(Sent my payload to Christian offline.) One thing I should add is that for every rule ID I intend to circumvent I have a few lines like this:

SecRuleUpdateTargetById 950018 "!ARGS:'/text|Blurb|myxml|MailMessage|BodyField|TextEmail /'"

... with the 2 subsequent lines including other arguments to ignore.

-----Original Message-----
From: Christian Folini [mailto:christian.fol...@netnea.com]
Sent: Friday, May 13, 2016 2:40 PM
To: Colin MacAllister <cmacallis...@probono.net>
Cc: OWASP CRS Mailing List <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] arg name not resolving for large post value

On Fri, May 13, 2016 at 06:28:52PM +0000, Colin MacAllister wrote:
> The payload is not correct. The initial payload is something like "blurb=A
> stitch in time saves nine", but what comes through is just "ime saves nine",
> and mod security tries to interpret that as one of the argnames instead of
> "blurb". I'm pretty sure this isn't by design.

Thanks for pointing this out, Colin.

Please provide the exact and complete payload. I think it really matters in order to reproduce this issue.

Ahoj,

Christian

--
Every man takes the limits of his own field of vision for the limits of the world.
-- Arthur Schopenhauer
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set