Cannot access XML element within a namespace using ModSecurity

Asked by: lostsource Asked: 11/16/2023 Last edited by: lostsource Updated: 11/17/2023 Views: 29

Q:

I have the following rules

SecRule REQUEST_URI "@beginsWith /testing-endpoint" "id:10003,phase:2,t:lowercase,log,msg:'TESTING_SOAP BLOCKED',deny,chain"
SecRule XML:/soap12:Envelope/soap12:Body/level1/level2/data ".*" "id:11003,xmlns:level1=http://www.erpx.example.com/,xmlns:soap12=http://www.w3.example.org/2003/05/soap-envelope,xmlns:xsd=http://www.w3.example.org/2001/XMLSchema,xmlns:xsi=http://www.w3.example.org/2001/XMLSchema-instance"

The ModSecurity rule is meant to access <data>AAAA-BBBB</data> in the following payload

<?xml version="1.0" encoding="ISO-8859-1"?>
<soap12:Envelope xmlns:xsi="http://www.w3.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.example.org/2001/XMLSchema" xmlns:soap12="http://www.w3.example.org/2003/05/soap-envelope">
  <soap12:Body>
    <level1 xmlns="http://www.erpx.example.com/">
      <level2>
        <data>AAAA-BBBB</data>  <!-- Trying to access this -->
        <dataOther>Testing Purposes Only</dataOther>
      </level2>
    </level1>
  </soap12:Body>
</soap12:Envelope>

This is failing; however, if I remove the xmlns attribute from <level1 xmlns="http://www.erpx.example.com/">, everything works as expected.

These are the relevant parts of the log

[170006830474.797743] [/testing-endpoint] [4] (Rule: 11004) Executing operator "Rx" with param ".*" against XML:/soap12:Envelope/soap12:Body/level1/level2/data.
[170006830474.797743] [/testing-endpoint] [4] Registered XML namespace href "http://www.erpx.example.com/" prefix "level1"
[170006830474.797743] [/testing-endpoint] [4] Registered XML namespace href "http://www.w3.org/2003/05/soap-envelope" prefix "soap12"
[170006830474.797743] [/testing-endpoint] [4] Registered XML namespace href "http://www.w3.org/2001/XMLSchema" prefix "xsd"
[170006830474.797743] [/testing-endpoint] [4] Registered XML namespace href "http://www.w3.org/2001/XMLSchema-instance" prefix "xsi"
[170006830474.797743] [/testing-endpoint] [4] Rule returned 0.

I must be missing something obvious. Any idea how I can pass/ignore that namespace?

nginx xml-namespaces mod-security

A:

2 votes Kevin Attard Compagno 11/17/2023 #1

After consulting with the OP, it seems this issue can be solved using the following SecRule:

SecRule XML:/soap12:Envelope/soap12:Body/*[local-name()='level1']/*[local-name()='level2']/*[local-name()='data'] ".*" "id:11003,xmlns:level1=http://www.erpx.example.com/,xmlns:soap12=http://www.w3.example.org/2003/05/soap-envelope,xmlns:xsd=http://www.w3.example.org/2001/XMLSchema,xmlns:xsi=http://www.w3.example.org/2001/XMLSchema-instance"

Comments

0 votes lostsource 11/17/2023
🤦🏻‍♂️ Didn't know the Rule syntax was full-fledged XPath. 👍🏻
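
Why the unprefixed path returned 0 while the local-name() form matched, shown offline as an added example that is not part of the original question or answer: an unprefixed step in a path selects only elements in no namespace, and level1, level2 and data inherit the default namespace declared on level1. The sketch uses Python's xml.etree.ElementTree rather than ModSecurity's own XPath engine; the payload is a constructed, trimmed copy of the one in the question, and `select` and the path constants are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the question's payload (unused xsi/xsd declarations dropped).
PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<soap12:Envelope xmlns:soap12="http://www.w3.example.org/2003/05/soap-envelope">
  <soap12:Body>
    <level1 xmlns="http://www.erpx.example.com/">
      <level2>
        <data>AAAA-BBBB</data>
        <dataOther>Testing Purposes Only</dataOther>
      </level2>
    </level1>
  </soap12:Body>
</soap12:Envelope>"""

# The same prefix-to-URI bindings the rule registers through its xmlns actions.
PREFIXES = {
    "soap12": "http://www.w3.example.org/2003/05/soap-envelope",
    "level1": "http://www.erpx.example.com/",
}

def select(xml_bytes, path):
    """Return the text of every element matched by `path`, relative to the root."""
    root = ET.fromstring(xml_bytes)
    return [el.text for el in root.findall(path, PREFIXES)]

# Paths are relative to the root element (soap12:Envelope), so that step is omitted.
# Unprefixed names: match only elements that are in no namespace.
UNPREFIXED = "soap12:Body/level1/level2/data"
# Every step under Body carries the prefix bound to the default namespace URI.
PREFIXED = "soap12:Body/level1:level1/level1:level2/level1:data"
# ElementTree's any-namespace wildcard (Python 3.8+), the counterpart of
# the answer's *[local-name()='...'] steps.
ANY_NS = "soap12:Body/{*}level1/{*}level2/{*}data"

# What the asker observed: with the default namespace removed, the unprefixed path matches.
STRIPPED = PAYLOAD.replace(b' xmlns="http://www.erpx.example.com/"', b"")

if __name__ == "__main__":
    for label, xml, path in [
        ("unprefixed", PAYLOAD, UNPREFIXED),
        ("prefixed", PAYLOAD, PREFIXED),
        ("any namespace", PAYLOAD, ANY_NS),
        ("xmlns removed", STRIPPED, UNPREFIXED),
    ]:
        print(f"{label:14} {select(xml, path)}")
```

Matching on local names alone ignores which namespace an element belongs to, so a same-named element from any other namespace is inspected as well.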