Closed syinwu closed 2 years ago
Now, in the coraza, if we have the below rule like this:
SecRule ARGS:Test1 "123" "id:3,phase:1,log,deny"
And, if we have the below request like this:
GET /test?Test1=123 HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/json
The rule will not deny this request, because coraza's rule compilation is case-insensitive. It converts Test1 in the rule into test1 and stores it in coraza. If the request parameter name is capitalized, it will cause false negatives.
So, how should we deal with this situation?
Should we handle all GET and POST arguments as lowercase?
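As an added example (not Coraza's code) of the mismatch described in this issue and one way to avoid it: a simplified Go ARGS lookup that keeps request keys as sent while the rule key is lowercased, beside a lookup that compares names case-insensitively. Using url.Values as the collection and hard-coding the rule ARGS:Test1 "123" are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// The request ARGS are modelled as url.Values, a constructed stand-in for a WAF
// ARGS collection (not Coraza's code); keys are kept as the client sent them.
func parseQueryArgs(rawQuery string) url.Values {
	vals, err := url.ParseQuery(rawQuery)
	if err != nil {
		return url.Values{}
	}
	return vals
}

// lookupExact reproduces the issue: the rule key was lowercased at compile
// time, but the stored request key kept its case, so "test1" misses "Test1".
func lookupExact(args url.Values, compiledKey string) []string {
	return args[compiledKey]
}

// lookupFold compares names case-insensitively, so "test1" also selects Test1 or TEST1.
func lookupFold(args url.Values, compiledKey string) []string {
	var out []string
	for k, v := range args {
		if strings.EqualFold(k, compiledKey) {
			out = append(out, v...)
		}
	}
	return out
}

// ruleMatches evaluates the issue's rule, SecRule ARGS:Test1 "123", with the
// selector key lowercased at "compile time" as the issue describes.
func ruleMatches(args url.Values, lookup func(url.Values, string) []string) bool {
	for _, v := range lookup(args, strings.ToLower("Test1")) {
		if v == "123" {
			return true
		}
	}
	return false
}

func main() {
	args := parseQueryArgs("Test1=123") // constructed request from the issue
	fmt.Println("exact lookup denies:", ruleMatches(args, lookupExact)) // false (false negative)
	fmt.Println("folded lookup denies:", ruleMatches(args, lookupFold)) // true
}
```

Folding on lookup rather than lowercasing the stored names keeps the original parameter name available for logging, which matters when a detection team later reviews the audit log.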
Are we still having this issue?
This issue is stale because it has been open for 30 days with no activity.