ModSecurity-apache icon indicating copy to clipboard operation
ModSecurity-apache copied to clipboard

Published 20 hours ago verified publisher icon owasp-modsecurity

ModSecurity SecRequestBodyAccess Off still process the POST request

Open akefallonitis opened this issue 5 years ago • 0 comments
trafficstars

Even with REQUEST_BODY disabled ModSecurity starts phase 2 to check POST Data

[159835978570.134615] [xxxxx] [4] (Rule: 5040) Executing operator "Rx" with param "^/.+/(xx)?xxx/|^/.+/xxx/|^/.+/xml/" against REQUEST_FILENAME.
[159835978570.134615] [xxxxx] [4] Rule returned 1.
[159835978570.134615] [xxxxx] [4] Running (disruptive)     action: allow.
[159835978570.134615] [xxxxx] [4] Dropping the evaluation of upcoming rules in favor of an `allow' action of type: FromNowOn
[159835978570.134615] [xxxxx] [4] Starting phase REQUEST_BODY. (SecRules 2)
[159835978570.134615] [xxxxx] [4] Request body processing is disabled
[159835978570.134615] [xxxxx] [4] Starting phase REQUEST_BODY. (SecRules 2)

Even when explicit exclude the request (rule 5040 whitelisting) it keeps starting and checking REQUEST_BODY as shown in the above debug_log

akefallonitis avatar Aug 25 '20 12:08 akefallonitis