SanitiseArg does not work in RequestBody #3089

This time without messed up markdown :)

Taken right from the docs: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#user-content-sanitiseArg

I want to sanitise two password fields in a POST body, but the rule is not working. I am on Ubuntu 22.04.03 LTS for testing and Apache 2.4.52.

I have defined five rules (one for each phase, for testing, although only phase 2 should be relevant) in my custom rules; see the waf_adaption attachment:

SecAction "auditlog,phase:2,id:131,sanitiseArg:password1,sanitiseArg:password2"

Logs and dumps

Output of:

See the attached files, also the modsecurity configuration.

To Reproduce

Steps to reproduce the behavior:

curl 'http://localhost/test' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Sec-Fetch-User: ?1' -H 'Origin: http://localhost' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data-raw $'password1=xyz&password2=test&inj=1\' or 1=1;--'

Expected behavior

I would expect that password1 and password2 are sanitised in the audit log when they appear in the request body.

Server (please complete the following information):

Rule Set (please complete the following information):

I added the configuration and log files as an attachment.

Add any other context about the problem here.

modsec_debug.log
modsec_audit.log
modsecurity.txt
security2.txt
waf_adaption.txt

Comments

Hi @Seppl2202, thanks for reporting. First of all I tried your

But I see in my log many other rules too, eg:

Note that I'm using CRS 4.0.0 (rc2), but I think the point is that I use that on PL4, therefore there are 2 rules which check the

Could you check your instance with a higher PL? Also: @dune73 could you take a look at this?

This sanitization stuff is so brittle. I do not know why it does not work for @Seppl2202, but I would not rule out the status 404 being the reason. Try to reproduce with a 200.

Just FYI: I also got 404.

I tried both with response

and

So @Seppl2202 could you check with higher PL?

Thanks for your tests, I will try to use CRS4 today or tomorrow.
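The expected behaviour in this issue is that the two password values never reach the audit log in clear text. The script below is an added example, not code from the issue thread or from the ModSecurity project: it parses a ModSecurity v2 native (serial) audit log, pulls the request body from part C of every transaction, and reports any transaction where a named sensitive parameter is not fully masked. It relies on the documented v2 behaviour that sanitised values are replaced by asterisks, and it only inspects bodies whose part B declares application/x-www-form-urlencoded, since that is the only body type sanitiseArg on ARGS can be checked against this way. The audit log text is constructed for the example (the transaction ids and timestamps are made up): the first transaction shows the expected masked output, the second shows the failure mode the reporter describes.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in ModSecurity v2 native audit log format. Transaction
# 0a1b2c3d is what the reporter expects (values masked with asterisks);
# transaction 4e5f6a7b reproduces the reported problem (values in clear text).
SAMPLE_AUDIT_LOG = """--0a1b2c3d-A--
[19/Dec/2023:10:00:00 +0100] ZYEXAMPLE0000000001 127.0.0.1 51234 127.0.0.1 80
--0a1b2c3d-B--
POST /test HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

--0a1b2c3d-C--
password1=***&password2=****&inj=1' or 1=1;--
--0a1b2c3d-F--
HTTP/1.1 404 Not Found
Content-Type: text/html

--0a1b2c3d-Z--

--4e5f6a7b-A--
[19/Dec/2023:10:00:05 +0100] ZYEXAMPLE0000000002 127.0.0.1 51236 127.0.0.1 80
--4e5f6a7b-B--
POST /test HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

--4e5f6a7b-C--
password1=xyz&password2=test&inj=1' or 1=1;--
--4e5f6a7b-F--
HTTP/1.1 404 Not Found
Content-Type: text/html

--4e5f6a7b-Z--
"""

# Part separator of the native format: --<transaction id>-<part letter>--
PART_HEADER = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")


def parse_audit_log(text):
    """Split a native-format audit log into {tx_id: {part_letter: body_text}}."""
    transactions = {}
    tx_id = part = None
    for line in text.splitlines():
        m = PART_HEADER.match(line)
        if m:
            tx_id, part = m.group(1), m.group(2)
            transactions.setdefault(tx_id, {}).setdefault(part, [])
            continue
        if tx_id is not None and part is not None:
            transactions[tx_id][part].append(line)
    return {tx: {p: "\n".join(lines).strip("\n") for p, lines in parts.items()}
            for tx, parts in transactions.items()}


def is_masked(value):
    """ModSecurity v2 replaces sanitised values with asterisks; anything else
    is treated as a leak. An empty value carries nothing to leak."""
    return value == "" or set(value) == {"*"}


def find_unsanitised(text, sensitive=("password1", "password2")):
    """Return (tx_id, parameter) pairs whose request-body value is logged in clear."""
    leaks = []
    for tx_id, parts in parse_audit_log(text).items():
        headers = parts.get("B", "")
        body = parts.get("C", "")
        # sanitiseArg acts on ARGS; only urlencoded bodies can be checked field by field here
        if not body or "application/x-www-form-urlencoded" not in headers.lower():
            continue
        args = parse_qs(body, keep_blank_values=True)
        for name in sensitive:
            for value in args.get(name, []):
                if not is_masked(value):
                    leaks.append((tx_id, name))
    return leaks


if __name__ == "__main__":
    for tx_id, name in find_unsanitised(SAMPLE_AUDIT_LOG):
        print(f"transaction {tx_id}: parameter {name!r} logged unsanitised")
```

Pointing `find_unsanitised` at a real modsec_audit.log (with the parameter names from the SecAction in the issue) turns the reporter's expectation into a repeatable check: an empty result means every urlencoded body in the log had both fields masked. The response status is deliberately ignored, so it will also flag the 404 transactions discussed in the comments.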