I'm trying to process the REQUEST_BODY of a web request, which has Content-Type: text/xml and some XML inside it.
Let's say I have the following request:
curl -v -d '<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<value>
<struct>
<member>
<name>SomeName</name>
<value>SomeValue</value>
</member>
</struct>
</value>
</methodResponse>' -H "Content-Type:text/xml" http://gryzli.info/some_url.php
What I need is to be able to match the REQUEST_BODY against "SomeName" or "SomeValue" as a plain text string.
I have already tried the following things:
1. Trying to match in phase 2, with the following keywords:
SecRule REQUEST_BODY "SomeValue" "phase:2, ....." - No success
SecRule FULL_REQUEST "SomeValue" "phase:2, ....." - No success
SecRule ARGS "SomeValue" "phase:2, ....." - No success
2. In addition to the rules above, I tried to activate these rules in different combinations:
SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,id:100000,t:lowercase,nolog,pass, ctl:requestBodyProcessor=MULTIPART"
OR
SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,id:100000,t:lowercase,nolog,pass, ctl:requestBodyProcessor=URLENCODED"
OR
SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,id:100000,t:lowercase,nolog,pass, ctl:forceRequestBodyVariable=On"
Again – without success.
The real question:
Does anybody know how to match a simple plain text string inside REQUEST_BODY when my client request is of Content-Type: text/xml?
Also, I prefer NOT to use the XML engine, which can parse my XML, because I expect a large performance penalty from doing this.
Best Answer
Finally, I found the answer for matching a plaintext value in XML content-type, here is the example:
Here is what it does:
In "phase:1" (REQUEST_HEADERS phase), match if the Content-Type is "text/xml:". If yes, then change the body processing engine to "URLENCODED".
In "phase:2" (REQUEST_BODY phase), match upon the plaintext string "some_bad_string" and block the request with status code: 500.
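
The two steps described in the answer, written out as ModSecurity 2.x rules. This is an added example, not the answerer's original rules: the rule ids, the log message and the use of REQUEST_BODY as the phase-2 target are assumptions.

```apache
# Added example. Ids 100000/100001 and the msg text are placeholders;
# matching on REQUEST_BODY in phase 2 is an assumption about the original rule.

# Request bodies must be buffered, otherwise phase 2 has nothing to inspect.
SecRequestBodyAccess On

# Phase 1 (request headers): for text/xml requests, force the URLENCODED
# body processor instead of the XML parser. ModSecurity 2.x populates the
# raw REQUEST_BODY variable when the URLENCODED processor handles the body.
SecRule REQUEST_HEADERS:Content-Type "@contains text/xml" \
    "id:100000,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:requestBodyProcessor=URLENCODED"

# Phase 2 (request body): plain substring match on the raw body, then block
# with status 500 as the answer describes.
# Caveats:
#  - The comparison is on the bytes as sent; nothing is XML-decoded, so this
#    is a literal-string check, not a replacement for XML-aware inspection.
#  - The URLENCODED processor also splits the body on '&' and '=' and fills
#    ARGS with whatever falls out, so other rules that inspect ARGS will see
#    fragments of the XML document.
#  - Bodies over SecRequestBodyNoFilesLimit are not handed to this rule in
#    full; size that limit for the largest XML request you expect.
SecRule REQUEST_BODY "@contains some_bad_string" \
    "id:100001,phase:2,t:none,deny,status:500,log,\
    msg:'Plain-text match in text/xml request body'"
```

Sending the curl request from the question with some_bad_string placed inside a <value> element should return a 500 and produce an audit log entry for rule 100001.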