I'd like to deny by a POST & REQUEST_BODY string condition in mod_security (ModSecurity). But it fails for "multipart/form-data". Please help me...
Details
POST & "x-www-form-urlencoded" is not a problem (denied).
Of course, "SecRequestBodyAccess" is activated in conf.
Example rule:
SecRule REQUEST_BODY "server" "id:1234,phase:2,t:none,deny"
> The above sample excludes POST conditions.
- Debug log ("multipart/form-data")
Multipart: Added part header "Content-Disposition" "form-data; name=\"server\""
~~~
Adding request argument (BODY): name "server", value "sample"
~~~
Starting phase REQUEST_BODY.
~~~
SecRule REQUEST_BODY "@rx server" "id:1234,phase:2,t:none,deny"
Rule returned 0. ---- Not found.
mod_security version: 2.x series.
I tried many other tests, but I have no idea.
CodePudding user response:
Even if this is a ModSecurity question and not an OWASP CRS question, I try to answer and help as CRS dev-on-duty: It is known that in ModSecurity the REQUEST_BODY variable is available only if the URLENCODED request body processor was used, which will occur by default when the application/x-www-form-urlencoded content type is detected.
See here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#request_body
So your solution to test for ARGS instead of REQUEST_BODY is a good solution.