960010 being fired despite POST & application/x-www-form-urlencoded

_Issue originally created by user bitsofinfo on date 2018-03-26 03:10:10. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1056._

Using CRS 2.2.9, Modsecurity 2.9.2

Running with a pretty vanilla CRS 2.2.9 install

Clueless as to why this rule is being tripped. The way I understand it, this is validating that a POST request has a valid Content-Type.

The rule being tripped:

SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'" 
	SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
		SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

Contents of tx.allowed_request_content_type

SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
  nolog, \
  pass"

Audit log of the failure. This is clearly a POST with a valid content type of application/x-www-form-urlencoded.

{
  "transaction": {
    "time": "26/Mar/2018:02:57:24 +0000",
    "transaction_id": "WrhhlOPQJn96OyT7i2RxvAAAAAA",
    "remote_address": "127.0.0.1",
    "remote_port": 55400,
    "local_address": "127.0.0.1",
    "local_port": 9010
  },
  "request": {
    "request_line": "POST /serials HTTP/1.1",
    "headers": {
      "Host": "dog.test.com",
      "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
      "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
      "Accept-Encoding": "gzip, deflate, br",
      "Accept-Language": "en-US,en;q=0.9,pt;q=0.8,sv;q=0.7",
      "Cache-Control": "max-age=0",
      "Content-Type": "application/x-www-form-urlencoded",
      "Cookie": "JSESSIONID=(J2EE1049000)xx; xx=xx=; dog=xx; dtcolumns_serials=3%2C4; tests=xx-xx-xx-4A_B-x-x-x-x.",
      "Origin": "https://dog.test.com",
      "Referer": "https://dog.test.com/",
      "Upgrade-Insecure-Requests": "1",
      "X-Forwarded-For": "10.255.0.11, 10.0.1.227",
      "X-Forwarded-Host": "dog.test.com, dog.test.com",
      "X-Forwarded-Port": "443",
      "X-Forwarded-Proto": "https",
      "X-Forwarded-Server": "2cfd373ef6f6, 10.0.1.230",
      "X-BOF-Debug": "true",
      "X-Real-Ip": "10.255.0.11",
      "X-BOF-B3-TraceId": "dddd",
      "X-BOF-B3-ParentSpanId": "",
      "X-BOF-B3-SpanId": "dddd",
      "X-BOF-Http-Host-Context": "party",
      "Connection": "Keep-Alive",
      "Content-Length": "81"
    }
  },
  "response": {
    "protocol": "HTTP/1.1",
    "status": 406,
    "headers": {
      "Vary": "X-BOF-B3-TraceId",
      "Last-Modified": "Mon, 26 Feb 2018 22:11:52 GMT",
      "ETag": "\"4d3-56624cc0fda00\"",
      "Accept-Ranges": "bytes",
      "Content-Length": "1235",
      "X-BOF-Debug-Info": "stage.stage-dbzgus.BOF-party-stage-dbzgus-7-0-0--1-8.7.0.0--1-8_7.0.0--1-8**110**-BOF-apache-modsecurity.conf.f8a16de5f25c_[t=1522033044460013 D=1198 - l=0.05/0.04/0.05 i=75 b=25]",
      "Keep-Alive": "timeout=5, max=100",
      "Connection": "Keep-Alive",
      "Content-Type": "text/html; charset=UTF-8"
    }
  },
  "audit_data": {
    "messages": [" [file \"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf\"] [line \"64\"] [id \"960010\"] [rev \"2\"] [msg \"Request content type is not allowed by policy\"] [data \"application/x-www-form-urlencoded\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/2.2.9\"] [maturity \"9\"] [accuracy \"9\"] [tag \"OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED\"] [tag \"WASCTC/WASC-20\"] [tag \"OWASP_TOP_10/A1\"] [tag \"OWASP_AppSensor/EE2\"] [tag \"PCI/12.1\"] Access denied with code 406 (phase 1). Match of \"rx ^%{tx.allowed_request_content_type}$\" against \"TX:0\" required."],
    "error_messages": ["[file \"apache2_util.c\"] [line 271] [level 3] [client 127.0.0.1] ModSecurity:  [file \"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf\"] [line \"64\"] [id \"960010\"] [rev \"2\"] [msg \"Request content type is not allowed by policy\"] [data \"application/x-www-form-urlencoded\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/2.2.9\"] [maturity \"9\"] [accuracy \"9\"] [tag \"OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED\"] [tag \"WASCTC/WASC-20\"] [tag \"OWASP_TOP_10/A1\"] [tag \"OWASP_AppSensor/EE2\"] [tag \"PCI/12.1\"] Access denied with code 406 (phase 1). Match of \"rx ^%{tx.allowed_request_content_type}$\" against \"TX:0\" required. [hostname \"dog.test.com\"] [uri \"/serials\"] [unique_id \"WrhhlOPQJn96OyT7i2RxvAAAAAA\"]", "[file \"mod_authz_core.c\"] [line 809] [level 7] AH01626: authorization result of Require all granted: granted", "[file \"mod_authz_core.c\"] [line 809] [level 7] AH01626: authorization result of <RequireAny>: granted"],
    "action": {
      "intercepted": true,
      "phase": 1,
      "message": "Match of \"rx ^%{tx.allowed_request_content_type}$\" against \"TX:0\" required."
    },
    "stopwatch": {
      "p1": 752,
      "p2": 0,
      "p3": 0,
      "p4": 0,
      "p5": 253,
      "sr": 52,
      "sw": 0,
      "l": 0,
      "gc": 0
    },
    "producer": ["ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/)", "OWASP_CRS/2.2.9"],
    "server": "Apache",
    "engine_mode": "ENABLED"
  },
  "matched_rules": [{
    "chain": false,
    "rules": [{
      "actionset": {
        "id": "900001",
        "phase": 1,
        "is_chained": false
      },
      "operator": {
        "operator": "unconditionalMatch",
        "operator_param": "",
        "target": "REMOTE_ADDR",
        "negated": false
      },
      "config": {
        "filename": "/etc/httpd/modsecurity.d/BOF_modsecurity_crs_10_setup.conf",
        "line_num": 100
      },
      "unparsed": "SecAction \"phase:1,status:406,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass\"",
      "is_matched": true
    }]
  }, {
    "chain": false,
    "rules": [{
      "actionset": {
        "id": "900002",
        "phase": 1,
        "is_chained": false
      },
      "operator": {
        "operator": "unconditionalMatch",
        "operator_param": "",
        "target": "REMOTE_ADDR",
        "negated": false
      },
      "config": {
        "filename": "/etc/httpd/modsecurity.d/BOF_modsecurity_crs_10_setup.conf",
        "line_num": 131
      },
      "unparsed": "SecAction \"phase:1,status:406,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass\"",
      "is_matched": true
    }]
  }, {
    "chain": false,
    "rules": [{
      "actionset": {
        "id": "900003",
        "phase": 1,
        "is_chained": false
      },
      "operator": {
        "operator": "unconditionalMatch",
        "operator_param": "",
        "target": "REMOTE_ADDR",
        "negated": false
      },
      "config": {
        "filename": "/etc/httpd/modsecurity.d/BOF_modsecurity_crs_10_setup.conf",
        "line_num": 141
      },
      "unparsed": "SecAction \"phase:1,status:406,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=5,setvar:tx.outbound_anomaly_score_level=4,nolog,pass\"",
      "is_matched": true
    }]
  }, {
    "chain": false,
    "rules": [{
      "actionset": {
        "id": "900021",
        "phase": 1,
        "is_chained": false
      },
      "operator": {
        "operator": "eq",
        "operator_param": "0",
        "target": "&TX:REAL_IP",
        "negated": false
      },
      "config": {
        "filename": "/etc/httpd/modsecurity.d/BOF_modsecurity_crs_10_setup.conf",
        "line_num": 438
      },
      "unparsed": "SecRule \"&TX:REAL_IP\" \"@eq 0\" \"phase:1,status:406,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass\"",
      "is_matched": true
    }]
  }, {
    "chain": true,
    "rules": [{
      "actionset": {
        "id": "960012",
        "rev": "1",
        "version": "OWASP_CRS/2.2.9",
        "severity": 4,
        "accuracy": 9,
        "maturity": 9,
        "phase": 1,
        "is_chained": true,
        "chain_starter": true,
        "tags": ["OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ", "CAPEC-272"]
      },
      "operator": {
        "operator": "rx",
        "operator_param": "^POST$",
        "target": "REQUEST_METHOD",
        "negated": false
      },
      "config": {
        "filename": "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf",
        "line_num": 312
      },
      "unparsed": "SecRule \"REQUEST_METHOD\" \"@rx ^POST$\" \"phase:1,log,status:406,msg:'POST request missing Content-Length Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain\"",
      "is_matched": true
    }, {
      "actionset": {
        "phase": 1,
        "is_chained": true
      },
      "operator": {
        "operator": "eq",
        "operator_param": "0",
        "target": "&REQUEST_HEADERS:Content-Length",
        "negated": false
      },
      "config": {
        "filename": "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf",
        "line_num": 317
      },
      "unparsed": "SecRule \"&REQUEST_HEADERS:Content-Length\" \"@eq 0\" \"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}\"",
      "is_matched": false
    }],
    "full_chain_match": false
  }, {
    "chain": true,
    "rules": [{
      "actionset": {
        "id": "960010",
        "rev": "2",
        "version": "OWASP_CRS/2.2.9",
        "severity": 2,
        "accuracy": 9,
        "maturity": 9,
        "phase": 1,
        "is_chained": true,
        "chain_starter": true,
        "tags": ["OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED", "WASCTC/WASC-20", "OWASP_TOP_10/A1", "OWASP_AppSensor/EE2", "PCI/12.1"]
      },
      "operator": {
        "operator": "rx",
        "operator_param": "^(?:GET|HEAD|PROPFIND|OPTIONS)$",
        "target": "REQUEST_METHOD",
        "negated": true
      },
      "config": {
        "filename": "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf",
        "line_num": 64
      },
      "unparsed": "SecRule \"REQUEST_METHOD\" \"!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$\" \"phase:1,log,status:406,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}\"",
      "is_matched": true
    }, {
      "actionset": {
        "phase": 1,
        "is_chained": true
      },
      "operator": {
        "operator": "rx",
        "operator_param": "^([^;\\s]+)",
        "target": "REQUEST_HEADERS:Content-Type",
        "negated": false
      },
      "config": {
        "filename": "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf",
        "line_num": 65
      },
      "unparsed": "SecRule \"REQUEST_HEADERS:Content-Type\" \"@rx ^([^;\\\\s]+)\" \"chain,capture\"",
      "is_matched": true
    }, {
      "actionset": {
        "phase": 1,
        "is_chained": true
      },
      "operator": {
        "operator": "rx",
        "operator_param": "^%{tx.allowed_request_content_type}$",
        "target": "TX:0",
        "negated": true
      },
      "config": {
        "filename": "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf",
        "line_num": 66
      },
      "unparsed": "SecRule \"TX:0\" \"!@rx ^%{tx.allowed_request_content_type}$\" \"t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}\"",
      "is_matched": true
    }],
    "full_chain_match": true
  }]
}

Debug log

[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Recipe: Invoking rule 55a3e788c690; [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"].
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][5] Rule 55a3e788c690: SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,log,status:406,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}"
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Transformation completed in 2 usec.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Executing operator "!rx" with param "^(?:GET|HEAD|PROPFIND|OPTIONS)$" against REQUEST_METHOD.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Target value: "POST"
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Operator completed in 1 usec.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Rule returned 1.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Match -> mode NEXT_RULE.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Recipe: Invoking rule 55a3e7959020; [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "65"].
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][5] Rule 55a3e7959020: SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture"
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Transformation completed in 1 usec.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Executing operator "rx" with param "^([^;\\s]+)" against REQUEST_HEADERS:Content-Type.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Target value: "application/x-www-form-urlencoded"
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Added regex subexpression to TX.0: application/x-www-form-urlencoded
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Added regex subexpression to TX.1: application/x-www-form-urlencoded
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Operator completed in 8 usec.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Rule returned 1.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Match -> mode NEXT_RULE.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Recipe: Invoking rule 55a3e795a2b0; [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "66"].
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][5] Rule 55a3e795a2b0: SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Transformation completed in 1 usec.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Executing operator "!rx" with param "^%{tx.allowed_request_content_type}$" against TX:0.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Target value: "application/x-www-form-urlencoded"
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][6] Escaping pattern [^$]
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Operator completed in 11 usec.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Ctl: Set requestBodyAccess to 1.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Setting variable: tx.msg=%{rule.msg}
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Resolved macro %{rule.msg} to: Request content type is not allowed by policy
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Set variable "tx.msg" to "Request content type is not allowed by policy".
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Setting variable: tx.anomaly_score=+%{tx.critical_anomaly_score}
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Recorded original collection variable: tx.anomaly_score = "0"
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Resolved macro %{tx.critical_anomaly_score} to: 5
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Relative change: anomaly_score=0+5
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Set variable "tx.anomaly_score" to "5".
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Setting variable: tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Resolved macro %{rule.id} to: 960010
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Resolved macro %{matched_var_name} to: TX:0
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Resolved macro %{matched_var} to: application/x-www-form-urlencoded
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Set variable "tx.960010-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-TX:0" to "application/x-www-form-urlencoded".
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][4] Rule returned 1.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Match, intercepted -> returning.
[26/Mar/2018:02:57:24 +0000] [dog.test.com/sid#55a3e75423d8][rid#55a3e8ad42e0][/serials][9] Resolved macro %{matched_var} to: application/x-www-form-urlencoded

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 10

Top GitHub Comments

1 reaction
CRS-migration-bot commented, May 13, 2020

User bitsofinfo commented on date 2018-03-26 17:11:39:

Sorry for the giant waste of time, looks like there was some rogue conf from an old build in a subdirectory with the statement SecRuleRemoveById 900012… arg…

0 reactions
CRS-migration-bot commented, May 13, 2020

User spartantri commented on date 2018-03-26 15:32:06:

You can try changing your setup rule to be noisy:

SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
  log, \
  pass,msg:'Your allowed request C-T values are: %{tx.allowed_request_content_type}'"
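
Added example, not part of the thread or of CRS: per the reporter's follow-up, a leftover `SecRuleRemoveById 900012` removed the action that sets `tx.allowed_request_content_type`, and the debug log's `Escaping pattern [^$]` shows the allow-list macro expanding to nothing. The sketch below reproduces that evaluation of rule 960010 and scans a set of config files for `%{tx.*}` macros whose every setter has been removed. The file names in `SAMPLE_CONFIGS` and all function names are assumptions, and the parsing is a simplified approximation of ModSecurity's.

```python
import re

# Constructed sample: trimmed copies of the issue's setup action and rule 960010,
# plus a stray file (hypothetical path) carrying the removal the reporter found.
SAMPLE_CONFIGS = {
    "modsecurity_crs_10_setup.conf": r'''
SecAction \
  "id:'900012', \
  phase:1, \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data', \
  nolog,pass"
''',
    "modsecurity_crs_30_http_policy.conf": r'''
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,id:'960010'"
  SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
    SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none"
''',
    "old_build/leftover.conf": "SecRuleRemoveById 900012\n",
}
MACRO = re.compile(r"%\{tx\.([\w.-]+)\}", re.I)

def directives(text):
    """Yield logical directives, joining backslash-continued lines."""
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line.strip()

def removed_ids(configs):
    """Map rule id -> file name for every SecRuleRemoveById id or id range."""
    removed = {}
    for name, text in configs.items():
        for d in directives(text):
            if d.lower().startswith("secruleremovebyid"):
                for arg in d.split()[1:]:
                    lo, _, hi = arg.strip("\"'").partition("-")
                    removed.update({i: name for i in range(int(lo), int(hi or lo) + 1)})
    return removed

def tx_setters(configs):
    """Map tx variable name -> ids of the rules that set it with setvar."""
    setters = {}
    for text in configs.values():
        rid = None
        for d in directives(text):
            m = re.search(r"\bid:'?(\d+)", d)
            rid = int(m.group(1)) if m else rid  # chained rules inherit the starter's id
            for var in re.findall(r"setvar:'?tx\.([\w.-]+)=", d, re.I):
                setters.setdefault(var.lower(), set()).add(rid)
    return setters

def orphaned_macros(configs):
    """Return (variable, rule id, removing file) for macros whose every setter is removed."""
    removed, setters = removed_ids(configs), tx_setters(configs)
    used = {v.lower() for text in configs.values() for v in MACRO.findall(text)}
    return [(v, i, removed[i]) for v in sorted(used)
            if setters.get(v) and all(i in removed for i in setters[v])
            for i in sorted(setters[v])]

def expand(pattern, tx):
    """Expand %{tx.name} macros; an unset variable contributes an empty string."""
    return MACRO.sub(lambda m: tx.get(m.group(1).lower(), ""), pattern)

def rule_960010_matches(method, content_type, tx):
    """Evaluate the three chained operators of rule 960010 as quoted in the issue."""
    if re.search(r"^(?:GET|HEAD|PROPFIND|OPTIONS)$", method):
        return False
    cap = re.search(r"^([^;\s]+)", content_type)
    allowed = expand("^%{tx.allowed_request_content_type}$", tx)
    return bool(cap) and not re.search(allowed, cap.group(0))
```

Calling `orphaned_macros()` on the real rule files (read into a dict of name to text) lists each macro that will silently expand to an empty pattern, together with the file whose `SecRuleRemoveById` caused it.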