When ModSecurity receives request or response information, it makes a copy of this data and places it into memory. It is on this data in memory that transformation functions are applied. The raw request/response data is never altered. Transformation functions are used to transform a variable before testing it in a rule.
The default transformation function setting is - lowercase, replaceNulls and compressWhitespace (in this order).
The following rule will ensure that an attacker does not use mixed case in order to evade the ModSecurity rule:
SecRule ARG:p "xp_cmdshell" "t:lowercase"multiple tranformation actions can be used in the same rule, for example the following rule also ensures that an attacker does not use URL encoding (%xx encoding) for evasion. Note the order of the transformation functions, which ensures that a URL encoded letter is first decoded and than translated to lower case.
SecRule ARG:p "xp_cmdshell" "t:urlDecode,t:lowercase"
One can use the SetDefaultAction command to ensure the translation occurs for every rule until the next. Note that translation actions are additive, so if a rule explicitly list actions, the translation actions set by SetDefaultAction are still performed.
The following transformation functions are supported:
This function is enabled by default. It converts whitespace characters (32, \f, \t, \n, \r, \v, 160) to spaces (ASCII 32) and then compresses multiple space characters into only one.
This function decode ANSI C escape sequences:
\0OOO (octal). Invalid encodings are left in
This function decodes HTML entities present in input. The following variants are supported:
&#xHH; (where H is any hexadecimal
&#DDD; (where D is any decimal
This function is enabled by default. It converts all charactes to lowercase using the current C locale.
This not an actual transformation function but an instruction to ModSecurity to remove all transformation functions associated with the current rule and start from scratch.
This function will remove multiple slashes, self-references and directory back-references (except when they are at the beginning of the path).
Same as normalisePath, but will first convert backslash characters to forward slashes.
This function replaces each occurence of a C-style comments
/* ... */) with a single space
(multiple consecutive occurences of a space will not be compressed).
Unterminated comments will too be replaced with a space (ASCII 32).
However, a standalone termination of a comment (
*/) will not be acted upon.
This function is enabled by default. It replaces NULL bytes in input with spaces (ASCII 32).
This function decodes an URL-encoded input string. Invalid
encodings (i.e. the ones that use non-hexadecimal characters, or the
ones that are at the end of string and have one or two characters
missing) will not be converted. If you want to detect invalid encodings
operator. The transformational function should not be used against
variables that have already been URL-decoded unless it is your intention
to perform URL decoding twice!
In addition to decoding %xx like
urlDecode, urlDecodeUni also decodes
%uXXXX encoding. If the code is in the range
of FF01-FF5E (the full width ASCII codes), then the higher byte is used
to detect and adjust the lower byte. Otherwise, only the lower byte will
be used and the higher byte zeroed.