We have an open jira ticket for this and we are working on a json request body parser that will populate ARGS.
-- Ryan Barnett Lead Security Researcher Trustwave - SpiderLabs On Dec 8, 2012, at 11:45 PM, "Ben WIlliams" <benwilliams+ow...@joobworld.com> wrote: > Hi, > I am interested to know how other modsecurity CRS users handle json requests? > Since there is no processor for JSON to break it down into ARGS, the JSON is > compared as one long string which causes a lot of false positives for SQLi, > etc. > My approach so far has been to disable the CRS rules that cause false > positives on JSON. > Has anyone tried luajson or a json schema library to do validation? > > thanks > _______________________________________________ > Owasp-modsecurity-core-rule-set mailing list > Owasp-modsecurity-core-rule-set@lists.owasp.org > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
