p0pr0ck5/lua-resty-waf

API protection

LGMAM opened this issue · 1 comments

LGMAM commented

Hello,

Newbie here.

I have just installed this package to protect a SOAP API gateway. I am just loading the default rules and if I send a SOAP request with obvious XSS content, the request is progressing to the upstream without being blocked.

<item GUID="a=&quot;get&quot;;b=&quot;URL(\&quot;&quot;;c=&quot;javascript:&quot;;d=&quot;alert('XSS');\&quot;)&quot;;eval(a+b+c+d);"/>

After a quick review of the rules in 42000_xss.json, it seems to me that some rules should block this request, unless the REQUEST_ARGS collection does not contain the request body, as per the comment in request.lua

-- return a single table from multiple tables containing request data
-- note that collections that are not a table (e.g. REQUEST_BODY with
-- a non application/x-www-form-urlencoded content type) are ignored

Am I missing something? Should I just write some custom rules for this?

Thanks!
Luis

Hi,

Yes, likely you would need some custom rules. One thing to note is that ModSecurity DSL's (and thus, this project's) coverage of nested XML is not well supported, so this may be challenging.
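An added example, not code from lua-resty-waf or from either commenter, illustrating the gap described in this thread: a form-only argument collection sees nothing in the SOAP body, while a check that walks the XML attributes does flag the GUID value. The SOAP envelope, the content-type list and the XSS indicator patterns are constructed here for illustration and are not the project's 42000_xss rules.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample: the <item> from the issue, wrapped in a SOAP envelope.
SOAP_BODY = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<item GUID="a=&quot;get&quot;;b=&quot;URL(\\&quot;&quot;;c=&quot;javascript:&quot;;'
    'd=&quot;alert(\'XSS\');\\&quot;)&quot;;eval(a+b+c+d);"/>'
    '</s:Body></s:Envelope>'
)

# Assumed XSS indicators for this illustration (not the project's rule patterns).
XSS_PATTERNS = [re.compile(p, re.I) for p in
                (r"javascript\s*:", r"\beval\s*\(", r"\balert\s*\(", r"<\s*script")]

XML_TYPES = ("text/xml", "application/xml", "application/soap+xml")  # assumed list

def form_args(body, content_type):
    """Mimic a REQUEST_ARGS-style collection: only a form-encoded body contributes."""
    base = content_type.split(";")[0].strip().lower()
    if base != "application/x-www-form-urlencoded":
        return {}
    return parse_qs(body)

def xml_values(body):
    """Flatten an XML body into (location, value) pairs: attributes and element text.
    The parser decodes &quot; entities, so the GUID value is scanned in its real form."""
    out = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        for name, val in elem.attrib.items():
            out.append((f"{here}@{name}", val))
        if elem.text and elem.text.strip():
            out.append((here, elem.text.strip()))
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(body), "")
    return out

def scan(values):
    """Return (location, pattern) for every indicator that matches a value."""
    return [(loc, pat.pattern) for loc, val in values
            for pat in XSS_PATTERNS if pat.search(val)]

def inspect(body, content_type):
    """Scan form arguments, then also the XML tree when the body is XML."""
    base = content_type.split(";")[0].strip().lower()
    values = [(k, v) for k, vs in form_args(body, content_type).items() for v in vs]
    if base in XML_TYPES:
        values += xml_values(body)
    return scan(values)
```

With the SOAP content type, `form_args` yields nothing, which is why the default rules never see the payload; `inspect` only flags it because `xml_values` exposes the attribute.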