apache - Using Regular Expression in updating an argument in Mod Security Core Ruleset OWASP
I ran into a problem with rule 981173
[msg "restricted sql character anomaly detection alert - total]
I am sending YouTube IDs to the database. The IDs have special characters like -, and I guess that is the reason the warning is raised.
I have been trying to exclude the $_POST key video[391][] from the rule, but 391 is a product ID, so it's not a fixed key. It can be video[500][] or alike.
I have tried
SecRuleUpdateTargetById 981173 !ARGS:video[*][]
but it isn't working. Any idea on how to exclude a dynamic $_POST key from the rule?
message: access denied code 403 (phase 2). pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" @ args_names:video[391][]. [file "/etc/httpd/crs-tecmint/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "restricted sql character anomaly detection alert - total # of special characters exceeded"] [data "matched data: ] found within args_names:video[391][]: video[391][]"] [ver "owasp_crs/2.2.9"] [maturity "9"] [accuracy "8"] [tag "owasp_crs/web_attack/sql_injection"]
I think it should be:
SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/^video\[.*\]\[\]/"
or, if the IDs are numeric, this:
SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/^video\[[0-9]*\]\[\]/"
See the regular expression example here: https://github.com/spiderlabs/modsecurity/wiki/reference-manual#secruleupdatetargetbyid
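To see how much each exclusion removes from rule 981173's coverage, the following added example (not part of the answer above, and not ModSecurity code) runs the answer's two patterns over constructed parameter names. It assumes Python's re behaves like the PCRE search ModSecurity performs on the parameter name; the "strict" pattern and the sample names are introduced here for illustration.

```python
import re

# Character class of CRS rule 981173, taken from the pattern in the log entry above.
SPECIALS = r"""[~!@#$%^&*()\-+={}\[\]|:;"'\u00b4\u2019\u2018`<>]"""
RULE_981173 = re.compile("(" + SPECIALS + ".*?){4,}")

# "any" and "numeric" are the answer's two patterns; "strict" is a variant added
# for this example (digits required, end anchored). As a directive it would read:
#   SecRuleUpdateTargetById 981173 "!ARGS_NAMES:/^video\[[0-9]+\]\[\]$/"
EXCLUSIONS = {
    "any": re.compile(r"^video\[.*\]\[\]"),
    "numeric": re.compile(r"^video\[[0-9]*\]\[\]"),
    "strict": re.compile(r"^video\[[0-9]+\]\[\]$"),
}

# Constructed parameter names, not taken from real traffic.
SAMPLE_NAMES = [
    "video[391][]",
    "video[500][]",
    "video[][]",
    "video[abc][]",
    "video[391][](a)(b)",  # expected prefix followed by extra characters
    "other[1][]",
    "title",
]


def excluded(name, which):
    """True if the exclusion regex would drop this ARGS_NAMES entry from the rule.

    Assumption: the regex is applied as an unanchored search, so only the
    anchors written in the pattern itself limit what it matches.
    """
    return EXCLUSIONS[which].search(name) is not None


def still_inspected(names, which):
    """Names rule 981173 would still flag once the chosen exclusion is applied."""
    return [n for n in names if not excluded(n, which) and RULE_981173.search(n)]


if __name__ == "__main__":
    for which in EXCLUSIONS:
        print(f"{which:8} -> {still_inspected(SAMPLE_NAMES, which)}")
```

Without a trailing `$`, both of the answer's patterns also exclude names that merely start with the expected key, and `[0-9]*` accepts an empty index.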