[Owasp-modsecurity-core-rule-set] XML Parsing Question

Jai Harpalani jai.harpalani at mulesoft.com
Mon May 14 20:38:50 UTC 2018


Chaim,

Yes, your answer definitely helps. Some follow-up questions:

 1 - When you say ARGS contains the "extracted contents" of the body, is
this equivalent to the entire body? If not, what exactly are the "extracted
contents"?
 2 - If my content is XML and I have disabled the XML parser, will ARGS or
XML:/* contain anything?
 3 - If my content is JSON and I have disabled the JSON parser, will ARGS
contain anything?
 4 - Is there a JSON-equivalent to XML:/*?

Thanks,
Jai

On Mon, May 14, 2018 at 12:30 PM, Chaim Sanders <chaim at chaimsanders.com>
wrote:

> Hey Jai,
> Great question, let me answer (FD) as best I can without looking at the
> underlying code.
> The pipe ('|') indicates that all of these collections should be searched
> independently. The XML collection is only filled when the XML
> requestbodyprocessor is enabled; currently this is done by default when the
> content-type matches (https://github.com/ivanr/MadSecurity/blob/master/
> modsecurity.conf-recommended#L22). In this case, as I said, ARGS and
> ARGS_NAMES are also independently evaluated. The ARGS processor will
> contain the extracted contents of the body when x-www-form-urlencoded is
> used. Of course there are some cases where you may send other types (JSON
> for instance). However, reviewing the whole body would cause unneeded false
> positives typically. Let me know if that helps or if you have more concerns
> :)
>
> On Mon, May 14, 2018 at 12:39 PM Jai Harpalani <jai.harpalani at mulesoft.com>
> wrote:
>
>> Rules which include "XML:/*" are not evaluated against request bodies if
>> the bodies are not XML. Is this a deficiency? In the example below,
>> shouldn't the pattern be searched for in text bodies as well as XML bodies?
>> Is there a reason the search is limited to XML bodies?
>>
>> SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \
>>     "msg:'HTTP Request Smuggling Attack',\
>>     phase:request,\
>>     id:921110,\
>>     rev:'1',\
>>      . . .
>>
>
>
> --
> Chaim Sanders
> http://www.ChaimSanders.com
>
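The processor-selection mechanism discussed in this thread, as an added configuration example that is not part of the thread, of the CRS, or of modsecurity.conf-recommended: two phase-1 rules choose the request body processor from Content-Type (the same approach the recommended config takes), and a phase-2 rule then inspects the collections the thread talks about. The rule ids and the msg text are placeholders chosen for this example.

```apache
# Added example (not from the thread or the CRS). Rule ids 1000001-1000003
# and the msg text are placeholders.

# Body inspection is off unless this is enabled; with it off, neither ARGS
# (for form bodies) nor XML:/* is ever populated from the request body.
SecRequestBodyAccess On

# Phase 1 sees only the headers, so the processor can be chosen before the
# body is read. Without a ctl action like this, a non-form body is left
# unparsed: ARGS holds only query-string fields and XML:/* stays empty.
SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
    "id:1000001,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:requestBodyProcessor=XML"

# There is no JSON:/* collection. The JSON processor flattens the document
# into ARGS with dotted names (e.g. ARGS:json.user.name), so rules that
# already target ARGS cover JSON bodies once this processor is selected.
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
    "id:1000002,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:requestBodyProcessor=JSON"

# Phase 2 runs after the body has been parsed. Each target is evaluated
# independently: form fields and JSON values via ARGS/ARGS_NAMES, XML text
# nodes via XML:/*. t:urlDecodeUni turns %0d%0a in a form value into CR LF
# before the pattern is applied.
SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|proppatch|mkcol|copy|move|lock|unlock)\s+" \
    "id:1000003,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,log,\
    msg:'HTTP Request Smuggling Attack (example rule)'"
```

With this in place, a form-urlencoded body is reached through ARGS, an XML body through XML:/* (only because rule 1000001 selected the XML processor), and a JSON body through ARGS again via the JSON processor. A text/plain body matches none of the phase-1 rules and is therefore not inspected by rule 1000003, which is the behaviour the original question observed.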

