
Sanitize XML (same as #360 and #587)

Open touchweb-vincent opened this issue 2 years ago • 1 comments

Hello,

First, thank you for all you did and do. ModSecurity is a great project.

Like https://github.com/SpiderLabs/ModSecurity/issues/360 and https://github.com/SpiderLabs/ModSecurity/issues/587, we need to sanitize XML content.

After hours of searching and trying, it's a fail. So here I am to grab some help if there is a solution - or a workaround - we can pay for it if needed.

We use the native version of ModSecurity for Debian, so 2.9.3 on Buster and Bullseye.

This (xmlrpc.php for WordPress):

--90fbbb2d-C--
<?xml version="1.0"?><methodCall><methodName>wp.getOptions</methodName><params><param><value><i4>0</i4></value></param><param><value><string>root</string></value></param><param><value><string>my-password</string></value></param></params></methodCall>
--90fbbb2d-F--

Should be sanitized like this:

--90fbbb2d-C--
<?xml version="1.0"?><methodCall><methodName>wp.getOptions</methodName><params><param><value><i4>0</i4></value></param><param><value><string>root</string></value></param><param><value><string>***********</string></value></param></params></methodCall>
--90fbbb2d-F--

To reproduce in your tests: curl -X POST -H 'Content-Type: text/xml' -d '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>admin</string></value></param><param><value><string>my-password</string></value></param></params></methodCall>' https://your-link

It concerns as well SOAP transactions.

Here are some tries we did (which all failed):

SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'2100002',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

#SecRule XML:/string/text() "^(.)$" "id:1280007,phase:5,nolog,pass,sanitiseMatched"
#SecRule XML:string/text() "^(.)$" "id:1280008,phase:5,nolog,pass,sanitiseMatched"
#SecRule XML:string/text() "^(.)$" "id:1280009,phase:5,nolog,pass,sanitiseMatched"
#SecRule XML:string/ "^(.)$" "id:1280010,phase:5,nolog,pass,sanitiseMatched"
#SecRule XML:string "^(.*)$" "id:1280011,phase:5,nolog,pass,sanitiseMatched"

Thank you for your time.

Kind regards,

Vincent

touchweb-vincent avatar Aug 03 '22 07:08 touchweb-vincent

Hello @touchweb-vincent ,

The sanitization support for part C audit log output in ModSecurity v2 does not support dealing with XML request bodies.

One option for you is to remove the part C output from the audit log for cases where you think there may be sensitive content (ctl:auditLogParts=-C).

I did pass on your offer ("we can pay for it if needed") and I was told that payment-for-expedited implementation is not really something that we do.

martinhsv avatar Aug 15 '22 19:08 martinhsv
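Since ModSecurity v2 cannot sanitise XML bodies in part C, and dropping part C loses the request entirely, a practical middle ground is to scrub the audit log after it is written. The script below is an added example, not code from the poster, the maintainer or the ModSecurity project. It assumes the serial (single-file) audit log format with `--<id>-<part>--` section headers as shown in the issue, and it uses a hypothetical `PASSWORD_PARAM` table mapping XML-RPC method names to the position of their password parameter; the sample log it runs on is constructed for the example. Matching `<string>` values are replaced by the same number of asterisks, which is the output the issue asks for.

```python
"""Post-hoc scrubbing of part C in a ModSecurity v2 serial audit log.

Added example (not ModSecurity code): masks the password parameter of
WordPress XML-RPC calls after the log has been written, because the
sanitise* actions do not apply to XML request bodies in v2.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: zero-based position of the password parameter per method.
# wp.getUsersBlogs(username, password); wp.getOptions(blog_id, username, password).
PASSWORD_PARAM = {
    "wp.getUsersBlogs": 1,
    "wp.getOptions": 2,
}

# Serial audit log section header, e.g. "--90fbbb2d-C--" (id, part letter).
BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
PARAM_RE = re.compile(r"<param>(.*?)</param>", re.S)
STRING_RE = re.compile(r"(<string>)(.*?)(</string>)", re.S)


def mask_xmlrpc_body(body: str) -> str:
    """Return body with its password <string> masked, or unchanged if it is
    not a well-formed XML-RPC methodCall for a method in PASSWORD_PARAM."""
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return body                      # not XML (form-urlencoded, JSON, ...)
    if root.tag != "methodCall":
        return body
    idx = PASSWORD_PARAM.get(root.findtext("methodName", default="").strip())
    if idx is None:
        return body
    params = list(PARAM_RE.finditer(body))
    if idx >= len(params):
        return body
    p = params[idx]
    # Replace the value with the same number of '*' so the log keeps the
    # credential's length, as ModSecurity's own sanitise* actions do.
    # Entity-escaped characters such as &amp; count as their escaped length.
    masked = STRING_RE.sub(
        lambda m: m.group(1) + "*" * len(m.group(2)) + m.group(3), p.group(1))
    return body[:p.start(1)] + masked + body[p.end(1):]


def scrub_audit_log(log: str) -> str:
    """Walk a serial-format audit log and scrub every part C section,
    leaving all other parts byte-for-byte unchanged."""
    out, pending, in_c = [], [], False

    def flush():
        if pending:
            out.append(mask_xmlrpc_body("\n".join(pending)))
            pending.clear()

    for line in log.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            flush()
            in_c = m.group(2) == "C"
            out.append(line)
        elif in_c:
            pending.append(line)
        else:
            out.append(line)
    flush()
    return "\n".join(out) + "\n"


# Constructed sample log (part C copied from the issue, other parts invented).
SAMPLE_LOG = """--90fbbb2d-A--
[03/Aug/2022:07:08:00 +0000] YunAbcdefghijklmnopqrstuv 203.0.113.7 54321 198.51.100.9 443
--90fbbb2d-B--
POST /xmlrpc.php HTTP/1.1
Host: blog.example
Content-Type: text/xml

--90fbbb2d-C--
<?xml version="1.0"?><methodCall><methodName>wp.getOptions</methodName><params><param><value><i4>0</i4></value></param><param><value><string>root</string></value></param><param><value><string>my-password</string></value></param></params></methodCall>

--90fbbb2d-F--
HTTP/1.1 200 OK
Content-Type: text/xml

--90fbbb2d-Z--
"""

if __name__ == "__main__":
    print(scrub_audit_log(SAMPLE_LOG), end="")
```

Run it over a rotated audit log before shipping the file to long-term storage; requests for methods not listed in `PASSWORD_PARAM`, and non-XML bodies, pass through untouched, so extend the table for the SOAP operations you need to cover.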