Hi Neeraj,

Can you double check if the application is receiving the request body at all? Are you using other IIS modules in combination with ModSecurity?
There is a bug open regarding the ModSecurityIIS module and request body contents. The link to the bug is available here: https://github.com/SpiderLabs/ModSecurity/issues/562

Check if, by setting SecRequestBodyAccess to "off", your application starts to perform well again.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

On May 19, 2014, at 4:09 PM, Neeraj.Chaudhary <nee...@rockonllc.com> wrote:

Hi,

It's been a few days trying to figure out what is going wrong and where, but now I am stumped and need help from you guys.

I am using mod_security on IIS version 8.0.9200.16384. The same code works fine without mod_security, but as soon as I enable mod_security I get the below-mentioned response, which shows that the parameter userName is not proper. I debugged and looked into all possible concerns but am unable to find an error. I am using jQuery AJAX.

{"Message":"Invalid web service call, missing value for parameter: \u0027userName\u0027.","StackTrace":" at System.Web.Script.Services.WebServiceMethodData.CallMethod(Object target, IDictionary`2 parameters)\r\n at System.Web.Script.Services.RestHandler.InvokeMethod(HttpContext context, WebServiceMethodData methodData, IDictionary`2 rawParams)\r\n at System.Web.Script.Services.RestHandler.ExecuteWebServiceCall(HttpContext context, WebServiceMethodData methodData)","ExceptionType":"System.InvalidOperationException"}

Request Body:

{"userName": "neeraj.chaudhary", "password": "Abcd123"}

Aspx webmethod signature is:

[WebMethod]
public static string Login(string userName, string password)

I shall be delighted if someone can point out what can be done in this case. Maybe a change in a rule or anything which can help me pass through this scenario.

Regards,
Neeraj Chaudhary
+1 925 359 9074

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set