Our client has ModSecurity 2.0 with Rule Set 2.0.5 but he told us that minor detail at the end of the development.

I need to audit all the application code and make sure it does not interfere with ModSecurity. (It already does)

I know that you can't submit forms in POST with the keys 'content' and 'document', which heavily impacts our application.

Given the number of versions/rulesets of ModSecurity, where can I find a comprehensible explanation of what I must not use for $_GET and $_POST keys and/or forbidden header values?

The documentation I found on the website is too generalistic, or maybe I misread it.

Thanks

Tristan

1 Answer

Welcome to Server Fault.

There is no such thing called "key".

The client must provide the existing rules that permit or restrict requests, or write the new ones, or provide very detailed information about what they block while testing the system in parallel with you. or-or-or

Application code audit won't help you, it's not about the code, it's about operation:

Create a document, list how requests and responses are to be sent and received - content, structure, authentication etc. - everything - a strict document.

Rule Set 2.0.5 won't be just installed, it will be heavily modified or configured. Otherwise it will block most applications and clients. So, ask the client to provide a copy of the rule files from the server; do not try to use the files from the official site - it's useless, they're always modified according to the client's needs. Then check all the rules one by one (yes, you'll have to learn how rules are written), check where they can interfere with your app, test it on your system, look at the ModSecurity audit logs to see where the problem is, rewrite your app, or add new rules.

> The documentation I found on the website is too generalistic, or maybe I misread it.

Documentation on the website is VERY detailed, it's huge: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

GioMac
  • Ok thanks @GioMac I was expecting a list of blacklisted keywords that can't be used in form $_POST values, but I'll go with the solutions you gave me, although they require imo a lot of time if you consider learning how rules are written. – Tristan Sep 24 '13 at 11:58
  • There's no other way. If you take a closer look at the new rules, you'll understand why that is so necessary. – GioMac Sep 24 '13 at 12:02
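
The audit-log step from the answer above, as an added example (not code from the answer or from the ModSecurity project): it reads a ModSecurity 2.x serial audit log and groups the rule messages in section H by the request variable they matched, so a blocked form key such as `content` can be traced to a rule id and rule file. It assumes audit log parts B and H are enabled; the sample log, rule ids, file paths and the name `rules_by_variable` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (trimmed serial audit-log layout); ids, paths, msgs are placeholders.
SAMPLE_LOG = """\
--a1b2c3d4-A--
[24/Sep/2013:11:40:01 +0200] TXN0001 192.0.2.10 51000 192.0.2.20 80
--a1b2c3d4-B--
POST /app/save.php HTTP/1.1
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:content. [file "/etc/modsecurity/example_a.conf"] [line "10"] [id "900001"] [msg "Constructed rule A"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[24/Sep/2013:11:41:17 +0200] TXN0002 192.0.2.10 51001 192.0.2.20 80
--e5f6a7b8-B--
POST /app/upload.php HTTP/1.1
--e5f6a7b8-H--
Message: Warning. Pattern match "y" at ARGS_NAMES:document. [file "/etc/modsecurity/example_b.conf"] [line "22"] [id "900002"] [msg "Constructed rule B"]
Message: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:content. [file "/etc/modsecurity/example_a.conf"] [line "10"] [id "900001"] [msg "Constructed rule A"]
--e5f6a7b8-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")      # section marker, e.g. --a1b2c3d4-H--
REQUEST_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/")          # first line of section B
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')         # [id "..."] [file "..."] [line "..."]
TARGET = re.compile(r" at ([A-Z_]+(?::\S+?)?)\. \[")       # matched variable, e.g. ARGS:content

def rules_by_variable(log_text):
    """Group section-H rule messages by the request variable they matched on."""
    hits = defaultdict(set)
    section, path = None, "?"
    for line in log_text.splitlines():
        boundary = BOUNDARY.match(line)
        if boundary:
            section = boundary.group(1)
            path = "?" if section == "A" else path         # new transaction: forget old URL
        elif section == "B" and REQUEST_LINE.match(line):
            path = REQUEST_LINE.match(line).group(1)
        elif section == "H" and line.startswith("Message: "):
            tags = dict(TAG.findall(line))
            target = TARGET.search(line)
            variable = target.group(1) if target else "(no variable)"
            where = f'{tags.get("file", "?")}:{tags.get("line", "?")}'
            hits[variable].add((tags.get("id", "?"), where, path))
    return {var: sorted(found) for var, found in hits.items()}

if __name__ == "__main__":
    for variable, found in rules_by_variable(SAMPLE_LOG).items():
        print(variable, found)
```

Run it over the file named by the server's `SecAuditLog` directive; the `file:line` in each result points at the rule to read in the copy of the rule files obtained from the client.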