OWASP ModSecurity rule 950119 for Remote File Inclusion blocks the following URL:

https://mydomain.com?myparam=http://mysite.com?&param2=abcd

What's the issue with having `?&` in a URL that causes it to be blocked?

Anders
Novice User
  • & is not the issue here. If you take a look at the regex of this rule at https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_40_generic_attacks.conf#L159, it is only searching for ? after the protocol and domain name. It is searching these in the ARGS variable, which includes the GET and POST variables. Domain names in either of these variables mean RFI in most cases, which is why it is detecting them. – void_in Oct 20 '16 at 08:08
  • Then why doesn't it block when I have ?myparam=http://mysite.com&param2=abcd – Novice User Oct 20 '16 at 17:41
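
The following is an added example (not from the question, the comments, or the CRS project) that shows why the two URLs in the thread are treated differently: the WAF splits the query string on `&` before it inspects each argument, so in the first URL `ARGS:myparam` is `http://mysite.com?` with a trailing `?`, while in the second it is `http://mysite.com`. The regex below is an assumed simplified stand-in for the rule's intent (scheme, host, trailing `?`), not the actual CRS pattern.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: simplified stand-in for what rule 950119 checks, modelled on the
# comments above (a URL in an argument value with a trailing '?'). This is NOT
# the real CRS regex; it only models the described behaviour.
RFI_TRAILING_QMARK = re.compile(r"^(?:ft|htt)ps?://[^/?#\s]+\?$", re.IGNORECASE)


def collect_args(url):
    """Rebuild the GET half of ModSecurity's ARGS collection for a request URL.

    Only the first '?' in the request separates path from query. The query is
    then split on '&', so a '?' that sits inside a value stays in that value.
    Returns a list of (name, value) pairs, like the ARGS collection.
    """
    query = urlsplit(url).query
    return parse_qsl(query, keep_blank_values=True)


def rfi_hits(url):
    """Names of ARGS whose value would trigger the trailing-'?' RFI check."""
    return [name for name, value in collect_args(url)
            if RFI_TRAILING_QMARK.match(value)]


if __name__ == "__main__":
    # Constructed sample requests mirroring the two URLs from the question.
    blocked = "https://mydomain.com?myparam=http://mysite.com?&param2=abcd"
    allowed = "https://mydomain.com?myparam=http://mysite.com&param2=abcd"
    for url in (blocked, allowed):
        print(url)
        for name, value in collect_args(url):
            print(f"  ARGS:{name} = {value!r}")
        print(f"  hits: {rfi_hits(url)}")
```

Running it shows `hits: ['myparam']` for the first URL and `hits: []` for the second, which is why `&` by itself never mattered: it is the separator that leaves `?` as the last character of the argument value.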

0 Answers