Hello there, I noticed that version 3 of the CRS ruleset sometimes changes the rule phase: from phase:1 (v2.2.9) to phase:request. But phase:request just translates to phase:2 (request body) and, if I understand the phase processing correctly, requests that do not contain a body will not be checked against phase:2 rules. (Well, this is what I observe in my debugging logs. I don't know if it is the standard ModSecurity behavior or if it comes from my implementation.)
A typical example is rule id 960911 (REQUEST-20-PROTOCOL-ENFORCEMENT), which validates the HTTP request line: it seems to me that it should be validated for all requests, including those without a body, but the phase is now phase:request in CRS v3. Besides, there are a lot of other examples in REQUEST-21-PROTOCOL-ATTACK where it seems to me that the rules should be put in phase:1 (e.g. smuggling, response splitting). The same applies to REQUEST-10-IP-REPUTATION. Am I missing something? Is this a conscious choice? Thanks for enlightening me.

Regards,
Aymeric Chaib
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
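As an added helper for auditing the question raised above (not code from the thread or from the CRS project), the script below parses SecRule directives, resolves each rule's effective phase (numeric or alias, with ModSecurity's default of phase 2 when none is given) and lists the rules that will not run in phase 1. The sample rule text is constructed to look like a CRS v3 file; only id 960911 comes from the message, the other ids and the operators are made up.

```python
import re

# ModSecurity phase aliases; "request" and "response" are the body phases.
PHASE_ALIASES = {
    "request-headers": 1, "request": 2, "request-body": 2,
    "response-headers": 3, "response": 4, "response-body": 4, "logging": 5,
}
DEFAULT_PHASE = 2  # a rule without a phase action runs in phase 2

# Constructed sample in the shape of a CRS v3 rule file (not real CRS content).
SAMPLE_RULES = r'''
SecRule REQUEST_LINE "!@rx ^[A-Z]+ \S+ HTTP/\d\.\d$" \
    "id:960911,\
    phase:request,\
    block,\
    msg:'Invalid HTTP Request Line'"
SecRule REQUEST_HEADERS:Host "@rx ^$" "id:100001,phase:1,block"
SecRule ARGS "@rx foo" "id:100002,block"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
    "id:100003,phase:request-headers,block,chain"
    SecRule REQUEST_METHOD "@streq POST"
'''

def normalize_phase(raw):
    """Turn a phase action value (number or alias) into its numeric phase."""
    if raw is None:
        return DEFAULT_PHASE
    if raw.isdigit():
        return int(raw)
    return PHASE_ALIASES[raw.lower()]

def logical_lines(text):
    """Join backslash-continued lines so every directive is one string."""
    out, buf = [], ""
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        out.append((buf + stripped).strip())
        buf = ""
    return out

def rule_phases(text):
    """Map each rule id to its effective numeric phase."""
    phases = {}
    for line in logical_lines(text):
        if not line.startswith("SecRule"):
            continue
        rule_id = re.search(r"\bid:'?(\d+)", line)
        if rule_id is None:  # chain child: no id, runs in its parent's phase
            continue
        phase = re.search(r"\bphase:'?([\w-]+)", line)
        phases[int(rule_id.group(1))] = normalize_phase(phase.group(1) if phase else None)
    return phases

def rules_not_in_phase(text, phase=1):
    """Ids of rules that do not run in the given phase, e.g. header-only checks to review."""
    return sorted(rid for rid, p in rule_phases(text).items() if p != phase)
```

Point it at a real REQUEST-*.conf file to get the same listing for the rules discussed in the message.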