Dear Achim
Thanks a lot for your reply.
It happens in both GET & POST.
Every character which is not English (ASCII capable) will be transferred via
iso-8859 encoding (if we don't set the content type), and when I send a character
it becomes something like %26%231234%3B%26%235678%3B%26%239101%3B; it is URL
encoded, but its decoded form is "&#whatever-character;".
I have checked the back-end web application code and it doesn't have anything
strange. I found that it is the default behavior of the HTML <input> tag for
text, so it seems to me that I have to change the rule instead of modsecurity.
What do you think about it? Any recommendation for changing the rule?
Sincerely yours
IMAN
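
The encoding described in this message, reproduced as an added example that is not part of the original thread. It assumes Python's `xmlcharrefreplace` error handler as a stand-in for the browser's form-submission behaviour, and the function names are hypothetical. It shows what a WAF rule sees after URL decoding alone and after numeric character references are also resolved.

```python
import html
from urllib.parse import quote, unquote_to_bytes

PAGE_CHARSET = "iso-8859-1"  # assumption: the charset the form is submitted in


def browser_form_encode(text, charset=PAGE_CHARSET):
    """Emulate a form field submitted in `charset`.

    Characters the charset cannot represent are replaced by a numeric
    character reference (&#N;), then the bytes are percent-encoded.
    """
    raw = text.encode(charset, errors="xmlcharrefreplace")
    return quote(raw, safe="")


def inspection_stages(value, charset=PAGE_CHARSET):
    """Return (url_decoded, entity_decoded) views of one parameter value.

    url_decoded is what a rule sees after URL decoding only; it still
    carries the '&', '#' and ';' of each reference.
    entity_decoded is the text the user actually typed.
    """
    url_decoded = unquote_to_bytes(value).decode(charset)
    entity_decoded = html.unescape(url_decoded)
    return url_decoded, entity_decoded


def normalize(value, charset=PAGE_CHARSET):
    """Fully normalized value: URL-decode, then resolve character references."""
    return inspection_stages(value, charset)[1]


if __name__ == "__main__":
    # Constructed sample input: one Latin-1 character and one character outside it.
    sample = "caf\u00e9 \u06e8"
    wire = browser_form_encode(sample)
    first, second = inspection_stages(wire)
    print("on the wire      :", wire)
    print("after URL decode :", first)
    print("after entity pass:", second)
```

The entity-decoding pass also turns a typed `&#60;` into `<`, so inspection rules need to run on the fully normalized value as well as the raw one.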
________________________________
From: Achim <ow...@sic-sec.org>
To: Iman Vakili <ivak...@yahoo.com>
Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org"
<owasp-modsecurity-core-rule-set@lists.owasp.org>
Sent: Wednesday, September 5, 2012 10:40 AM
Subject: Re: [Owasp-modsecurity-core-rule-set] Fw: Fw: Encoding
Iman,
can you please post an example of your request. Is it a GET or POST?
Please keep in mind that most characters must be URL-encoded.
This is (character-)"encoding", while you seem to talk/wonder about
character sets (iso-8859). This means that HTML-Entities (like &#1768;)
never appear in the request (except if there're some special settings for
POST requests).
-Achim
On 04.09.2012 11:28, Iman Vakili wrote:
>
>
> Sorry, my bad, the character is "&#1768;"; it uses ";" at the end of the
> characters as a delimiter, and we all know how modsecurity deals with ";"
>
> ~IMAN
>
> ----- Forwarded Message -----
> From: Iman Vakili <ivak...@yahoo.com>
> To: "owasp-modsecurity-core-rule-set@lists.owasp.org"
> <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Sent: Tuesday, September 4, 2012 1:39 PM
> Subject: [Owasp-modsecurity-core-rule-set] Fw: Encoding
>
>
>
>
> I want to complete my question: when I send a character in iso-8859,
> something like "&#1768;" will be transferred and I don't know how to make
> modsecurity understand this (decode it). It seems that I have to change
> iso-8859 to utf-8, maybe by t:urlDecodeUni, but I don't know how to transform
> it. Also, I don't know what the meaning of the codes in unicode.mapping is,
> something like 01e5:67. Can anyone explain their procedure? First I thought it
> is mapping 01e5 to 67, but when I was testing it my hypothesis was rejected.
> Even if it can map characters, what should we do with "&#"?
>
> Sincerely yours
>
> ~IMAN
>
>
> ----- Forwarded Message -----
> From: Iman Vakili <ivak...@yahoo.com>
> To: "owasp-modsecurity-core-rule-set@lists.owasp.org"
> <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Sent: Tuesday, September 4, 2012 8:36 AM
> Subject: [Owasp-modsecurity-core-rule-set] Encoding
>
>
> Hi friends,
>
> I have set parameter matching in UTF8 encoding on modsecurity, but there is a
> web application which is using iso-8859-1 for its encoding, and the thing is
> modsecurity will detect every parameter encoded in iso-8859-1 in the POST and
> GET parameters as an attack. That is natural behavior, but I wonder how we can
> support other encodings such as iso-8859-1. Also, there are some functions
> which I think are ambiguous, like t:urlDecodeUni; I couldn't detect any
> transformation by this function. The same goes for SecUnicodeCodePage and
> SecUnicodeMapFile; the thing is, it is not clear what exactly the mapping does.
> I will be so thankful if you can guide me. Do you think I have to change
> things at the development level to support other encodings?
>
> Thanks a lot,
> All the best
>
> ~Iman
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set