API protection
LGMAM opened this issue · 1 comment
Hello,
Newbie here.
I have just installed this package to protect a SOAP API gateway. I am just loading the default rules, and if I send a SOAP request with obvious XSS content, the request progresses to the upstream without being blocked.
<item GUID="a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"/>
After a quick review of the rules in 42000_xss.json, it seems to me that some rules should block this request, unless the REQUEST_ARGS collection does not contain the request body, as per the comment in request.lua:
-- return a single table from multiple tables containing request data
-- note that collections that are not a table (e.g. REQUEST_BODY with
-- a non application/x-www-form-urlencoded content type) are ignored
Am I missing something? Should I just write some custom rules for this?
Thanks!
Luis
Hi,
Yes, likely you would need some custom rules. One thing to note is that the ModSecurity DSL (and thus this project) does not support nested XML well, so this may be challenging.
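To make the behaviour discussed in this thread concrete, here is an added illustration written for this page in Python; it is not code from lua-resty-waf, and it only models the REQUEST_ARGS merge described by the quoted request.lua comment. The SOAP envelope is constructed around the payload from the issue, the three regexes are stand-ins for 42000_xss.json rules, and the function names are hypothetical. It shows why the default rules see nothing (a string-valued REQUEST_BODY never enters REQUEST_ARGS), what a custom rule that scans the raw body would match instead, and one caveat for anyone tempted to parse the XML first: the quoted payload is not well-formed XML, so a strict parser rejects it and a parse-then-inspect rule would miss it.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed SOAP request wrapping the payload quoted in the issue (not a real capture).
SOAP_BODY = r'''<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <item GUID="a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);"/>
  </soap:Body>
</soap:Envelope>'''

# Stand-ins for a few XSS rule patterns (illustrative; not the real 42000_xss.json rule set).
XSS_PATTERNS = {
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "alert_call": re.compile(r"\balert\s*\(", re.I),
}


def parse_body(content_type, raw_body):
    """Form-urlencoded bodies become a dict (a 'table'); any other content
    type is left as the raw string, as the request.lua comment describes."""
    if content_type.split(";")[0].strip().lower() == "application/x-www-form-urlencoded":
        # First value per key is enough for this illustration.
        return {k: vs[0] for k, vs in parse_qs(raw_body, keep_blank_values=True).items()}
    return raw_body


def build_request_args(collections):
    """Model of REQUEST_ARGS: merge only table-like (dict) collections.
    A string REQUEST_BODY (e.g. text/xml) is silently ignored."""
    merged = {}
    for coll in collections.values():
        if isinstance(coll, dict):
            merged.update(coll)
    return merged


def find_xss(text):
    """Names of the stand-in XSS patterns that match the given string."""
    return sorted(name for name, pat in XSS_PATTERNS.items() if pat.search(text))


def is_well_formed_xml(raw_body):
    """True if a strict XML parser accepts the body; the issue's payload is rejected."""
    try:
        ET.fromstring(raw_body)
        return True
    except ET.ParseError:
        return False


def scan_request(content_type, uri_args, raw_body):
    body = parse_body(content_type, raw_body)
    request_args = build_request_args({"URI_ARGS": uri_args, "REQUEST_BODY": body})
    # What rules targeting REQUEST_ARGS see: only values that made it into the merge.
    args_hits = sorted({h for v in request_args.values() for h in find_xss(v)})
    # What a custom rule targeting the raw REQUEST_BODY string would see.
    raw_hits = find_xss(raw_body) if isinstance(body, str) else []
    return {
        "request_args_hits": args_hits,
        "raw_body_hits": raw_hits,
        "well_formed_xml": is_well_formed_xml(raw_body) if isinstance(body, str) else None,
    }


if __name__ == "__main__":
    # SOAP case: nothing in REQUEST_ARGS, three hits on the raw body, XML not well-formed.
    print(scan_request("text/xml", {}, SOAP_BODY))
    # Form case: the body is a table, so REQUEST_ARGS rules do match.
    print(scan_request("application/x-www-form-urlencoded", {}, "q=javascript%3Aalert(1)"))
```

The practical takeaway for a custom rule: target the raw body (REQUEST_BODY as a string) rather than REQUEST_ARGS for XML content types, and do not rely on XML parsing to surface attribute values, since attacker-controlled input need not be well-formed.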