I have a question about how to deal with whitelisting field arrays in ModSecurity. Currently I am doing the following:

... ctl:ruleRemoveTargetById=942510;ARGS:_owc_pdc_faq_group[0][pdc_faq_answer]"
... ctl:ruleRemoveTargetById=942510;ARGS:_owc_pdc_faq_group[1][pdc_faq_answer]"
... ctl:ruleRemoveTargetById=942510;ARGS:_owc_pdc_faq_group[2][pdc_faq_answer]"
... ctl:ruleRemoveTargetById=942510;ARGS:_owc_pdc_faq_group[3][pdc_faq_answer]"

Now for WP there is a limited amount of items. But another application has near unlimited fields. As far as I have found there is no way to use regex for the target parameter. I also don't believe it's possible to cut the field parameter short as there is no wildcard at the end of the field.

This won't work for the examples above:

... ctl:ruleRemoveTargetById=942510;ARGS:_owc_pdc_faq_group"
... ctl:ruleRemoveTargetById=942510;ARGS:_owc_pdc_faq_group*"

I don't want to drop the field parameter if I don't have to. I would love to hear any suggestions you may have.

Eddie4

1 Answer

This is a tricky one and I have to confirm your conclusions.

It would be sweet if the following form would work, but it does not:

SecRule ARGS:/test.*/   "@unconditionalMatch"   "id:1006,phase:1,pass,ctl:ruleRemoveTargetById=930120;%{MATCHED_VAR_NAME}"

So I guess dropping the rule for all of ARGS is the next best thing you can do. Maybe limit the rule exclusions to the path as well.

schroeder
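
One way to write the path-scoped exclusion suggested in the answer above, as an added example that is not part of the original posts. The rule id 10001 and the `/wp-admin/post.php` endpoint are assumptions; substitute a free local id and the endpoint the form actually posts to.

```apache
# Added example, not from the original question or answer.
# Assumptions: id 10001 is unused in the local rule range, and the form
# containing the _owc_pdc_faq_group[...] fields posts to /wp-admin/post.php.
#
# Load this before the CRS rule files so the exclusion is registered in
# phase 1, ahead of rule 942510 being evaluated.
#
# Effect: 942510 stops inspecting the whole ARGS collection, but only for
# POST requests to this one endpoint. Every other path and every other CRS
# rule keeps inspecting these fields as before.
SecRule REQUEST_FILENAME "@streq /wp-admin/post.php" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,\
        ctl:ruleRemoveTargetById=942510;ARGS"
```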