ModSecurity
Modsecurity sees the HTTP "INVALID" method instead of "PATCH"
Hello,
I installed ModSecurity 2 on IIS 10 in reverse proxy with the OWASP CRS.
For the moment, the WAF works in DetectionOnly and therefore does not block anything. I authorized the HTTP PATCH method in crs-setup.conf, but I see that when the PATCH method is used, it is blocked by ModSecurity because PATCH is replaced by INVALID. The application works correctly, because IIS is authorized to use PATCH, and in the IIS logs it is correctly written as PATCH. I don't understand why ModSecurity receives INVALID.
Could you please help me?
Have a nice day,
KP
Hello @KernelPan1k ,
It looks like 'PATCH' is simply not supported as a method in the IIS code for ModSecurity:
https://github.com/SpiderLabs/ModSecurity/blob/199cf5da9172fe98e705237a296d633f115677c0/iis/mymodule.cpp#L947
Hello,
Thank you for your answer. The solution chosen for the moment is to identify the endpoints working with PATCH and to authorize the INVALID method for these endpoints only; I don't like that very much. Maybe you have another suggestion?
In any case, I thank you for your answer, and have a nice day.
Hi @KernelPan1k ,
I understand your discomfort; it is not exactly an ideal solution.
However, under the circumstances, I think your workaround is probably reasonable and I cannot think of a better one short of a code update.
I think you're wise, though, to limit that permissiveness to only the endpoints where it is required.
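The scoped workaround discussed above, written out as ModSecurity 2 configuration. This is an added example, not configuration from the thread or from the ModSecurity or CRS projects. It assumes CRS 3.x, where rule 900200 in crs-setup.conf sets `tx.allowed_methods` and rule 911100 in REQUEST-911-METHOD-ENFORCEMENT.conf rejects any request whose method is not in that list; the rule ids 10001/10002 and the path prefix `/api/v1/items` are placeholders to be replaced with the real PATCH endpoints.

```apache
# Added example (not from the thread). Scope the INVALID-method allowance to the
# PATCH endpoints only, instead of adding INVALID to the global method list.
#
# Assumptions: CRS 3.x; rule ids 10001 and 10002 are unused; the PATCH endpoints
# live under /api/v1/items (placeholder). Put these rules in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, which is loaded after
# crs-setup.conf (rule 900200 has already set the default tx.allowed_methods)
# and before REQUEST-911-METHOD-ENFORCEMENT.conf (rule 911100 checks it).

# For the PATCH endpoints only, overwrite the allowed-method list with the
# default list from crs-setup.conf plus INVALID (the value the IIS module reports
# for PATCH). Every other path keeps the restrictive default set by rule 900200.
SecRule REQUEST_URI "@beginsWith /api/v1/items" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PATCH INVALID'"

# Keep the exercised allowance visible in the ModSecurity log: record each
# request on those endpoints whose method arrived as INVALID, without blocking.
SecRule REQUEST_METHOD "@streq INVALID" \
    "id:10002,\
    phase:1,\
    pass,\
    t:none,\
    log,\
    msg:'Method reported as INVALID on PATCH endpoint (IIS module limitation)',\
    chain"
    SecRule REQUEST_URI "@beginsWith /api/v1/items"
```

The residual risk of this approach is that, on the scoped paths, any method the IIS module cannot map (not just PATCH) is also reported as INVALID and will therefore pass rule 911100; that is why the allowance is limited to a path prefix and why rule 10002 logs each such request, so the audit log shows how often the exception is actually being used.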