Question

在用于检测的mod安全性中，为请求体使用SecRule REQUEST_BODY启动一个动作：https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#REQUEST_BODY但是当尝试解析XML体内的Soap动作缓冲区时，它会处理它。

保留原始请求正文。仅当使用URLENCODED请求正文处理器时才会使用此变量，默认情况下，当检测到application / x-www-form-urlencoded内容类型时，或者强制使用URLENCODED请求正文解析器时，此变量将出现。

我试试这个：

SecRuleEngine on
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_BODY "<password>\w{0,5}<\/password>" "id:77777771,log,deny,msg:'Week password'"

在后缓冲区中：

POST / HTTP/1.1
...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Content-Length: 200

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
    <tns:authenticate xmlns:tns="http://.../">
      <password>abc</password>
      ...

如何检测SOAP数据的响应体并拒绝匹配expreg值？

Answer 1

我在https://serverfault.com/questions/727596/mod-security-how-to-process-text-xml-request-body

中找到了一个解决方案

SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,nolog,pass,ctl:requestBodyProcessor=URLENCODED,id:12345"
SecRule REQUEST_BODY "<password.*?>.{0,6}?</password>" "phase:2,t:none,deny,msg:'Very short password',status:403,auditlog,id:67890"

Mod Security - 使用xml请求正文

1 个答案: