0
在mod安全检测并启动请求主体使用的动作SecRule REQUEST_BODY
:https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#REQUEST_BODY但尝试解析Soap动作的缓冲区在XML身体canot处理它。Mod安全 - 请求正文xml
保留原始请求正文。仅当使用URLENCODED请求正文处理程序时,此变量才可用,当检测到application/x-www-form-urlencoded内容类型时,或者强制使用URLENCODED请求正文解析程序时,该变量将默认发生。
我试试这个:
SecRuleEngine on
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_BODY "<password>\w{0,5}<\/password>" "id:77777771,log,deny,msg:'Week password'"
而且在发布缓存:
POST/HTTP/1.1
...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Content-Length: 200
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<tns:authenticate xmlns:tns="http://.../">
<password>abc</password>
...
如何检测SOAP数据的响应主体和否定匹配expreg价值?