0
在mod安全檢測並啓動請求主體使用的動作SecRule REQUEST_BODY
:https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#REQUEST_BODY但嘗試解析Soap動作的緩衝區在XML身體canot處理它。Mod安全 - 請求正文xml
保留原始請求正文。僅當使用URLENCODED請求正文處理程序時,此變量纔可用,當檢測到application/x-www-form-urlencoded內容類型時,或者強制使用URLENCODED請求正文解析程序時,該變量將默認發生。
我試試這個:
SecRuleEngine on
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_BODY "<password>\w{0,5}<\/password>" "id:77777771,log,deny,msg:'Week password'"
而且在發佈緩存:
POST/HTTP/1.1
...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Content-Length: 200
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<tns:authenticate xmlns:tns="http://.../">
<password>abc</password>
...
如何檢測SOAP數據的響應主體和否定匹配expreg價值?