(For some reason I didn't get the direct email response.) After doing some more research, I think it's related to the fact that the <script> is in a JSON payload, and it turns out I'm not running a recent enough version of mod_security which supports JSON parsing. CentOS 7.1 is only packaging 2.7.3, whereas the JSON parser comes in 2.8.

I'm working on manually upgrading and trying again to see if that helps.

Thanks,
Brian

> Date: Sun, 6 Mar 2016 06:27:29 +0100
> From: Walter Hop <mod...@spam.lifeforms.nl>
> To: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] ARGS working against PUT?
> Message-ID: <9e49377c-5365-45a5-b142-6e8d29626...@spam.lifeforms.nl>
> Content-Type: text/plain; charset="utf-8"
>
> ARGS should be working on PUT. I wasn't able to reproduce this problem myself. Would it be possible for you to post the request headers to the mailing list?
>
> I'm thinking maybe the client is not sending a "Content-Type: application/x-www-form-urlencoded" header, so ModSecurity might not be parsing the request body for arguments. But this is just a guess.
>
> Cheers!
> WH
>
>> On 05 Mar 2016, at 23:44, Brian Davis (bridavis) <brida...@cisco.com> wrote:
>>
>> We're testing ModSecurity against some easy XSS tests. We have a PUT REST call in which we embed <script>alert(document.cookie)</script> into a text dialog box, which should be easily picked up by RuleID:973336, but for some reason it's not. debug_cache log says no match.
>>
>> Does ARGS work on PUTs in addition to POST? Reference documentation only seems to mention POST.
>>
>> Additionally, I tried to use the FULL_REQUEST target to see if that would help, but I'm getting an error: Error creating rule: Unknown variable: FULL_REQUEST, but SecRequestBodyAccess On is in mod_security.conf.
>>
>> This seems to be a very simple test in which mod_security should catch this, but no such luck.
>>
>> Any thoughts?
>>
>> Thanks,
>> Brian
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp
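Brian's diagnosis (the payload sits in a JSON body, and CentOS 7.1 ships ModSecurity 2.7.3 while JSON parsing arrived in 2.8) and Walter's guess about a missing Content-Type header come down to the same mechanism: ModSecurity only populates ARGS from a request body when a body processor has been selected for it, and by default only application/x-www-form-urlencoded and multipart/form-data bodies are parsed automatically. The method (PUT vs POST) is irrelevant. The following is an added example, not code from the thread or from the ModSecurity project: a minimal ModSecurity 2.8+ configuration that switches on the JSON body processor for application/json requests so that JSON values land in ARGS, plus a curl request (in a comment) to exercise it. The rule ids, the URL /api/item/1 and the JSON field name "text" are assumptions; it needs a ModSecurity build with YAJL support, which is what 2.8 introduced. (The FULL_REQUEST variable that Brian's rule failed on is also a 2.8 addition, so the "Unknown variable" error is the same version problem.)

```apache
# Added example, not from the thread or the ModSecurity project.
# Assumes ModSecurity >= 2.8 built with YAJL; 2.7.x has no JSON body processor.

SecRuleEngine On

# Without request body access no ARGS are extracted from any body, PUT or POST.
SecRequestBodyAccess On

# Select the JSON body processor for application/json requests. Without this
# rule the body is only parsed automatically for application/x-www-form-urlencoded
# and multipart/form-data, which is why a JSON PUT produces no ARGS at all.
# Id 200001 is the id used for this rule in modsecurity.conf-recommended.
SecRule REQUEST_HEADERS:Content-Type "application/json" \
    "id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Do not silently let a body through that the processor could not parse
# (malformed JSON would otherwise be inspected by nothing).
SecRule REQBODY_ERROR "!@eq 0" \
    "id:200002,phase:2,t:none,log,deny,status:400,msg:'Request body parse error',logdata:'%{REQBODY_ERROR_MSG}'"

# Illustrative check on the parsed values. The CRS XSS rules (e.g. 973336 in
# the 2.2.x rule set) target ARGS in the same way, so once the JSON processor
# is active they see the payload too. Hypothetical id 1000001.
SecRule ARGS "@rx (?i)<script[^>]*>" \
    "id:1000001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,log,deny,status:403,msg:'XSS in JSON body'"

# Verbose debug log to confirm which processor ran and which ARGS it produced.
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 9

# Test request (constructed; method PUT, JSON body):
#   curl -i -X PUT http://localhost/api/item/1 \
#     -H 'Content-Type: application/json' \
#     -d '{"text":"<script>alert(document.cookie)</script>"}'
# Expected on 2.8+: HTTP 403, and the debug log shows the JSON processor
# adding ARGS:text. The same request without the Content-Type header, or on
# 2.7.3, yields no ARGS from the body and therefore no match.
```

To isolate the problem on a live box, run the curl command twice, once with the application/json header and once with Content-Type: application/x-www-form-urlencoded and a body of text=%3Cscript%3E..., and compare the debug log lines for "Adding request argument": if the form-encoded PUT is blocked and the JSON one is not, body processor selection is the cause, not the HTTP method.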