Transformation functions are used to transform a variable before testing it in a rule. The following rule will ensure that an attacker does not use mixed case in order to evade the ModSecurity rule:
SecRule ARGS:p "xp_cmdshell" "t:lowercase"

Multiple transformation actions can be used in the same rule. For example, the following rule also ensures that an attacker does not use URL encoding (%xx encoding) for evasion. Note the order of the transformation functions, which ensures that a URL-encoded letter is first decoded and then translated to lower case:

SecRule ARGS:p "xp_cmdshell" "t:urlDecode,t:lowercase"

One can use the SecDefaultAction directive to ensure the transformation occurs for every rule until the next one. Note that transformation actions are additive, so if a rule explicitly lists actions, the transformation actions set by SecDefaultAction are still performed.
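As an added illustration (not code from the ModSecurity manual or project), the following Python sketch implements a few of the transformation functions described on this page, keeping their documented edge cases (invalid %xx left untouched, lone */ ignored), and shows why t:urlDecode,t:lowercase must run in that order. The t_* names, apply_chain and rule_matches are this example's own, and the sample payload is constructed.

```python
import re

HEX = set("0123456789abcdefABCDEF")

def t_lowercase(s):
    """lowercase: fold every character to lower case."""
    return s.lower()

def t_url_decode(s):
    """urlDecode: decode valid %xx sequences; invalid or truncated ones stay as-is."""
    out, i, n = [], 0, len(s)
    while i < n:
        if s[i] == "%" and i + 2 < n and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def t_compress_whitespace(s):
    """compressWhitespace: map the listed whitespace bytes to space, then squeeze runs."""
    s = "".join(" " if c in " \f\t\n\r\v\xa0" else c for c in s)
    return re.sub(" +", " ", s)

def t_replace_comments(s):
    """replaceComments: each /* ... */ (or an unterminated /*) becomes one space;
    a standalone */ is left alone and the spaces are not compressed."""
    return re.sub(r"/\*.*?(\*/|$)", " ", s, flags=re.S)

def apply_chain(value, chain):
    """Run the transformation functions in the order given, as t:a,t:b does."""
    for fn in chain:
        value = fn(value)
    return value

def rule_matches(value, chain, needle="xp_cmdshell"):
    """Constructed stand-in for: SecRule ARGS:p "xp_cmdshell" "t:...".
    True when the transformed value contains the needle."""
    return needle in apply_chain(value, chain)

if __name__ == "__main__":
    evasive = "XP_%43mdshell"  # constructed sample: mixed case plus %43, which decodes to 'C'
    print(rule_matches(evasive, [t_url_decode, t_lowercase]))  # True
    print(rule_matches(evasive, [t_lowercase, t_url_decode]))  # False: 'C' appears only after lowercasing
```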
The following transformation functions are supported:
lowercase (enabled by default) - converts all characters to lowercase using the current C locale.
replaceNulls (enabled by default) - replaces NULL bytes in input with spaces (32).
removeNulls - removes NULL bytes from
compressWhitespace (enabled by default) - converts whitespace characters (32, \f, \t, \n, \r, \v, 160) to spaces (32) and then compresses multiple space characters into only
removeWhitespace - removes all whitespace
replaceComments - replaces each occurrence of a C-style comment (/* ... */) with a single space (multiple consecutive occurrences of a space will not be compressed). Unterminated comments will also be replaced with a space. However, a standalone termination of a comment (*/) will not be acted upon.
urlDecode - decodes a URL-encoded input string. Invalid encodings (i.e. the ones that use non-hexadecimal characters, or the ones that are at the end of the string and have one or two characters missing) will not be converted. If you want to detect invalid encodings use the operator. This transformation function should not be used against variables that have already been URL-decoded unless it is your intention to perform URL decoding twice!
urlEncode - encodes input using URL
urlDecodeUni - in addition to decoding %xx like urlDecode, urlDecodeUni also decodes %uXXXX encoding (only the lower byte will be used, the higher byte will be discarded).
base64Encode - encodes input string using
base64Decode - decodes a base64-encoded
md5 - calculates an MD5 hash from
sha1 - calculates a SHA1 hash from
hexDecode - decodes a hex-encoded
hexEncode - encodes input as hex-encoded
htmlEntityDecode - decodes HTML entities present in input. The following variants are supported: &#xHH; (where H is any hexadecimal and &#DDD; (where D is any decimal
escapeSeqDecode - decodes ANSI C escape (octal). Invalid encodings are left in the output.
normalisePath - will remove multiple slashes, self-references and directory back-references (except when they are at the beginning of the path).
normalisePathWin - as above, but will first convert backslash characters to forward slashes.
none - this is not an actual transformation function but an instruction to ModSecurity to remove all transformation functions associated with the current rule and start