mod_security - How to process text/xml request_body

Question

I'm trying to process REQUEST_BODY of web request, which has Content-Type: text/xml and some XML inside it. Let say I have the following request:

curl -v -d
"
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
    <value>
      <struct>
        <member>
          <name>SomeName</name>
          <value>SomeValue</value>
        </member>
      </struct>
    </value>
</methodResponse>
"
-H "Content-Type:text/xml" http://gryzli.info/some_url.php

What I need is to be able to match the REQUEST_BODY against "SomeName" or "SomeValue" as plain text string.

I have already tried the following things:

1. Trying to match on phase 2, with following keywords:

SecRule REQUEST_BODY "SomeValue" "phase:2, ....."  - No success

SecRule FULL_REQUEST "SomeValue" "phase:2, ....."  - No success

SecRule ARGS         "SomeValue" "phase:2, ....."  - No success

2. In addition to the rules above, I tried to activate these rules in different combinations:

SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,id:100000,t:lowercase,nolog,pass, ctl:requestBodyProcessor=MULTIPART"

OR

SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,id:100000,t:lowercase,nolog,pass, ctl:requestBodyProcessor=URLENCODED"

OR

SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,id:100000,t:lowercase,nolog,pass, ctl:forceRequestBodyVariable=On"

Again - without success.

The real question:

Does anybody know how to match a simple plain text string inside REQUEST_BODY when my client request is of Content-Type: text/xml ?

Also I prefer to NOT use the XML engine, which can parse my XML, because I expect large performance penalty of doing this.

score 2 · Accepted Answer · answered Oct 13 '15 at 11:31

Finally, I found the answer for matching a plaintext value in XML content-type, here is the example:

SecRequestBodyAccess On

SecRule         REQUEST_HEADERS:Content-Type    "text/xml"              "phase:1, nolog,pass,ctl:requestBodyProcessor=URLENCODED, id:2222"

SecRule         REQUEST_BODY                    "some_bad_string"          "phase:2, t:none, deny,msg:'Matched some_bad_string', status:500,auditlog, id:3333"

Here is what it does:

In "phase:1" (REQUEST_HEADERS phase), match if the Content-Type is "text/xml:". If yes, then change the body processing engine to "URLENCODED"
In "phase:2" (REQUEST_BODY phase), match upon the plaintext string "some_bad_string" and block the request with status code: 500.

mod_security - How to process text/xml request_body

1 Answers1