0

在 mod security 中检测并启动请求正文使用的操作SecRule REQUEST_BODYhttps ://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#REQUEST_BODY但是当尝试解析 XML 正文中的 Soap 操作缓冲区时无法处理它。

保存原始请求正文。此变量仅在使用 URLENCODED 请求正文处理器时可用,默认情况下将在检测到 application/x-www-form-urlencoded 内容类型时发生,或者如果强制使用 URLENCODED 请求正文解析器。

我试试这个:

SecRuleEngine on
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_BODY "<password>\w{0,5}<\/password>" "id:77777771,log,deny,msg:'Week password'"

在后缓冲区中:

POST / HTTP/1.1
...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Content-Length: 200

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
    <tns:authenticate xmlns:tns="http://.../">
      <password>abc</password>
      ...

如何检测 SOAP 数据的响应体并拒绝匹配 expreg 值?

4

1 回答 1

0

我在https://serverfault.com/questions/727596/mod-security-how-to-process-text-xml-request-body找到了一个解决方案

SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,nolog,pass,ctl:requestBodyProcessor=URLENCODED,id:12345"
SecRule REQUEST_BODY "<password.*?>.{0,6}?</password>" "phase:2,t:none,deny,msg:'Very short password',status:403,auditlog,id:67890"
于 2016-08-02T03:39:41.630 回答