I would like to know if ModSecurity is able to perform censorship.
For example, the response of the application is:
{"error": null, "id": "1", "result": [ { "name": "fly", "class": "insect" }, { "name": "spider", "class": "arachnid"} ] }
And we would like to send the following response, without the "spider" part, to the client:
{"error": null, "id": "1", "result": [ { "name": "fly", "class": "insect" } ] }
We need this because the editor of the application is not able to produce such a response with some filter in the request, for example.
I cannot find any information to know if it is possible, and if so how it can be done.
So I've tried with a rule like ...
SecRule RESPONSE_BODY "@rx .*" "id:100,phase:4,exec:/usr/local/bin/change-response-body.lua,allow"
... and a change-response-body.lua script like:
#!/usr/bin/lua
-- ModSecurity Lua script: ModSecurity calls main() and exposes its API in the "m" table.
function main()
    -- Read the buffered response body (only available when SecResponseBodyAccess is On).
    local respBody = m.getvar("RESPONSE_BODY")
    -- some parsing on respBody
    respBody = "just a try"
    -- Attempt to write the modified body back. The Lua API only documents
    -- m.log, m.getvar, m.getvars and m.setvar, and RESPONSE_BODY is not a
    -- writable variable, so neither call changes what is sent to the client.
    m.setenv("RESPONSE_BODY", respBody)
    m.setvar("RESPONSE_BODY", respBody)
    -- Returning a non-nil value makes the rule match.
    return 1
end
And it does not work.
Can you help me with that, please?
Thanks in advance.
Spin
It is possible to do it by applying the action @rsub to the STREAM_OUTPUT_BODY variable. For this to work, you need to set the ModSecurity directives
SecStreamOutBodyInspection and SecContentInjection to On (which may have a negative impact on performance; read the docs).
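A configuration that applies the approach above to the JSON response from the question, written as an added example (it is not from the original thread). The rule id 100100 and the regular expression are assumptions; @rsub is a plain text substitution, so the regex is tied to the element shape shown in the question.

```apache
# Response bodies must be buffered and JSON must be an inspected MIME type,
# otherwise no phase-4 rule sees the body at all.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html application/json

# Required for @rsub on STREAM_OUTPUT_BODY: the output stream buffer must
# exist and ModSecurity must be allowed to replace the body sent to the client.
SecStreamOutBodyInspection On
SecContentInjection On

# Remove the array element whose "name" is "spider", together with the comma
# that precedes it. @rsub is a regex substitution, not a JSON parser: it only
# handles an element that follows another element (as in the question). An
# element that is first in the array has no preceding comma, is not matched,
# and would pass through unchanged; a JSON-aware filter in the application
# is the robust fix.
SecRule STREAM_OUTPUT_BODY "@rsub s/,\s*\{[^{}]*\"name\"\s*:\s*\"spider\"[^{}]*\}//" \
    "id:100100,phase:4,pass,nolog"
```

Verify the result with a client request against the application and compare the returned body against the expected one, since a non-matching regex fails silently (the original body is sent).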