
Proposal to enforce requestBodyProcessor=URLENCODED via recommended rules

Open dune73 opened this issue 6 years ago • 0 comments

The bypass is obvious. An attacker omits the Content-Type header, ModSec does not know which request body processor to use, the attack goes undetected, the backend makes a guess at what to do with the request body, and bingo.

The upcoming CRS 3.1 includes an optional rule to enforce URLENCODED when no body processor is set:

# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
    "id:901350,\
    phase:1,\
    pass,\
    t:none,t:urlDecodeUni,\
    nolog,\
    noauditlog,\
    msg:'Enabling forced body inspection for ASCII content',\
    rev:'1',\
    ver:'OWASP_CRS/3.1.0',\
    chain"
    SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
        "ctl:requestBodyProcessor=URLENCODED"

However, this brings a behaviour change of the engine, and we would rather avoid that with CRS. Ideally this would be part of the recommended rules. It does not matter too much to us whether it is enabled by default or optional, but it would be helpful if we could refer to this rule in our documentation.

dune73 Jun 21 '18 11:06
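The gap the issue describes, and what rule 901350 changes, as an added example that is not code from ModSecurity or CRS: a small Python model of how the body processor is chosen from Content-Type, how the chained rule forces URLENCODED when no known processor is set, and a defender's check that lists requests whose body would reach the backend without any body-processor parsing. The Content-Type-to-processor mapping is an assumption based on ModSecurity's documented defaults plus the XML/JSON selection rules of the recommended configuration; the request samples at the bottom are constructed for this illustration.

```python
# Added example (not ModSecurity's or CRS's own code). Models body-processor
# selection and the effect of CRS rule 901350 on requests that omit or
# mislabel Content-Type. Mapping below is an assumption, not engine source.
import re
from urllib.parse import parse_qsl

# Assumed Content-Type -> body processor mapping (ModSecurity processor names).
_CT_TO_PROCESSOR = [
    (re.compile(r"^application/x-www-form-urlencoded", re.I), "URLENCODED"),
    (re.compile(r"^multipart/form-data", re.I), "MULTIPART"),
    (re.compile(r"^(?:application(?:/soap\+|/)|text/)xml", re.I), "XML"),
    (re.compile(r"^application/json", re.I), "JSON"),
]

# Same alternation the chained rule uses with "@rx".
_KNOWN = re.compile(r"(?:URLENCODED|MULTIPART|XML|JSON)")


def default_processor(headers):
    """Processor the engine would pick on its own; None when the request has
    no Content-Type or an unrecognised one. Header names are lower-cased."""
    ct = headers.get("content-type")
    if ct is None:
        return None
    for pattern, processor in _CT_TO_PROCESSOR:
        if pattern.search(ct):
            return processor
    return None


def enforced_processor(headers, enforce_bodyproc_urlencoded=1):
    """Rule 901350 in miniature: when TX:enforce_bodyproc_urlencoded is 1 and
    REQBODY_PROCESSOR is not one of the four known names (an empty value also
    fails the "!@rx" check), ctl:requestBodyProcessor=URLENCODED applies."""
    processor = default_processor(headers)
    if enforce_bodyproc_urlencoded == 1 and not _KNOWN.search(processor or ""):
        return "URLENCODED"
    return processor


def visible_args(headers, body, enforce_bodyproc_urlencoded=1):
    """ARGS a body-inspecting rule would get to see. Only the URLENCODED parse
    is modelled; the other processors are out of scope here and yield []."""
    if enforced_processor(headers, enforce_bodyproc_urlencoded) != "URLENCODED":
        return []
    return parse_qsl(body, keep_blank_values=True)


def blind_spots(requests, enforce_bodyproc_urlencoded=1):
    """Defender's check: labels of requests that carry a body no processor
    would parse, i.e. bodies that reach the backend uninspected."""
    return [label for label, headers, body in requests
            if body and enforced_processor(headers, enforce_bodyproc_urlencoded) is None]


# Constructed sample requests: (label, headers, raw body).
SAMPLE_REQUESTS = [
    ("form-with-content-type",
     {"content-type": "application/x-www-form-urlencoded"}, "user=alice&page=1"),
    ("json", {"content-type": "application/json"}, '{"user": "alice"}'),
    ("form-without-content-type", {}, "user=alice&page=1"),
    ("text-plain-body", {"content-type": "text/plain"}, "user=alice"),
    ("no-body", {}, ""),
]

if __name__ == "__main__":
    for enforce in (0, 1):
        print(f"enforce_bodyproc_urlencoded={enforce}: blind spots ->",
              blind_spots(SAMPLE_REQUESTS, enforce))
        for label, headers, body in SAMPLE_REQUESTS:
            print(f"  {label:28} processor={str(enforced_processor(headers, enforce)):11}"
                  f" args={visible_args(headers, body, enforce)}")
```

Running the block with the enforcement flag at 0 lists the two constructed requests (no Content-Type, and text/plain) whose bodies nobody parses; at 1 the list is empty because both are pushed through the URLENCODED processor and their `user=` parameter becomes an ARGS entry that rules can inspect. The same model also shows why the rule is a behaviour change rather than a pure hardening: a genuinely non-form body with an unknown Content-Type is now parsed as form data too, which is the trade-off the issue asks the recommended rules to own.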