Mod安全 - 请求正文xml

在mod安全检测并启动请求主体使用的动作SecRule REQUEST_BODY：https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#REQUEST_BODY但尝试解析Soap动作的缓冲区在XML身体canot处理它。Mod安全 - 请求正文xml

保留原始请求正文。仅当使用URLENCODED请求正文处理程序时，此变量才可用，当检测到application/x-www-form-urlencoded内容类型时，或者强制使用URLENCODED请求正文解析程序时，该变量将默认发生。

我试试这个：

SecRuleEngine on 
SecRequestBodyAccess On 
SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" 
SecRule REQUEST_BODY "<password>\w{0,5}<\/password>" "id:77777771,log,deny,msg:'Week password'"

而且在发布缓存：

POST/HTTP/1.1 
... 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Content-Type: text/xml; charset=utf-8 
SOAPAction: "" 
Content-Length: 200 

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> 
    <SOAP-ENV:Body> 
    <tns:authenticate xmlns:tns="http://.../"> 
     <password>abc</password> 
     ...

如何检测SOAP数据的响应主体和否定匹配expreg价值？

来源

2016-08-02 e-info128

我发现了一个soluition在https://serverfault.com/questions/727596/mod-security-how-to-process-text-xml-request-body

SecRequestBodyAccess On 
SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,nolog,pass,ctl:requestBodyProcessor=URLENCODED,id:12345" 
SecRule REQUEST_BODY "<password.*?>.{0,6}?</password>" "phase:2,t:none,deny,msg:'Very short password',status:403,auditlog,id:67890"

来源

2016-08-02 03:39:41

Mod安全 - 请求正文xml

回答

相关问题