I am trying to create modsecurity rule which needs to block a request when a parameter doesn’t meet a certain regex.
Let’s take an email regex as example: (^[a-zA-Z0-9_.±]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$)
and for the parameter: email
location of the page (needs to be included in the rule): /signup.php
What I tried (but I assume is not correct at all):
SecRule FILES_NAMES|FILES “['/signup.php”;=]" ARGS:email “!@rx ^(^[a-zA-Z0-9_.±]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$)$” block
So if someone posts a get request like: “/signup.php?email=alert…” it will be blocked.
You can use following rule template for your purposes:
SecRule REQUEST_FILENAME "[at-bypass]contains /signup.php" "id:10, log, deny, status:403, msg:'your-message', chain, t:'none', t:'lowercase'" SecRule ARGS:email "![at-bypass]rx your-regular-expression" "t:'none'"
Replace data in this template to meet your requirements. Also I haven’t tested this rule, so let me know if something going wrong.