owasp-modsecurity · Sebitosh · Apr 24, 2025
diff --git a/config_tests/CONF_007_TARGET_ARGS_POST.yaml b/config_tests/CONF_007_TARGET_ARGS_POST.yaml
@@ -0,0 +1,41 @@
+target: ARGS_POST
+rulefile: MRTS_007_ARGS_POST.conf
+testfile: MRTS_007_ARGS_POST.yaml
+templates:
+- SecRule for TARGETS
+colkey:
+- - ''
+- - arg1
+- - arg1
+  - arg2
+- - /^arg_.*$/
+operator:
+- '@contains'
+oparg:
+- attack
+phase:
+- 2
+- 3
+- 4
+testdata:
+  phase_methods:
+    2: post
+    3: post
+    4: post
+  targets:
+    - target: ''
+      test:
+        data:
+          foo: attack
+    - target: arg1
+      test:
+        data:
+          arg1: attack
+    - target: arg2
+      test:
+        data:
+          arg2: attack
+    - target: /^arg_.*$/
+      test:
+        data:
+          arg_foo: attack
diff --git a/config_tests/CONF_008_TARGET_ARGS_POST_NAMES.yaml b/config_tests/CONF_008_TARGET_ARGS_POST_NAMES.yaml
@@ -0,0 +1,41 @@
+target: ARGS_POST_NAMES
+rulefile: MRTS_008_ARGS_POST_NAMES.conf
+testfile: MRTS_008_ARGS_POST_NAMES.yaml
+templates:
+  - SecRule for TARGETS
+colkey:
+  - - ''
+  - - attack1
+  - - attack1
+    - attack2
+  - - /^attack_.*$/
+operator:
+  - '@contains'
+oparg:
+  - attack
+phase:
+  - 2
+  - 3
+  - 4
+testdata:
+  phase_methods:
+    2: post
+    3: post
+    4: post
+  targets:
+    - target: ''
+      test:
+        data:
+          attack: test
+    - target: attack1
+      test:
+        data:
+          attack1: test
+    - target: attack2
+      test:
+        data:
+          attack2: test
+    - target: /^attack_.*$/
+      test:
+        data:
+          attack_foo: test
diff --git a/generated/rules/MRTS_007_ARGS_POST.conf b/generated/rules/MRTS_007_ARGS_POST.conf
@@ -0,0 +1,108 @@
+SecRule ARGS_POST "@contains attack" \
+    "id:100092,\
+    phase:2,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST "@contains attack" \
+    "id:100093,\
+    phase:3,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST "@contains attack" \
+    "id:100094,\
+    phase:4,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST:arg1 "@contains attack" \
+    "id:100095,\
+    phase:2,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST:arg1 "@contains attack" \
+    "id:100096,\
+    phase:3,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST:arg1 "@contains attack" \
+    "id:100097,\
+    phase:4,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST:arg1|ARGS_POST:arg2 "@contains attack" \
+    "id:100098,\
+    phase:2,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST:arg1|ARGS_POST:arg2 "@contains attack" \
+    "id:100099,\
+    phase:3,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST:arg1|ARGS_POST:arg2 "@contains attack" \
+    "id:100100,\
+    phase:4,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST:/^arg_.*$/ "@contains attack" \
+    "id:100101,\
+    phase:2,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST:/^arg_.*$/ "@contains attack" \
+    "id:100102,\
+    phase:3,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST:/^arg_.*$/ "@contains attack" \
+    "id:100103,\
+    phase:4,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
diff --git a/generated/rules/MRTS_008_ARGS_POST_NAMES.conf b/generated/rules/MRTS_008_ARGS_POST_NAMES.conf
@@ -0,0 +1,108 @@
+SecRule ARGS_POST_NAMES "@contains attack" \
+    "id:100104,\
+    phase:2,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST_NAMES "@contains attack" \
+    "id:100105,\
+    phase:3,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST_NAMES "@contains attack" \
+    "id:100106,\
+    phase:4,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST_NAMES:attack1 "@contains attack" \
+    "id:100107,\
+    phase:2,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST_NAMES:attack1 "@contains attack" \
+    "id:100108,\
+    phase:3,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST_NAMES:attack1 "@contains attack" \
+    "id:100109,\
+    phase:4,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST_NAMES:attack1|ARGS_POST_NAMES:attack2 "@contains attack" \
+    "id:100110,\
+    phase:2,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST_NAMES:attack1|ARGS_POST_NAMES:attack2 "@contains attack" \
+    "id:100111,\
+    phase:3,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST_NAMES:attack1|ARGS_POST_NAMES:attack2 "@contains attack" \
+    "id:100112,\
+    phase:4,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST_NAMES:/^attack_.*$/ "@contains attack" \
+    "id:100113,\
+    phase:2,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST_NAMES:/^attack_.*$/ "@contains attack" \
+    "id:100114,\
+    phase:3,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS_POST_NAMES:/^attack_.*$/ "@contains attack" \
+    "id:100115,\
+    phase:4,\
+    deny,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
diff --git a/generated/rules/MRTS_110_XML.conf b/generated/rules/MRTS_110_XML.conf
@@ -1,5 +1,5 @@
 SecRule XML:/* "@beginsWith foo" \
-    "id:100092,\
+    "id:100116,\
     phase:2,\
     deny,\
     t:none,\
@@ -8,7 +8,7 @@ SecRule XML:/* "@beginsWith foo" \
     ver:'MRTS/0.1'"
 
 SecRule XML:/* "@beginsWith foo" \
-    "id:100093,\
+    "id:100117,\
     phase:3,\
     deny,\
     t:none,\
@@ -17,7 +17,7 @@ SecRule XML:/* "@beginsWith foo" \
     ver:'MRTS/0.1'"
 
 SecRule XML:/* "@beginsWith foo" \
-    "id:100094,\
+    "id:100118,\
     phase:4,\
     deny,\
     t:none,\