API protection #313

Open
LGMAM opened this issue Nov 28, 2018 · 1 comment

LGMAM commented Nov 28, 2018

Hello,

Newbie here.

I have just installed this package to protect a SOAP API gateway. I am just loading the default rules and if I send a SOAP request with obvious XSS content, the request is progressing to the upstream without being blocked.

```xml
<item GUID="a=&quot;get&quot;;b=&quot;URL(\&quot;&quot;;c=&quot;javascript:&quot;;d=&quot;alert('XSS');\&quot;)&quot;;eval(a+b+c+d);"/>
```

After a quick review of the rules in 42000_xss.json, it seems to me that some rules should block this request, unless the REQUEST_ARGS collection does not contain the request body, as per the comment in request.lua

```lua
-- return a single table from multiple tables containing request data
-- note that collections that are not a table (e.g. REQUEST_BODY with
-- a non application/x-www-form-urlencoded content type) are ignored
```

Am I missing something? Should I just write some custom rules for this?

Thanks!
Luis

p0pr0ck5 (Owner) commented

Hi,

Yes, likely you would need some custom rules. One thing to note is that ModSecurity DSL's (and thus, this project's) coverage of nested XML is not well supported, so this may be challenging.
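The two posts above turn on one detail: for a SOAP request the body is not `application/x-www-form-urlencoded`, so REQUEST_BODY stays a string rather than a table and never reaches the REQUEST_ARGS collection the 42000 rules match on. A custom rule against REQUEST_BODY sees only the raw, entity-encoded bytes. The following is an added example, written here for this page and not code from lua-resty-waf or from either participant; it is in Python rather than the project's Lua to keep it self-contained, and both SOAP bodies are constructed for the illustration. It contrasts a raw-body regex scan (what a REQUEST_BODY rule would do) with a scan over the attribute and text values an XML parser produces, using three signatures in the spirit of the 42000 rule set (the pattern names `javascript_uri`, `eval_call` and `alert_call` are this example's own labels):

```python
import re
import xml.etree.ElementTree as ET

# Constructed SOAP body carrying the GUID payload quoted in the issue.
BODY_FROM_ISSUE = r"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <item GUID="a=&quot;get&quot;;b=&quot;URL(\&quot;&quot;;c=&quot;javascript:&quot;;d=&quot;alert('XSS');\&quot;)&quot;;eval(a+b+c+d);"/>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed variant: same intent, but the first byte of each keyword is a
# numeric character reference, so the raw bytes never spell "javascript:".
BODY_ENCODED = r"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <note>&#x6a;avascript:&#x61;lert(1)</note>
  </soapenv:Body>
</soapenv:Envelope>"""

# Hypothetical signatures modelled on the kind of checks in 42000_xss.json;
# a real rule set is far larger, these three are enough to show the gap.
XSS_PATTERNS = [
    ("javascript_uri", re.compile(r"javascript:", re.IGNORECASE)),
    ("eval_call", re.compile(r"\beval\s*\(", re.IGNORECASE)),
    ("alert_call", re.compile(r"\balert\s*\(", re.IGNORECASE)),
]


def scan_value(value):
    """Return the names of every signature that fires on one string."""
    return [name for name, rx in XSS_PATTERNS if rx.search(value)]


def scan_raw_body(body):
    """What a rule targeting REQUEST_BODY sees: the undecoded request bytes."""
    return scan_value(body)


def xml_values(body):
    """Yield (location, value) for every attribute and non-blank text node.

    The XML parser resolves &quot; and &#x..; references, so the values are
    what a browser or downstream XML consumer would actually act on.
    """
    root = ET.fromstring(body)
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            yield f"{elem.tag}@{attr}", value
        if elem.text and elem.text.strip():
            yield elem.tag, elem.text.strip()


def scan_xml_body(body):
    """Apply the signatures to decoded XML values; map location -> hits."""
    hits = {}
    for location, value in xml_values(body):
        matched = scan_value(value)
        if matched:
            hits[location] = matched
    return hits


if __name__ == "__main__":
    for label, body in (("issue payload", BODY_FROM_ISSUE), ("encoded payload", BODY_ENCODED)):
        print(label)
        print("  raw REQUEST_BODY scan:", scan_raw_body(body))
        print("  decoded XML value scan:", scan_xml_body(body))
```

For the payload from the issue the raw scan already fires, since `javascript:`, `eval(` and `alert(` appear literally in the attribute; a custom rule on REQUEST_BODY would have blocked that request. The encoded variant shows why the owner calls nested XML challenging: the raw scan returns nothing, and only the parsed values expose the payload. If you add body inspection of this kind in front of a SOAP gateway, parse with a hardened XML parser that rejects DOCTYPE and external entities and cap the body size before parsing, since the WAF itself becomes the target of XML bombs otherwise.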
