I am trying to create a ModSecurity rule which needs to block a request when a parameter doesn't meet a certain regex.
Let's take an email regex as an example: (^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)
and for the parameter: email
location of the page (needs to be included in the rule): /signup.php
What I tried (but I assume is not correct at all):

SecRule REQUEST_URI "@contains signup.php" "id:1,t:none,block,chain"
SecRule ARGS:email "!@rx wtvr" "t:none"

So if someone posts a GET request like: "/signup.php?email=alert..." it will be blocked.

yoano

1 Answer

I've found a possible solution:

SecRule REQUEST_URI "@contains signup.php" "id:1,phase:2,log,deny,status:503,msg:'custom email hack detected',chain"
SecRule ARGS:email "!@rx (^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)" "t:none"
yoano
  • Looks good to me. Though I would say that specific checks like this probably belong in your app rather than a WAF if at all possible. – Barry Pollard Mar 08 '16 at 20:22
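
A tightened variant of the rule in the answer, as an added example that is not part of the original post: it matches the path with REQUEST_FILENAME (which excludes the query string) instead of a substring of REQUEST_URI, and adds a rule requiring exactly one email parameter, because `!@rx` on ARGS:email is only evaluated when that parameter is present. The rule ids 1001 and 1002, the 403 status and the messages are assumptions.

```apache
# Added example (not from the original answer). Rule ids, status code and
# messages are assumptions; adjust them to your own rule set.

# Rule 1001: /signup.php must carry exactly one "email" parameter.
# &ARGS:email is the number of parameters named "email". A "!@rx" check on
# ARGS:email never fires when the parameter is absent, because there is no
# value to evaluate, so the count is checked separately.
SecRule REQUEST_FILENAME "@streq /signup.php" \
    "id:1001,phase:2,t:none,log,deny,status:403,\
    msg:'signup: email parameter missing or repeated',chain"
    SecRule &ARGS:email "!@eq 1" "t:none"

# Rule 1002: the email value must match the regex from the question.
# REQUEST_FILENAME holds the path without the query string, so a request to
# another page with "signup.php" in its query string is not affected.
# phase:2 is needed so that ARGS also contains POST body parameters.
SecRule REQUEST_FILENAME "@streq /signup.php" \
    "id:1002,phase:2,t:none,log,deny,status:403,\
    msg:'signup: email parameter has invalid format',chain"
    SecRule ARGS:email "!@rx ^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$" "t:none"
```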