestBodyAccess On is in mod_security.conf.
> 
> This seems to be a very simple test in which mod_security should catch this, but no such luck.
> 
> Any thoughts?
> 
> Thanks,
> Brian
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp
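The point raised in the reply above, as an added illustration that is not code from the thread, from ModSecurity or from the CRS: this Python script models how the ARGS collection gets populated. Query-string parameters are always included regardless of method, while body parameters only appear when the request body is declared `application/x-www-form-urlencoded` and body access is on; the method (PUT vs. POST) plays no role. It also shows why a rule on REQUEST_BODY still sees the raw payload when the Content-Type is missing or is something else such as JSON. The regex is a deliberately simplified stand-in for a CRS XSS signature, and the request samples are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlencode, urlsplit

# Body content types that a ModSecurity 2.x-style engine turns into ARGS by
# default. JSON and other types are not parsed into ARGS without extra
# processor rules, so a rule targeting ARGS never sees their contents.
FORM_CONTENT_TYPES = {"application/x-www-form-urlencoded"}

# Simplified stand-in for a CRS XSS signature (constructed; not the real CRS regex).
XSS_SIGNATURE = re.compile(r"<\s*script\b", re.IGNORECASE)

# Test string from the thread, placed in a constructed form field named "comment".
PAYLOAD = "<script>alert(document.cookie)</script>"
FORM_BODY = urlencode({"comment": PAYLOAD})


def content_type(headers):
    """Return the media type of Content-Type, lower-cased, with parameters (charset) stripped."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return None


def collect_args(method, target, headers, body, request_body_access=True):
    """Model the ARGS collection.

    Query-string parameters are always present. Body parameters are added only
    when SecRequestBodyAccess is on *and* the body is declared form-encoded.
    `method` is accepted to make the point explicit: it is never consulted.
    """
    args = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if request_body_access and content_type(headers) in FORM_CONTENT_TYPES:
        args.update(parse_qsl(body, keep_blank_values=True))
    return args


def inspect(method, target, headers, body):
    """Return the set of variable targets on which the signature fires."""
    hits = set()
    for name, value in collect_args(method, target, headers, body).items():
        if XSS_SIGNATURE.search(value):
            hits.add(f"ARGS:{name}")
    # REQUEST_BODY carries the raw body whatever the content type; CRS rules
    # apply t:urlDecodeUni before matching, mirrored here with unquote_plus.
    if XSS_SIGNATURE.search(unquote_plus(body)):
        hits.add("REQUEST_BODY")
    return hits


def demo():
    """Run the constructed requests and report which targets would have matched."""
    cases = {
        "PUT, form-encoded": ("PUT", "/api/item/7",
                              {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
                              FORM_BODY),
        "POST, form-encoded": ("POST", "/api/item/7",
                               {"Content-Type": "application/x-www-form-urlencoded"},
                               FORM_BODY),
        "PUT, no Content-Type": ("PUT", "/api/item/7", {}, FORM_BODY),
        "PUT, JSON body": ("PUT", "/api/item/7",
                           {"Content-Type": "application/json"},
                           '{"comment": "%s"}' % PAYLOAD),
    }
    results = {label: inspect(*req) for label, req in cases.items()}
    for label, hits in results.items():
        print(f"{label:22s} -> {sorted(hits) or 'no match'}")
    return results


if __name__ == "__main__":
    demo()
```

Running it shows the PUT and POST form-encoded cases matching identically on `ARGS:comment`, while the requests without a form Content-Type match only on REQUEST_BODY. When debugging a "no match" in the debug log, comparing the ARGS collection against the actual Content-Type header is therefore the first check to make.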
