Closed jeremyjpj0916 closed 4 years ago
As noted by airween, ways to whitelist this issue:
```
# Stop rule 941130 from inspecting the XML body on matching URIs
SecRule REQUEST_URI "@rx /api/.*/pdr/clm/prices/.*" \
    "id:9XXXXX1,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941130;XML:/*"
```
OR
```
# Disable rule 941130 entirely on matching URIs
SecRule REQUEST_URI "@rx /api/.*/pdr/clm/prices/.*" \
    "id:9XXXXX1,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=941130"
```
Description
application/xml payload gets blocked: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/master/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf#L126
I don't necessarily think there will be a "fix" in this mother of all regexes perhaps. I suppose next steps are how to whitelist certain URI paths to drop this check on XML payloads. Would really like it if I can regex in the URI(*) and the check to exclude on a rule, something maybe like:
That could say for any environment (alpha/bravo/charlie/stage) etc in the URI path match on, and then remove the XML check for everything for that rule. Possible?
Audit Logs / Triggered Rule Numbers
Something like:
941130
Your Environment
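
A narrower form of the first exclusion above, written here as an added example (it is not code from the issue or from the CRS project). It assumes the environment name is a single path segment directly after `/api/`, that the file is loaded before the CRS rule files (for example from `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf`), and the rule id `10001` is a constructed placeholder.

```apache
# Scope of the exclusion, compared with the unanchored "@rx /api/.*/pdr/clm/prices/.*":
#   - REQUEST_FILENAME holds the path without the query string, so the
#     pattern cannot be satisfied by text placed after "?".
#   - "^" anchors the match at the start of the path, so a request such as
#     /other/api/x/pdr/clm/prices/y no longer qualifies.
#   - "[^/]+" allows exactly one path segment for the environment
#     (alpha, bravo, charlie, stage, ...) instead of ".*", which also
#     spans "/" and therefore any number of segments.
#     To allow only known environments, replace it with
#     (?:alpha|bravo|charlie|stage).
SecRule REQUEST_FILENAME "@rx ^/api/[^/]+/pdr/clm/prices/" \
    "id:10001,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    chain"
    # Second condition: only requests that declare an XML body.
    # ctl sits on the last rule of the chain so it runs only when
    # both conditions matched.
    SecRule REQUEST_HEADERS:Content-Type "@rx ^application/xml(?:;|\s|$)" \
        "t:lowercase,\
        ctl:ruleRemoveTargetById=941130;XML:/*"

# ruleRemoveTargetById removes only the XML:/* target from rule 941130.
# The rule keeps inspecting its other targets (arguments, cookies) on
# these paths, which ruleRemoveById=941130 would switch off as well.
```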