Does ModSecurity 2.7.1 work with ASP.NET MVC 3?

I submitted a bug report for this issue and it has now been fixed in ModSecurity 2.7.2. https://www.modsecurity.org/tracker/browse/MODSEC-371


So, I'm a few years late to the party, but I'm working through similar issues now and thought I'd share what I'd found.

It's not really an MVC problem. It might be an IIS problem, though something similar appears to affect NGINX (based on this: https://github.com/SpiderLabs/ModSecurity/issues/664). And it still appears to be an issue in the version of ModSecurity that gets installed via the Web Platform Installer utility and the version that's automatically available in Azure AppService, so if there's a patch available, it probably isn't widely deployed.

Based on (https://github.com/SpiderLabs/ModSecurity/issues/562), I've been setting:

SecStreamInBodyInspection On

...which allows POST bodies through, though I've not found any clear indication as to why. This is a bit unsettling because I'm also not sure what, if any, downsides there might be, but the magic seems to work.

Interestingly, the OWASP CRS rules for ModSecurity set SecRequestBodyInspection but not SecStreamInBodyInspection, which suggests to me that this bug doesn't affect all hosts, but it's definitely a trap for IIS users.

HTH