[Owasp-modsecurity-core-rule-set] XML Parsing Question
jai.harpalani at mulesoft.com
Mon May 14 20:38:50 UTC 2018
Yes, your answer definitely helps. Some follow-up questions:
1 - When you say ARGS contains the "extracted contents" of the body, is
this equivalent to the entire body? If not, what exactly are the "extracted
2 - If my content is XML and I have disabled the XML parser, will ARGS or
XML:/* contain anything?
3 - If my content is JSON and I have disabled the JSON parser, will ARGS
4 - Is there a JSON-equivalent to XML:/*?
On Mon, May 14, 2018 at 12:30 PM, Chaim Sanders <chaim at chaimsanders.com>
> Hey Jai,
> Great question, let me answer (FD) as best I can without looking at the
> underlying code.
> The pipe ('|') indicates that all of these collections should be searched
> independently. The XML collection is only filled when the XML
> requestbodyprocessor is enabled; currently this is done by default when the
> content-type matches (https://github.com/ivanr/MadSecurity/blob/master/
> modsecurity.conf-recommended#L22). In this case as I said, ARGS and
> ARGS_NAMES are also independently evaluated. The ARGS processor will
> contain the extracted contents of the body when x-www-form-urlencoded is
> used. Of course there are some cases where you may send other types (JSON
> for instance). However, reviewing the whole body would cause unneeded false
> positives typically. Let me know if that helps or if you have more concerns
> On Mon, May 14, 2018 at 12:39 PM Jai Harpalani <jai.harpalani at mulesoft.com>
>> Rules which include "XML:/*" are not evaluated against request bodies if
>> the bodies are not XML. Is this a deficiency? In the example below,
>> shouldn't the pattern be searched for in text bodies as well as XML bodies?
>> Is there a reason the search is limited to XML bodies?
>> SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|options|
>> "msg:'HTTP Request Smuggling Attack',\
>> . . .
> Chaim Sanders
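
One way to observe, on a test instance, which of the collections named in this thread are populated for a given Content-Type. This is an added example, not part of the original messages or of the CRS: the first rule is modelled on the Content-Type rule in the modsecurity.conf-recommended file linked above, and the rule ids 1000001-1000004 and the message strings are assumptions chosen for illustration.

```apache
# Added example; not part of the thread or the CRS. Rule ids are hypothetical.

# Phase 1: select the XML body processor from the Content-Type header
# (modelled on the rule in modsecurity.conf-recommended). The XML
# collection is only filled when this processor has been selected.
SecRule REQUEST_HEADERS:Content-Type "@rx (?:application(?:/soap\+|/)|text/)xml" \
    "id:1000001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

# Phase 2: report which of the three targets from the quoted rule
# (ARGS_NAMES|ARGS|XML:/*) hold data for this request. Each target gets
# its own rule so the log shows them separately.
# Note: ARGS and ARGS_NAMES also include query-string parameters, so send
# the test requests without a query string.
SecRule &ARGS_NAMES "@gt 0" \
    "id:1000002,phase:2,pass,log,msg:'ARGS_NAMES populated, count=%{MATCHED_VAR}'"

SecRule &ARGS "@gt 0" \
    "id:1000003,phase:2,pass,log,msg:'ARGS populated, count=%{MATCHED_VAR}'"

# Matches only if the XML processor ran and produced at least one
# node containing a non-whitespace character.
SecRule XML:/* "@rx \S" \
    "id:1000004,phase:2,pass,log,msg:'XML:/* populated'"
```

Send the same body as application/x-www-form-urlencoded, text/xml and text/plain, then compare which rule ids appear in the log for each request.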