Channel: Zimbra Forums
Administrators • Re: [SOLVED] Browser sends a JSON with a content-type of XML

You are correct and thanks for sharing.

Another option without whitelisting is to replace that generic rule with 2 rules. Example shown below if your WAF is doing something similar.

Code:

#=========================================================================
# BEGIN Zimbra client says it is sending soap+xml but really it is json and this rule is parsing as xml
#       so work around is to check for both XML and JSON
#
#JAD#SecRule REQBODY_ERROR "!@eq 0" \
#JAD#"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# Workaround is to have to separate rules for each type
#
# detect content type and set tx.is_json when JSON and tx.is_xml when XML
SecRule REQUEST_HEADERS:Content-Type "application/json" "id:'100001',phase:1,t:none,pass,nolog,setvar:tx.is_json=1"
SecRule REQUEST_HEADERS:Content-Type "application/xml|text/xml|application/soap+xml" "id:'100002',phase:1,t:none,pass,nolog,setvar:tx.is_xml=1"
# Evaluate these rules during phase 2 (request body processing)
# Chain the following 2 rules together
#  so If request is JSON and a parsing error
SecRule REQBODY_ERROR "!@eq 0" "id:'300001', phase:2,t:none,chain,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
  SecRule TX:IS_JSON "@eq 1"
# Chain the following 2 rules together
#  so If request is XML and a parsing error
SecRule REQBODY_ERROR "!@eq 0" "id:'300002', phase:2,t:none,chain,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
  SecRule TX:IS_XML "@eq 1"
# END Zimbra
Ref: viewtopic.php?p=309351#p309351

Jim

Statistics: Posted by JDunphy — Thu Feb 22, 2024 10:36 pm
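
An added example, not part of the original post and not ModSecurity code: a small Python model of the post's phase 1 and phase 2 rules, useful for checking which requests the two replacement rules still deny. The sample requests are constructed, and the REQBODY_ERROR value is passed in as an assumption because the rules that select the body parser are not shown on this page.

```python
import re

# Patterns copied from rules 100001 and 100002 in the post above. SecRule
# uses @rx (unanchored regex search) when no operator is named, so the "+"
# in "soap+xml" is a quantifier here, not a literal plus sign.
JSON_RX = re.compile(r"application/json")
XML_RX = re.compile(r"application/xml|text/xml|application/soap+xml")


def phase1_flags(content_type):
    """Rules 100001/100002: derive tx.is_json / tx.is_xml from the header."""
    return {
        "is_json": bool(JSON_RX.search(content_type)),
        "is_xml": bool(XML_RX.search(content_type)),
    }


def phase2_decision(content_type, reqbody_error):
    """Chained rules 300001/300002: deny only when the body failed to parse
    (REQBODY_ERROR != 0) and the matching flag was set in phase 1."""
    flags = phase1_flags(content_type)
    if reqbody_error != 0 and flags["is_json"]:
        return "deny 400 (300001)"
    if reqbody_error != 0 and flags["is_xml"]:
        return "deny 400 (300002)"
    return "pass"


# Constructed sample requests: (description, Content-Type, REQBODY_ERROR).
# REQBODY_ERROR is an input because the body parser is chosen by other rules.
SAMPLES = [
    ("valid JSON", "application/json", 0),
    ("malformed JSON", "application/json; charset=utf-8", 1),
    ("malformed XML", "text/xml", 1),
    ("JSON body labelled soap+xml", "application/soap+xml; charset=utf-8", 1),
    ("parse error, other type", "text/plain", 1),
]

if __name__ == "__main__":
    for label, ctype, err in SAMPLES:
        print(f"{label:30} {ctype:38} -> {phase2_decision(ctype, err)}")
```

Because `+` is a regex quantifier, the header value `application/soap+xml` sets neither flag in this model, so a parse error on such a request is not denied by either rule.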


