ModSec 3.0 fails on new rule 901350 (enforce body processor URLENCODED)

_Issue originally created by user dune73 on date 2018-06-05 13:22:02. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1120._

Houston, we have a problem.

ModSec 3.0 implements ctl:requestBodyProcessor=JSON, but fails to run with ctl:requestBodyProcessor=URLENCODED.

I have opened an issue over at ModSec: https://github.com/SpiderLabs/ModSecurity/issues/1797

This issue could mean that we do not support ModSec 3.0 with our 3.1 release. I hope it gets fixed in ModSec 3.0, or ModSec and our project both are in a tricky situation.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 20

Top GitHub Comments

CRS-migration-bot commented, May 13, 2020

User dune73 commented on date 2018-06-20 21:04:02:

Thank you for sharing your view. I agree that there are PROs and CONs. Having it in the recommended rules, even if as an option, would ease things for us, as it is a setting that changes the behavior of the engine and we would like CRS to have no side effects if possible.

If it is part of the recommended rules, then we can simply point to said rules in our documentation and tell people to enable it for a really secure setup.

I’ll open an issue.

CRS-migration-bot commented, May 13, 2020

User victorhora commented on date 2018-06-20 14:29:01:

I’m not sure about enforcing URLENCODED by default, dune73. I see positive and negative aspects about it. But I’d say if it’s something that most would like to see, an issue about it should be opened for discussion, and adding it to the file but leaving it disabled by default can also be an option.
