owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Sanitization issues when using part H #535

Open rcbarnett-zz opened 11 years ago

rcbarnett-zz commented 11 years ago

MODSEC-387: At one point there was another issue for this that was closed, but I can't view it anymore to find the details. The issue is that H is so much less noisy than K, and we would like to be able to use that option. The problem is that the sanitization doesn't properly run, and sensitive data ends up in the log files that we can't have there. I know that it works with K, but it would be really really nice to be able to use the H option to reduce noise.

rcbarnett-zz commented 11 years ago

Original reporter: abedra

fggillie commented 3 years ago

Hello,

Is there any estimate of when sanitising of part H will be implemented? For the moment all we can do to avoid sensitive data ending up in the logs is to remove part H when those attributes are present. It would be really nice to still have it :)

Thanks for all you are doing here!
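
The workaround described in the last comment, sketched as a ModSecurity configuration. This is an added example, not part of the thread or the project's own rules; the parameter names `password` and `card_number` and the rule ids are placeholders chosen for illustration.

```apache
# Added example: parameter names and rule ids below are placeholders.

# Audit log with part H (audit log trailer) and without the noisier part K.
SecAuditEngine RelevantOnly
SecAuditLogParts ABCFHZ

# Mask the sensitive parameters wherever sanitisation is applied.
# Per this issue, part H is not covered, so values can still surface there.
SecAction "id:900535,phase:1,pass,nolog,sanitiseArg:password"
SecAction "id:900536,phase:1,pass,nolog,sanitiseArg:card_number"

# Workaround from the thread: when a request carries one of the sensitive
# parameters, drop part H for that transaction only. Other transactions
# keep part H as configured above.
SecRule ARGS_NAMES "@rx ^(?:password|card_number)$" \
    "id:900537,phase:2,pass,nolog,ctl:auditLogParts=-H"
```

Transactions that match the last rule are logged without their trailer, so rule-match messages for those requests have to be read from another source.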