That did it. I was thinking that the whitelist needed to be loaded first so 
that the rule would be appropriately skipped, but of course that wouldn’t 
matter if they were all loaded into memory first.



Thanks, and thanks, Barry for your suggestions.



Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10



From: Christian Folini<mailto:christian.fol...@netnea.com>
Sent: Tuesday, April 26, 2016 3:25 PM
To: Colin MacAllister<mailto:cmacallis...@probono.net>
Cc: OWASP List<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] rules match despite updated target list



Colin,

Please try and include your whitelist.conf _after_ the owasp_crs.

Ahoj,

Christian

On Tue, Apr 26, 2016 at 06:34:33PM +0000, Colin MacAllister wrote:
> I have a cookie by the name of CFAUTHORIZATION_cfadmin which is triggering a 
> sql injection OWASP base rule. I have in the past successfully circumvented 
> it with
>
>                 SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfadmin"
>
> I have this rule in a file called whitelist.conf, and this is being included 
> in my modsecurity_iis.conf file:
>
> Include modsecurity.conf
> Include modsecurity_crs_10_setup.conf
> Include whitelist.conf
> Include owasp_crs\base_rules\*.conf
> #Include pbncustom.conf
>
> Modsecurity_iis.conf is being referred to as the base config file in the IIS 
> directive in the application host file like this:
>
>                 <ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf" />
>
> But when I make a request, each of the HTTP GETs in a request triggers the 
> warning about the CFAUTHORIZATION_cfadmin cookie. (The problem is that the 
> value for the cookie has double quotes around it, which is as far as I know 
> not changeable.)
>
>                 [client 127.0.0.1:51619] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at REQUEST_COOKIES:CFAUTHORIZATION_cfadmin.
>
> Does anyone know what might be going on here? I had some confusion about the 
> SecRuleUpdateTargetByID directive, since some sources made Target plural, and 
> some had it in singular – even in the same resource.

> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini
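
The include-order fix suggested in this thread, turned into a check you can run over a configuration (an added example, not part of the original messages and not ModSecurity's own code): it walks the Include lines in load order and flags any SecRuleUpdateTargetById that is read before the rule ID it modifies has been defined. The file contents and the name sample_sqli.conf are constructed; the two Include lists mirror the order from the thread and the corrected order.

```python
import fnmatch
import re

INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)", re.M)   # a leading '#' prevents a match
UPDATE_RE = re.compile(r"\s*SecRuleUpdateTargetById\s+(\d+)", re.I)
ID_RE = re.compile(r"\bid:'?(\d+)")                      # id action inside a SecRule

# Constructed file contents; the SecRule is a stand-in, not the real CRS rule.
FILES = {
    "whitelist.conf":
        'SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfadmin"\n',
    "owasp_crs/base_rules/sample_sqli.conf":
        'SecRule REQUEST_COOKIES "@rx ;+$" "phase:2,id:981318,block"\n',
}

# Include order as posted in the thread (whitelist loaded before the rules).
BEFORE = r"""
Include modsecurity.conf
Include modsecurity_crs_10_setup.conf
Include whitelist.conf
Include owasp_crs\base_rules\*.conf
#Include pbncustom.conf
"""

# Corrected order: whitelist.conf included after the rule set.
AFTER = r"""
Include modsecurity.conf
Include modsecurity_crs_10_setup.conf
Include owasp_crs\base_rules\*.conf
Include whitelist.conf
"""

def misplaced_updates(main_conf, files):
    """Return [(rule_id, file)] for updates read before the rule they modify."""
    defined, problems = set(), []
    for pattern in INCLUDE_RE.findall(main_conf):
        pattern = pattern.replace("\\", "/")             # Windows-style paths
        for path in sorted(fnmatch.filter(files, pattern)):
            for line in files[path].splitlines():
                if line.lstrip().startswith("#"):
                    continue                             # commented-out directive
                upd = UPDATE_RE.match(line)
                if upd and upd.group(1) not in defined:
                    problems.append((upd.group(1), path))
                elif not upd:
                    defined.update(ID_RE.findall(line))
    return problems

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, misplaced_updates(conf, FILES))
```

Files named in an Include but absent from the dictionary are skipped, so only the rule and whitelist files need to be supplied.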