Hi everyone,
The argument 'login[password]' causes many false positives because of
special characters. I didn't want to remove the argument globally, so I
tried to limit it only to our login sites. This could be multiple sites
because of internationalization, for example:
https://www.mydomain.invalid/fr/login
https://www.mydomain.invalid/en/login
https://www.mydomain.invalid/nl/login
So I created the configuration like below, but it doesn't trigger at all.
Did I make a mistake? It works without the Location tags like a charm,
but it isn't good to ignore arguments globally.
Software versions:
libapache2-modsecurity 2.7.5
modsecurity-crs 2.2.8
apache2* 2.2.16-6+squeeze11
===============================
~> cat modsecurity_crs_70_post_custom.conf
<Location ~ "^/../login$">
SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION" "!ARGS:login[password]"
SecRuleUpdateTargetByTag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION" "!ARGS:login[password]"
SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/XSS" "!ARGS:login[password]"
SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/LDAP_INJECTION" "!ARGS:login[password]"
</Location>
===============================
Best regards,
Jan
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
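Editor's note: the following is an added example, not part of Jan's mail and not taken from the CRS itself. It expresses the same per-path target exclusion as a runtime ModSecurity rule. SecRuleUpdateTargetByTag is applied once when the configuration is loaded, whereas the ctl:ruleRemoveTargetByTag action is evaluated per request, so the condition (the request path) lives inside the rule rather than in an Apache container. The rule id 10001 and the assumption that the language prefix is exactly two lowercase letters are mine, not the page's.

```apache
# Added example (not from the original mail or the CRS).
# Match the path only (REQUEST_FILENAME excludes the query string, so the
# trailing $ anchor is not defeated by "?next=/account" and similar).
# Assumption: the language segment is two lowercase letters, e.g. /fr/login.
# Assumption: rule id 10001 is unused in this installation.
# Each ctl action strips only ARGS:login[password] from the rules carrying
# the named tag; every other argument on the login page is still inspected,
# and the rules themselves stay active.
SecRule REQUEST_FILENAME "@rx ^/[a-z]{2}/login$" \
    "phase:1,id:10001,t:none,nolog,pass,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;ARGS:login[password],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/PROTOCOL_VIOLATION/EVASION;ARGS:login[password],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:login[password],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/LDAP_INJECTION;ARGS:login[password]"
```

The rule runs in phase 1 so that the exclusion is in place before the CRS inspection rules execute in phase 2. After adding it, confirm with the debug or audit log that requests to /fr/login no longer raise the SQLi/XSS/LDAP/evasion alerts on login[password], while a deliberately odd value in another parameter on the same page still does.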