Could not use equal sign in xpath expression

[dennus]

E.g.:

SecRule XML://tag1/*[local-name()='some-tag']
"@pm ..\ ../"
"phase:request,
msg:'Path Traversal Attack (/../)',
id:77113,
ver:'OWASP_CRS/3.0.0',
rev:'1',
maturity:'9',
accuracy:'7',
multiMatch,
t:base64Decode,
block,
severity:CRITICAL,
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',
capture,
tag:'application-multi',
tag:'language-multi',
tag:'platform-multi',
tag:'attack-lfi',
tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',
setvar:'tx.msg=%{rule.msg}',
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},
setvar:tx.lfi_score=+%{tx.critical_anomaly_score},
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

Error occured when nginx start:
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /var/rules/rules.conf. Line: 1. Column: 48. Expecting a variable, got: : ='some-$

[zimmerle]

Hi @dennus,

Do you mind to inform us more details of your ModSecurity? What is the version that you are working with?

[dennus]

Hello, I'm using Modsecurity v. 3.0.3

[airween]

I think this is a similar issue:

SecRule ARGS:/^=/ "@rx foo" ...

The error message:

... Expecting a variable, got:  :  =/ ...

so I will not open any new issue.

[martinhsv]

These are similar issues, but the workaround situation is different.

@airween ,

For your case, a reliable workaround should be to use a character class:

SecRule ARGS:/^[=]/ "@rx foo" ...

@dennus ,

For XPATH, in a recent case that I encountered, using contains() instead of an equality operator proved a reasonable substitute. This may not be sufficient in all cases, however.

[airween]

For your case, a reliable workaround should be to use a character class:

SecRule ARGS:/^[=]/ "@rx foo" ...

thanks