I have an application served by Apache, on which mod_security is enabled, and I have been successfully tuning exceptions to avoid false positives using the likes of:
SecRuleUpdateTargetById 981260 !ARGS:'/^PD-.*/'
But now I am facing the case where a request argument carries a password, which could potentially contain every possible combination of characters that mod_security will flag as false positive. So my naive solution would be to disable all rules for that particular argument with something like:
SecRuleUpdateTargetById * !ARGS:'/^PD-.*/'
Is such a thing possible?