I am trying to create a ModSecurity rule which needs to block a request when a parameter doesn't meet a certain regex.
Let's take an email regex as an example: (^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)
and for the parameter: email
Location of the page (needs to be included in the rule): /signup.php
What I tried (but I assume is not correct at all):
    SecRule REQUEST_URI "@contains signup.php" "id:1,t:none,block,chain"
        SecRule ARGS:email "!@rx wtvr" "t:none"
So if someone posts a GET request like: "/signup.php?email=alert..." it will be blocked.
I've found a possible solution:
    SecRule REQUEST_URI "@contains signup.php" "id:1,phase:2,log,deny,status:503,msg:'custom email hack detected',chain"
        SecRule ARGS:email "!@rx (^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)" "t:none"
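
An added example, not part of the original post: the same check matched on REQUEST_FILENAME instead of REQUEST_URI, with a companion rule for requests that carry no email parameter. The rule ids are placeholders, and the second rule assumes that every request to /signup.php is expected to include email.

```apache
# Added example. Ids 100001 and 100002 are placeholders; use ids from your
# own local range. Assumes the script is served at exactly /signup.php.

# Rule 1: deny when any "email" argument fails the pattern from the post.
# REQUEST_URI includes the query string, so "@contains signup.php" also
# matches a request such as /other.php?next=signup.php. REQUEST_FILENAME
# holds only the path, and @streq pins it to the one page.
SecRule REQUEST_FILENAME "@streq /signup.php" \
    "id:100001,\
    phase:2,\
    t:none,\
    log,\
    deny,\
    status:403,\
    msg:'signup.php: email parameter failed format check',\
    chain"
    SecRule ARGS:email "!@rx (^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)" \
        "t:none"

# Rule 2: an operator, negated or not, runs once per existing target. With
# no "email" argument there is nothing to test, so rule 1 does not fire.
# &ARGS:email is the number of "email" arguments; deny when it is zero.
# Leave this rule out if the page is also requested without the parameter
# (for example, to render the empty form).
SecRule REQUEST_FILENAME "@streq /signup.php" \
    "id:100002,\
    phase:2,\
    t:none,\
    log,\
    deny,\
    status:403,\
    msg:'signup.php: email parameter missing',\
    chain"
    SecRule &ARGS:email "@eq 0" \
        "t:none"
```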