-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Malicious POST request logged as GET request in audit logs #3302
Comments
I have conducted a further investigation and can note that even a request which triggerers a CRS rule has the same issue.
In the audit logs this is logged as a GET and not a POST. |
I believe this issue relates to the REQUEST_METHOD being reset on redirection: Issue My Nginx configuration involves a redirect:
There is a workaround metioned by @hator
|
This issue seems to be a duplicate of another issue opened earlier in the Modsecurity-Nginx connector Issue Hence I am closing it. |
Describe the bug
I have created a custom rule to detect the word
confidential
in theREQUEST_BODY
. If the word is detected, the action to undertake isdeny
. However when I make thisPOST
request the request is logged as aGET
in the audit logs.Here is the custom rule:
Logs and dumps
Audit Logs
Debug Logs (Level 9)
Modsecurity-Debug-Logs-Level-9.txt
A more closer view:
In the logs above you can see that for the same
unique_id
8f198db9483934603d69ce8654326042, theREQUEST_METHOD
variable value changes fromPOST
toGET
Error Logs:
In the error log the same request gets logged twice, it gets logged as POST request.
To Reproduce
POST
endpoint in the server/webApp protected by the WAF.Curl Command
curl --location 'http://<domain>/check' \ --header 'Content-Type: application/json' \ --data '{"confidential":true}'
Expected behavior
The audit logs should log the request as
POST
and notGET
.Server (please complete the following information):
Rule Set (please complete the following information):
Additional context
I can see that the transaction starts again when the custom rule is triggered.
I am not sure if this is the expected behaviour from the backed. After this process it seems that the request goes through all the 4 phases again, however this time the
REQUEST_METHOD
becomesGET
The text was updated successfully, but these errors were encountered: