Does ModSecurity 2.7.1 work with ASP.NET MVC 3?

asp.net-mvc mod-security

I submitted a bug report for this issue and it has now been fixed in modsecurity 2.7.2. https://www.modsecurity.org/tracker/browse/MODSEC-371


So, I'm a few years late to the party, but I'm working through similar issues now and thought I'd share what I'd found.

It's not really an MVC problem. It might be an IIS problem, though something similar appears to affect NGINX (based on this: https://github.com/SpiderLabs/ModSecurity/issues/664) And it still appears to be an issue in the version of ModSecurity that gets installed via the Web Platform Installer utility and the version that's automatically available in Azure AppService, so if there's a patch available, it probably isn't widely deployed.

Based on (https://github.com/SpiderLabs/ModSecurity/issues/562), I've been setting:

SecStreamInBodyInspection On

..which allows POST bodies through, though I've not found any clear indication as to why. This is a bit unsettling because I'm also not sure what, if any, downsides there might be, but the magic seems to work.

Interestingly, the OWASP CRS rules for ModSecurity set SecRequestBodyInspection but not SecStreamInBodyInspection, which suggests to me that this bug doesn't affect all hosts, but it's definitely a trap for IIS users.

HTH

Related

Strategy for making incremental backups
Can squid cache objects from HTTPS sites?
Centos/OVH: public IP on KVM virtual machine
Interix/SUA SSH server any good?
pam_tally2 or pam_faillock account lockout with ssh
Remote Desktop Licensing mode is not configured in Windows Server2012
Sendmail wont send to same domain
Moving my website to different server changes authentication from Kerberos to NTLM
Can't install mysql 5.1 on a windows machine because the last install left artifacts
JSP / Tomcat / Apache setup overview on Fedora Core
Using Active Directory authentication with Samba on Ubuntu 9.10 server 64bit
Preventing logrotate's dateext from overwriting files