Ensure that all rules with ARGS also consider XML:* #1227

Closed
CRS-migration-bot opened this issue May 13, 2020 · 12 comments
Labels
⌛ Stale issue This issue has been open 120 days with no activity. 👍 Feature Request 🥇 good first issue Good for newcomers

Comments

Issue originally created by user csanders-git on date 2018-11-05 19:47:02.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#1227.

Type of Issue

Feature Request

Description

In general we'd like to have XML considered for all rules where it is evaluated. This can be done by adding the TARGET of XML:* to the rules. But we need to be careful to ensure that only the rules that need it get it. Starting with rules that have ARGS is a good start.

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@CRS-migration-bot CRS-migration-bot added 👍 Feature Request 🥇 good first issue Good for newcomers ⌛ Stale issue This issue has been open 120 days with no activity. labels May 13, 2020
User spartantri commented on date 2018-11-05 19:56:33:

I think that XML:/* would be the equivalent for XML to ARGS in URLENCODED, so it makes sense to have them together by default

User danehrlich1 commented on date 2019-01-22 23:30:28:

Taking this issue. I think I understand it, and if that's the case, I'll have it done in two weeks...testing for a cert this weekend or would have it all sooner :)

User dune73 commented on date 2019-01-23 20:59:03:

Looking forward to that! Thanks.

User danehrlich1 commented on date 2019-02-12 03:26:54:

Does someone have an example of what this rule would look like? The only way I can see to specifically target XML coming in is to check the Headers. E.g.:

SecRule REQUEST_HEADERS:Content-Type ^text/xml ?

or maybe

SecRule ARGS|XML:/* blahblahblah id:2000 ?

I actually don't see a mention of XML:/* anywhere in the documentation I'm looking at, although it is for 2.9.

User danehrlich1 commented on date 2019-02-12 03:29:02:

dune73 Just look at this comment:

Actually, I think this is the answer.

Anything that has the word ARGS after SecRule should, if it doesn't right now, have |XML:/* appended to it?

E.g. like the following rule:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \

User dune73 commented on date 2019-02-12 16:10:17:

Could you guys please support danehrlich1? I'm overly busy at the moment.

User danehrlich1 commented on date 2019-02-15 00:56:49:

spartantri Can you look at my comment really quickly? Think I am correct but just want someone to double check.

User spartantri commented on date 2019-02-15 14:44:15:

Hi danehrlich1, it may be better to discuss this in Slack, but basically, this one is to add XML:/* to all SecRules that have ARGS as targets of the rule.
You may find all targets by running the command below on the rule set directory:
egrep -o "SecRule [^[:space:]]*ARGS[^[:space:]]* " * | grep -v "XML:"
You may find rules that do check both ARGS and XML by removing the -v from the previous command:
egrep -o "SecRule [^[:space:]]*ARGS[^[:space:]]* " * | grep "XML:"
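
Added example, not part of the original thread or the CRS project's tooling: a stricter version of the audit described in the comment above, reporting file and line for each rule that inspects ARGS but has no XML: target. It assumes rule files end in .conf and that the variable list sits on the same line as SecRule; it counts only ARGS or ARGS:selector (not ARGS_NAMES) and ignores `!` exclusions and `&` counts. The function names and the sample rules are constructed for illustration.

```shell
# Write a small constructed rule file into directory $1 (sample data only).
make_sample_rules() {
    cat > "$1/sample.conf" <<'EOF'
SecRule ARGS_NAMES|ARGS|XML:/* "@detectSQLi" "id:100001,phase:2,pass"
SecRule REQUEST_COOKIES|ARGS "@detectSQLi" "id:100002,phase:2,pass"
SecRule ARGS_NAMES "@rx foo" "id:100003,phase:2,pass"
SecRule REQUEST_HEADERS:User-Agent|!ARGS:skip "@rx bar" "id:100004,phase:2,pass"
# SecRule ARGS "@rx commented-out" "id:100005,phase:2,pass"
EOF
}

# Print "file:line: targets" for every SecRule in $1/*.conf whose target
# list includes ARGS as a positive target but no XML: target.
audit_args_without_xml() {
    awk '
        # Match SecRule directives, including indented chained rules.
        # Lines starting with "#" never match, so comments are skipped.
        /^[ \t]*SecRule[ \t]/ {
            targets = $2                      # variable list, no spaces
            n = split(targets, t, "|")
            has_args = 0; has_xml = 0
            for (i = 1; i <= n; i++) {
                # "!ARGS:foo" removes a target and "&ARGS" only counts,
                # so neither means the rule inspects argument values.
                if (t[i] ~ /^[!&]/) continue
                if (t[i] == "ARGS" || t[i] ~ /^ARGS:/) has_args = 1
                if (t[i] ~ /^XML:/) has_xml = 1
            }
            if (has_args && !has_xml) print FILENAME ":" FNR ": " targets
        }
    ' "$1"/*.conf
}
```

Each reported rule still needs a manual decision, since the issue asks that only the rules that need XML:/* get it.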

User fzipi commented on date 2019-10-05 12:35:30:

danehrlich1 Did you make any progress with this? Do you need more help/advice?

User github-actions[bot] commented on date 2020-02-03 00:01:26:

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

User dune73 commented on date 2020-02-11 13:51:53:

lifeforms volunteered to fix this issue during the monthly CRS chat.

Meeting minutes: SpiderLabs/owasp-modsecurity-crs#1671 (comment)

User dune73 commented on date 2020-03-02 15:07:23:

lifeforms: Any update here?
