Ryan Barnett | 1 Oct 16:07

Re: SecRule ARGS:

> -----Original Message-----
> From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Achim Hoffmann
> Sent: Monday, October 01, 2007 9:19 AM
> To: mod-security-users@lists.sourceforge.net
> Subject: [mod-security-users] SecRule ARGS:
> 
> how do we distinguish GET from POST variables in
>   SecRule ARGS:dirty getme
>   SecRule ARGS:dirty postme
> 
> (assuming that dirty is in the QUERY_STRING *and* the HTTP body)
> 
[Ryan Barnett] Yeah, this is a bit quirky to try and enforce these ARGS
to be only in either a QUERY_STRING or POST_PAYLOAD.  You essentially
have to check both locations.  This is how REMO rules accomplish this
issue.  If you want to enforce only allowing the "dirty" argument to be
allowed in the POST payload, then you can use a rule similar to this -

<Location /cgi-bin/foo.php>
# Rule 1: deny if "dirty" is named anywhere in the raw query string (the
# pattern is anchored to "^" or "&" so it is found even when it is not the
# first parameter, and "notdirty"/"dirtyx" do not trigger it)
SecRule QUERY_STRING "(?:^|&)dirty(?:[=&]|$)" \
    "phase:2,t:none,deny,id:1,status:501,severity:3,msg:'Postparameter dirty is present in query string. This is illegal.'"
# Rule 2: once the query string is ruled out, ARGS:dirty can only have come
# from the POST payload, so the parameter value is inspected here
# (rule ids must be unique within the configuration)
SecRule ARGS:dirty "^postme$" \
    "phase:2,t:none,deny,id:2,status:501,severity:3,msg:'Postparameter dirty matched.'"
</Location>

Conversely, if you want to only allow the "dirty" argument to be allowed
within the QUERY_STRING, you can use this -

<Location /cgi-bin/foo.php>
# Checking querystringparameter "dirty"
# Rule 1: deny if "dirty" is named anywhere in the raw (URL-encoded) POST body
SecRule REQUEST_BODY "(?:^|&)dirty(?:[=&]|$)" \
    "phase:2,t:none,deny,id:3,status:501,severity:3,msg:'Querystringparameter dirty is present in post payload. This is illegal.'"
# Rule 2: with the body ruled out, ARGS:dirty can only have come from the query string
SecRule ARGS:dirty "^getme$" \
    "phase:2,t:none,deny,id:4,status:501,severity:3,msg:'Querystringparameter dirty matched.'"
</Location>

> Am I correct that a POSTed dirty variable is not available in phase:2,
> but a GETed one is?
> 
[Ryan Barnett] ARGS in the QUERY_STRING data are available in both
phase:1 and phase:2, while ARGS in the REQUEST_BODY are only available
in phase:2. 
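As an added illustration (not part of this thread and not ModSecurity's own code), the following Python replays the two-rule construct described above: it merges GET and POST parameters the way the ARGS collection does, applies the raw-location check first, and shows why the pattern originally posted, "^dirty[=&]|^dirty$", only fires when dirty is the first parameter, whereas a pattern anchored on "^" or "&" catches it anywhere in the string. The function names (raw_has_param, merged_args, evaluate) and the sample requests are constructed for this example; the (?:...) grouping used here is also valid PCRE syntax, so the same pattern can be used in a SecRule.

```python
import re
from urllib.parse import parse_qs

# Pattern as posted in the thread: it only catches "dirty" when it is the
# FIRST parameter in the raw string (the "^" anchors pin it to the start).
POSTED_RE = re.compile(r"^dirty[=&]|^dirty$")

# Corrected pattern: "dirty" must be at the start or follow an "&", and must
# be followed by "=", "&" or the end of the string, so "notdirty=1" and
# "dirtyx=1" do not trigger it but "a=1&dirty=postme" does.
CORRECTED_RE = re.compile(r"(?:^|&)dirty(?:[=&]|$)")


def raw_has_param(raw, pattern=CORRECTED_RE):
    """True if the raw QUERY_STRING / REQUEST_BODY text names the parameter."""
    return pattern.search(raw) is not None


def merged_args(query_string, request_body):
    """Approximate ModSecurity's ARGS collection: GET and POST values together,
    duplicates kept (a name may appear in both locations)."""
    args = {}
    for raw in (query_string, request_body):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            args.setdefault(name, []).extend(values)
    return args


def evaluate(query_string, request_body, allowed_in="post"):
    """Replay the two-rule construct from the thread for parameter 'dirty'.

    allowed_in="post": rule 1 denies if 'dirty' is in the query string,
                       rule 2 denies if ARGS:dirty == 'postme'.
    allowed_in="get":  rule 1 denies if 'dirty' is in the request body,
                       rule 2 denies if ARGS:dirty == 'getme'.
    Returns the id of the first rule that would deny, or None.
    (Constructed helper for illustration; not ModSecurity's engine.)
    """
    if allowed_in == "post":
        forbidden_location, flagged_value = query_string, "postme"
    elif allowed_in == "get":
        forbidden_location, flagged_value = request_body, "getme"
    else:
        raise ValueError("allowed_in must be 'post' or 'get'")

    # Rule 1: the parameter must not appear in the disallowed raw location.
    if raw_has_param(forbidden_location):
        return 1
    # Rule 2: with rule 1 passed, any 'dirty' in ARGS came from the allowed
    # location, so ARGS:dirty can be inspected without ambiguity.
    if flagged_value in merged_args(query_string, request_body).get("dirty", []):
        return 2
    return None


if __name__ == "__main__":
    # Constructed sample requests (query string, URL-encoded body, allowed location)
    samples = [
        ("dirty=postme", "", "post"),
        ("a=1&dirty=postme", "", "post"),
        ("notdirty=1", "dirty=postme", "post"),
        ("", "a=1&dirty=getme", "get"),
    ]
    for qs, body, where in samples:
        raw = qs if where == "post" else body
        print(f"qs={qs!r} body={body!r} allowed_in={where}: "
              f"posted pattern fires={raw_has_param(raw, POSTED_RE)} "
              f"-> rule {evaluate(qs, body, where)}")
```

The second sample is the one that matters: with the posted pattern the query-string check does not fire for "a=1&dirty=postme", so the parameter slips into ARGS from the wrong location and rule 2 can no longer tell where it came from.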

