We're trying to define a few rules in order to start handling XXE payloads. The problem (as you can see here: SpiderLabs/owasp-modsecurity-crs#1320 (comment)) is that when the request comes with a Content-Type that matches rule 200000, and the body processor is set to XML, we can't access REQUEST_BODY and we also can't copy it elsewhere (something like setvar:tx.reqbody=%{REQUEST_BODY}).
We need it in order to match something like: SecRule REQUEST_BODY "@rx <!ENTITY\s+[^\s]+\s+(?!:SYSTEM|PUBLIC)"
Do you have any idea about how to get the REQUEST_BODY content somewhere when XML Processor is active?
Thanks!
To clarify, is the question here really only pertaining to v2.9?
In 3.x, REQUEST_BODY should successfully be populated even if the XML body processor has been engaged. (I believe this change of behaviour for when REQUEST_BODY has been populated was an intentional one for v3.x -- although, granted, question has been raised as to whether this is the best way forward ( #2146 ). )
For v2.9, if the XML body processor has been defined for that transaction, then I don't believe there is any way to also have REQUEST_BODY be populated.
There are some workarounds that might be usable in specific cases -- like a specific vulnerable url could turn off the XML parsing engine. If you're trying to write a CRS-style generic rule, however, that won't generally be a practical option.
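A concrete form of the per-URL workaround mentioned in the reply above, as an added example that is not from the issue thread: the location path and rule ids are hypothetical, the entity regex is the one the issue itself quotes, and it assumes ModSecurity 2.9 on Apache with SecRequestBodyAccess On already configured.

```apache
# Added example, not from the issue. Path, rule ids and the Content-Type
# pattern are constructed; the entity regex is copied as the issue wrote it.
<Location /soap/upload>
    # Drop the stock rule that switches the body processor to XML for XML
    # content types, so that no body processor is engaged for this path.
    SecRuleRemoveById 200000

    # With no body processor engaged, force the raw body into REQUEST_BODY
    # (ctl:forceRequestBodyVariable, ModSecurity 2.5.7+). This must run in
    # phase 1, before the request body is read.
    SecRule REQUEST_HEADERS:Content-Type "@rx (?:application(?:/soap\+|/)|text/)xml" \
        "id:1000001,phase:1,t:none,t:lowercase,nolog,pass,ctl:forceRequestBodyVariable=On"

    # The raw XML is now inspectable in phase 2 with the rule from the issue.
    SecRule REQUEST_BODY "@rx <!ENTITY\s+[^\s]+\s+(?!:SYSTEM|PUBLIC)" \
        "id:1000002,phase:2,t:none,log,deny,status:403,msg:'Possible XXE: entity declaration in request body'"
</Location>
```

The trade-off is the one the reply implies: without the XML body processor, XML-specific variables and checks (XML:/*, validation) are unavailable for that path, so this is a per-endpoint measure rather than a generic CRS-style rule.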