Hi all,

Thanks in advance for any help you can provide. I'm attempting to configure mod_security and the core rule set to handle traffic for our web application and am getting stuck trying to figure out the intended behavior of rule 950107. The problem I'm running into seems to stem from the fact that a literal % is being URI-encoded inside a query string (done "automagically" by jQuery in my case). As I'm reading rule 950109, it looks like any encoded character will cause it to trigger, which seems not to be the intent of the rule (based on the name). I'd expect the rule to fire only in the case where the encoded % (%25) were then followed by two more (or u+4 more) digits, which would result from URI-encoding a string twice. While the encoding of the % as %25 isn't strictly necessary, I don't think it is, in and of itself, necessarily a problem.

Here is an example request:

GET /searchController.jsp?searchText=%25name&maxResults=50

So I suppose I have a three-part question:

1. What, if anything, am I missing about the intent and implementation of 950109?
2. If its behavior is deemed to be "correct", how would you suggest working around this? I have been trying to be surgical about modifying the core rules, only either whitelisting entire endpoints or by removing selected rules by ID after all had been loaded. I am sure I could re-add a modified version of 950109 that will not trigger on the particular endpoint in question, but is there a better way?
3. If its behavior is deemed to be incorrect, how should we (I) change it?

-m
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
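To make the distinction in the post concrete, here is an added Python illustration (not from the CRS or from the poster) of the two readings of the rule: a naive check that fires on any encoded percent sign (%25), and the narrower check the poster expects, which fires only when %25 is followed by a valid escape (two hex digits, or u plus four hex digits), i.e. only when the value looks like it was URI-encoded twice. The query string is the one from the post; the regexes and helper names are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Query string taken from the post's example request. searchText=%25name is a
# single encoding of the literal "%name"; it has NOT been encoded twice.
SAMPLE_QUERY = "searchText=%25name&maxResults=50"

# Naive reading: any encoded percent sign is treated as "multiple encoding".
NAIVE_RE = re.compile(r"%25", re.IGNORECASE)

# Narrow reading: an encoded percent sign that is itself followed by a valid
# escape sequence (%25 + 2 hex digits, or %25u + 4 hex digits). Only that is
# evidence that an already-encoded string was encoded a second time.
DOUBLE_RE = re.compile(r"%25(?:[0-9a-f]{2}|u[0-9a-f]{4})", re.IGNORECASE)

# Any single valid escape, used by the decode-once approach below.
ESCAPE_RE = re.compile(r"%(?:[0-9a-f]{2}|u[0-9a-f]{4})", re.IGNORECASE)


def flagged_params(query: str, pattern: re.Pattern) -> list:
    """Names of query parameters whose raw (still-encoded) value matches pattern."""
    hits = []
    for raw_pair in query.split("&"):
        name, _, value = raw_pair.partition("=")
        if pattern.search(value):
            hits.append(name)
    return hits


def naive_check(query: str) -> list:
    """Parameters a check that fires on every %25 would flag."""
    return flagged_params(query, NAIVE_RE)


def double_encoding_check(query: str) -> list:
    """Parameters that actually look URI-encoded twice."""
    return flagged_params(query, DOUBLE_RE)


def still_encoded_after_one_decode(value: str) -> bool:
    """Equivalent test phrased as 'decode once, see if an escape remains'.

    "%25name" decodes to "%name", which contains no valid escape -> False.
    "%2541"   decodes to "%41",   which is still an escape          -> True.
    Note: a user who literally types "%41" and has it encoded once is
    indistinguishable from double encoding by either test.
    """
    return bool(ESCAPE_RE.search(unquote(value)))
```

Under the narrow reading the post's request does not match, while a value such as searchText=%2541name (decoding to %41name) still does.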