CRS for limiting path names length/count


Alex Hautequest

Jun 30, 2020, 7:08:14 AM
to ModSecurity Core Rule Set project
While CRS offers a way to block requests based on the length of argument names or argument values, I am unable to find anything about path name length or path name count.

ModSecurity blocks buffer overflow attempts such as /file.xyz?aaaaaa(...) (where (...) means a large number of repetitions), but I'm seeing a lot of attempts using /aaaaaaa(...)/file.xyz or /a/a/a/a(...)/file.xyz getting through.

Since I know how deep my content would be, is there any action I can enable to restrict this?

Christian Folini

Jun 30, 2020, 7:50:47 AM
to Alex Hautequest, ModSecurity Core Rule Set project
Hey Alex,

There is no prepared rule for this. So you may want to write one yourself.

SecRule REQUEST_FILENAME "@gt 1024" "...,block,t:length, ..."

should do the job. REQUEST_URI if you want the query string as well.

Cheers,

Christian
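
Added example, not part of the original thread and not a CRS rule: the length rule from the reply written out in full, plus two regex rules for the path depth and single long segment cases raised in the question. The rule ids 10001-10003 and the limits 8 and 256 are assumed placeholders; only the 1024 limit comes from the reply.

```apache
# Added example. Rule ids and the depth/segment limits are placeholders:
# use ids from your own local range and limits that match your content.
# "block" applies whatever disruptive action SecDefaultAction sets for the
# phase; replace it with "deny,status:403" to reject regardless of that.

# 1. Total path length (query string excluded), as suggested in the reply.
#    t:length turns the path into its length, which @gt compares to 1024.
SecRule REQUEST_FILENAME "@gt 1024" \
    "id:10001,\
    phase:1,\
    block,\
    log,\
    t:none,t:length,\
    msg:'Request path too long'"

# 2. Path depth: more than 8 non-empty segments (/a/a/a/a/.../file.xyz).
#    "/+" treats repeated slashes as one separator so "//" is not counted
#    as an extra segment.
SecRule REQUEST_FILENAME "@rx ^(?:/+[^/]+){9,}" \
    "id:10002,\
    phase:1,\
    block,\
    log,\
    t:none,\
    msg:'Request path too deep'"

# 3. One over-long segment (/aaaaaaa.../file.xyz) that stays under the
#    total limit of rule 1: any run of 256 or more non-slash characters.
SecRule REQUEST_FILENAME "@rx [^/]{256,}" \
    "id:10003,\
    phase:1,\
    block,\
    log,\
    t:none,\
    msg:'Request path segment too long'"
```

Running the rules in phase 1 rejects the request before the body is read. Swap REQUEST_FILENAME for REQUEST_URI in rule 1 to include the query string, as the reply notes.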