When ModSecurity receives request or response information, it makes a copy of this data and places it into memory. It is on this data in memory that transformation functions are applied. The raw request/response data is never altered. Transformation functions are used to transform a variable before testing it in a rule.
Note
There are no default transformation functions as there were in previous versions of ModSecurity.
The following rule will ensure that an attacker does not use mixed case in order to evade the ModSecurity rule:
SecRule ARGS:p "xp_cmdshell" "t:lowercase"
multiple transformation actions can be used in the same rule, for example
the following rule also ensures that an attacker does not use URL encoding
(%xx encoding) for evasion. Note the order of the transformation
functions, which ensures that a URL encoded letter is first decoded and
than translated to lower case.SecRule ARGS:p "xp_cmdshell" "t:urlDecode,t:lowercase"
One can use the SecDefaultAction command to ensure the translation occurs for every rule until the next. Note that transformation actions are additive, so if a rule explicitly list actions, the translation actions set by SecDefaultAction are still performed.
SecDefaultAction t:urlDecode,t:lowercase
The following transformation functions are supported:
It converts whitespace characters (32, \f, \t, \n, \r, \v, 160) to spaces (ASCII 32) and then compresses multiple consecutive space characters into one.
Decodes CSS-encoded characters, as specified at http://www.w3.org/TR/REC-CSS2/syndata.html.
This function uses only up to two bytes in the decoding process, meaning
it is useful to uncover ASCII characters (that wouldn't normally be
encoded) encoded using CSS encoding, or to counter evasion which is a
combination of a backslash and non-hexadecimal characters (e.g.
ja\vascript
is equivalent to
javascript
).
This function decode ANSI C escape sequences: \a
, \b
,
\f
, \n
, \r
,
\t
, \v
, \\
,
\?
, \'
, \"
,
\xHH
(hexadecimal), \0OOO
(octal). Invalid encodings are left in
the output.
This function decodes HTML entities present in input. The following variants are supported:
&#xHH
and &#xHH;
(where H is any hexadecimal
number)
&#DDD
and &#DDD;
(where D is any decimal
number)
"
and "
 
and
<
and <
>
and >
This function will convert any entity into a single byte only, possibly resulting in a loss of information. It is thus useful to uncover bytes that would otherwise not need to be encoded, but it cannot do anything with the characters from the range above 255.
Decodes JavaScript escape sequences. If a
\uHHHH
code is in the range of
FF01
-FF5E
(the full width ASCII
codes), then the higher byte is used to detect and adjust the lower
byte. Otherwise, only the lower byte will be used and the higher byte
zeroed.
This function calculates an MD5 hash from input. Note that the
computed hash is in a raw binary form and may need encoded into text to
be usable (for example: t:md5,t:hexEncode
).
Not an actual transformation function, but an instruction to ModSecurity to remove all transformation functions associated with the current rule.
This function will remove multiple slashes, self-references and directory back-references (except when they are at the beginning of the input).
Same as normalisePath
, but will first convert
backslash characters to forward slashes.
This function calculates even parity of 7-bit data replacing the 8th bit of each target byte with the calculated parity bit.
This function calculates odd parity of 7-bit data replacing the 8th bit of each target byte with the calculated parity bit.
This function calculates zero parity of 7-bit data replacing the 8th bit of each target byte with a zero parity bit which allows inspection of even/odd parity 7bit data as ASCII7 data.
This function replaces each occurrence of a C-style comments
(/* ... */
) with a single space
(multiple consecutive occurrences of a space will not be compressed).
Unterminated comments will too be replaced with a space (ASCII 32).
However, a standalone termination of a comment (*/
) will not be acted upon.
This function is enabled by default. It replaces NULL bytes in input with spaces (ASCII 32).
This function decodes an URL-encoded input string. Invalid
encodings (i.e. the ones that use non-hexadecimal characters, or the
ones that are at the end of string and have one or two characters
missing) will not be converted. If you want to detect invalid encodings
use the @validateUrlEncoding
operator. The transformation function should not be used against
variables that have already been URL-decoded unless it is your intention
to perform URL decoding twice!
In addition to decoding %xx
like urlDecode, urlDecodeUni
also decodes %uXXXX
encoding. If the code is in the range
of FF01
-FF5E
(the full width ASCII
codes), then the higher byte is used to detect and adjust the lower
byte. Otherwise, only the lower byte will be used and the higher byte
zeroed.
This function calculates a SHA1 hash from input. Note that the
computed hash is in a raw binary form and may need encoded to be usable
(for example: t:sha1,t:hexEncode
).