Description
I propose a new operator that checks if the transformation pipeline ended up with a different result than the original parameter. One idea with this operator would be to check for (multi-)encoded payloads.
Usage example:
```
SecRule ARGS:comment "@checkTransform" "id:1000,deny,phase:2,t:hexDecode"
```
Rule 1000 would thus trigger if ARGS:comment contains hex-encoded stuff.
If you are OK with strings with a single hex encoding, but you want to block double-encoded payloads, then this is the recipe:
```
# Rule 1001 always matches; it stores the hex-decoded value of ARGS:comment in TX:comment_decoded.
SecRule ARGS:comment "@unconditionalMatch" "id:1001,pass,phase:2,t:hexDecode,setvar:TX.comment_decoded=%{MATCHED_VAR}"
# Rule 1002 decodes once more; if that changes the value, the payload was encoded at least twice.
SecRule TX:comment_decoded "@checkTransform" "id:1002,deny,phase:2,t:hexDecode"
```
This can all be done with complicated regexes for every encoding type, I guess. But this proposed operator leverages the transformation in a very simple way.