In mod_security, POST & "multipart/form-data" is not working

Time:06-05

I'd like to deny by POST & REQUEST_BODY string condition in mod_security (ModSecurity), but it fails with "multipart/form-data". Please help me...

Details

  • POST & "x-www-form-urlencoded" is not a problem (denied).

  • Of course, "SecRequestBodyAccess" is activated in conf.

  • Example rule.

SecRule REQUEST_BODY "server" "id:1234,phase:2,t:none,deny"

> The above sample excludes POST conditions.
  • Debug log ("multipart/form-data")
??????? Multipart: Added part header "Content-Disposition" "form-data; name=\"server\""
~~~
??????? Adding request argument (BODY): name "server", value "sample"
~~~
Starting phase REQUEST_BODY.

~~~
??????? SecRule REQUEST_BODY "@rx server" "id:1234,phase:2,t:none,deny"
??????? Rule returned 0. ---- Not found.
  • mod_security version: version 2 series.

  • I tried many other tests, but I have no idea.

CodePudding user response:

Even if this is a ModSecurity question and not an OWASP CRS question, I try to answer and help as CRS dev-on-duty: It is known that in ModSecurity the REQUEST_BODY variable is available only if the URLENCODED request body processor was used, which will occur by default when the application/x-www-form-urlencoded content type is detected.

See here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#request_body

So your solution to test for ARGS instead of REQUEST_BODY is a good solution.
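
The rule from the question next to an ARGS-based replacement, as an added example that is not part of the original thread. Rule id 1235, the status code and the msg text are assumptions chosen for illustration; the POST condition is added back as a chained rule.

```apache
# Original rule from the question, kept for comparison. REQUEST_BODY is only
# filled by the URLENCODED body processor, so it never matches a
# multipart/form-data POST.
#SecRule REQUEST_BODY "server" "id:1234,phase:2,t:none,deny"

SecRequestBodyAccess On

# Replacement (constructed; id 1235 and the msg text are placeholders).
# ARGS_POST holds the values of body parameters and ARGS_POST_NAMES their
# names, for both the URLENCODED and the MULTIPART body processor.
# The debug log in the question shows the field as name "server",
# value "sample", so the name collection is needed to match it.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1235,phase:2,t:none,deny,status:403,log,\
    msg:'POST body parameter matches blocked string',chain"
    SecRule ARGS_POST|ARGS_POST_NAMES "@rx server" "t:none"

# File parts of a multipart body are not in ARGS_POST; their field names and
# file names are exposed as FILES_NAMES and FILES if those need checking too.
```

With this rule loaded, the debug log for a multipart request carrying the "server" field should show a match on ARGS_POST_NAMES instead of "Rule returned 0".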
