ModSecurity

Transformation functions

Transformation functions are used to transform a variable before it is tested by a rule's operator. The following rule ensures that an attacker cannot use mixed case (for example "xp_CmdShell") to evade the rule:

SecRule ARGS:p "xp_cmdshell" "t:lowercase"
Multiple transformation functions can be used in the same rule. For example, the following rule also ensures that an attacker cannot use URL encoding (%xx encoding) for evasion. Note the order of the transformation functions: a URL-encoded letter is first decoded and then converted to lower case. In the reverse order, an encoded upper-case letter such as %53 ("S") would survive the lowercase step and be decoded afterwards, and the rule would not match.

SecRule ARGS:p "xp_cmdshell" "t:urlDecode,t:lowercase"

One can use the SecDefaultAction directive to ensure the transformations are applied to every rule that follows it, until the next SecDefaultAction. Note that transformation actions are additive: if a rule explicitly lists its own transformation functions, the ones set by SecDefaultAction are still performed first, unless the rule starts its list with t:none (see below).

SecDefaultAction t:urlDecode,t:lowercase
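The following is an added example and not ModSecurity's own code: a small Python model of a rule's transformation chain, enough to show why the order of t: actions matters, how SecDefaultAction transformations combine with a rule's own, and how t:none discards the inherited chain. Only urlDecode and lowercase are modelled; the decoding of "+" to a space is this model's assumption, as the page does not mention it. The payload is constructed.

```python
import re

# Added example, not ModSecurity's code: a model of a transformation chain.

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def t_url_decode(value: str) -> str:
    """%xx decoding. Invalid sequences (non-hex digits, or a truncated % / %x at
    the end of the string) are left exactly as they are, as the page describes
    for urlDecode. Turning '+' into a space is an assumption of this model."""
    value = value.replace("+", " ")
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), value)


def t_lowercase(value: str) -> str:
    return value.lower()


TRANSFORMS = {"urlDecode": t_url_decode, "lowercase": t_lowercase}


def parse_transforms(actions: str) -> list:
    """Collect t:NAME entries from an action list, in the order written.
    t:none throws away everything collected so far, including inherited defaults."""
    chain = []
    for action in (a.strip() for a in actions.split(",")):
        if action == "t:none":
            chain = []
        elif action.startswith("t:"):
            chain.append(action[2:])
    return chain


def apply_chain(value: str, chain) -> str:
    """Apply the transformations one after another; order is significant."""
    for name in chain:
        value = TRANSFORMS[name](value)
    return value


def rule_matches(value: str, pattern: str, default_actions: str = "",
                 rule_actions: str = "") -> bool:
    """Default-action transformations run first, the rule's own are appended,
    then the (regex) operator is tested against the transformed value."""
    chain = parse_transforms(default_actions + "," + rule_actions)
    return re.search(pattern, apply_chain(value, chain)) is not None


if __name__ == "__main__":
    evasive = "xp_cmd%53hell"  # constructed payload: %53 is 'S'
    # decode, then lowercase: matches
    print(rule_matches(evasive, "xp_cmdshell", "", "t:urlDecode,t:lowercase"))
    # lowercase, then decode: the 'S' appears after lowercasing, no match
    print(rule_matches(evasive, "xp_cmdshell", "", "t:lowercase,t:urlDecode"))
    # defaults supply the right chain, but t:none in the rule discards them
    print(rule_matches(evasive, "xp_cmdshell",
                       "t:urlDecode,t:lowercase", "t:none,t:lowercase"))
```

Running the block prints True, False, False: the same payload is caught or missed purely by the order of the two transformations, which is the point the rule above makes.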

The following transformation functions are supported:

  1. lowercase (enabled by default) - converts all characters to lowercase using the current C locale.

  2. replaceNulls (enabled by default) - replaces NULL bytes in input with spaces (32).

  3. removeNulls - removes NULL bytes from input.

  4. compressWhitespace (enabled by default) - converts whitespace characters (32, \f, \t, \n, \r, \v, 160) to spaces (32) and then compresses multiple space characters into only one.

  5. removeWhitespace - removes all whitespace characters.

  6. replaceComments - replaces each occurrence of a C-style comment (/* ... */) with a single space (multiple consecutive occurrences of a space will not be compressed). An unterminated comment is also replaced with a space. However, a standalone comment terminator (*/) is not acted upon.

  7. urlDecode - decodes a URL-encoded input string. Invalid encodings (i.e. the ones that use non-hexadecimal characters, or the ones that are at the end of the string and have one or two characters missing) will not be converted. If you want to detect invalid encodings, use the @validateUrlEncoding operator. This transformation function should not be used against variables that have already been URL-decoded unless it is your intention to perform URL decoding twice!

  8. urlEncode - encodes input using URL encoding.

  9. urlDecodeUni - In addition to decoding %xx like urlDecode, urlDecodeUni also decodes %uXXXX encoding (only the lower byte will be used, the higher byte will be discarded).

  10. base64Encode - encodes input string using base64 encoding.

  11. base64Decode - decodes a base64-encoded string.

  12. md5 - calculates an MD5 hash from input.

  13. sha1 - calculates a SHA1 hash from input.

  14. hexDecode - decodes a hex-encoded string.

  15. hexEncode - encodes input as hex-encoded string.

  16. htmlEntityDecode - decodes HTML entities present in input. The following variants are supported:

    • &#xHH and &#xHH; (where H is any hexadecimal digit)

    • &#DDD and &#DDD; (where D is any decimal digit)

    • &quot and &quot;

    • &nbsp and &nbsp;

    • &lt and &lt;

    • &gt and &gt;

  17. escapeSeqDecode - decode ANSI C escape sequences: \a, \b, \f, \n, \r, \t, \v, \\, \?, \', \", \xHH (hexadecimal), \0OOO (octal). Invalid encodings are left in the output.

  18. normalisePath - will remove multiple slashes, self-references and directory back-references (except when they are at the beginning of the path).

  19. normalisePathWin - as above, but will first convert backslash characters to forward slashes.

  20. none - this is not an actual transformation function but an instruction to ModSecurity to remove all transformation functions associated with the current rule (including those inherited from SecDefaultAction) and start from scratch.
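The descriptions of replaceComments, compressWhitespace, normalisePath and normalisePathWin above each carry an edge case (unterminated comments, a standalone */, the 160 non-breaking space, back-references at the beginning of a path). The following added Python block, which is not ModSecurity's code, models those four functions as the page describes them so the edge cases can be checked against constructed payloads. Exact parity with ModSecurity's C implementation is not claimed; what is modelled is the behaviour stated in the list.

```python
# Added example, not ModSecurity's code: models of four transformations
# as described in the documentation, with their stated edge cases.

# Characters that compressWhitespace treats as whitespace: 32, \f, \t, \n, \r, \v, 160
_WS = {" ", "\f", "\t", "\n", "\r", "\v", "\xa0"}


def t_replace_comments(value: str) -> str:
    """Each /* ... */ becomes one space (runs of spaces are NOT compressed).
    An unterminated /* swallows the rest of the input and becomes a space.
    A standalone */ is left alone."""
    out, i, n = [], 0, len(value)
    while i < n:
        if value.startswith("/*", i):
            end = value.find("*/", i + 2)
            out.append(" ")
            if end == -1:          # unterminated comment: drop the remainder
                break
            i = end + 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def t_compress_whitespace(value: str) -> str:
    """Map every whitespace character to a space, then collapse runs to one."""
    out, prev_space = [], False
    for ch in value:
        if ch in _WS:
            if not prev_space:
                out.append(" ")
            prev_space = True
        else:
            out.append(ch)
            prev_space = False
    return "".join(out)


def t_normalise_path(value: str) -> str:
    """Remove repeated slashes and self-references; a back-reference cancels the
    preceding segment, except at the beginning of the path where there is
    nothing to cancel and it is kept."""
    absolute = value.startswith("/")
    trailing = value.endswith("/") and len(value) > 1
    parts = []
    for seg in value.split("/"):
        if seg in ("", "."):       # "//" and "/./"
            continue
        if seg == "..":
            if parts and parts[-1] != "..":
                parts.pop()        # "/a/../" -> "/"
            else:
                parts.append(seg)  # leading "../" survives
        else:
            parts.append(seg)
    result = "/".join(parts)
    if absolute:
        result = "/" + result
    if trailing and result and not result.endswith("/"):
        result += "/"
    return result


def t_normalise_path_win(value: str) -> str:
    """As normalisePath, after converting backslashes to forward slashes."""
    return t_normalise_path(value.replace("\\", "/"))


if __name__ == "__main__":
    # constructed payloads
    print(repr(t_replace_comments("UN/**/ION/*x*/SEL/**/ECT")))   # 'UN ION SEL ECT'
    print(repr(t_replace_comments("SELECT /* no end")))            # 'SELECT  '
    print(repr(t_replace_comments("a */ b")))                      # 'a */ b'
    print(repr(t_compress_whitespace("a\t\t b\xa0\n c")))          # 'a b c'
    print(t_normalise_path("/var//www/./html/../cgi-bin/x"))       # /var/www/cgi-bin/x
    print(t_normalise_path("../../etc/passwd"))                    # ../../etc/passwd
    print(t_normalise_path_win("..\\..\\windows\\system32"))       # ../../windows/system32
```

Two details worth noticing when writing rules: replaceComments deliberately leaves the spaces it produces uncompressed, so a rule that needs a single space between tokens should chain t:compressWhitespace after it; and normalisePath keeps leading back-references, so a pattern such as "^\.\./" still sees traversal attempts that start at the root of the path.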