
Proxy to validate xml with xsd


I've been searching for a while for something that can act as a proxy that I can feed it XSDs to validate xml content within the request body of HTTP traffic.

Does anyone know if such a thing exists on Windows or Linux? I checked out ModSecurity but I am a bit lost on it - I believe SecRule XML may be able to do it, but I can't find how I would go about checking the XML against multiple XSD files to see if it passed any particular one.

validateSchema

Description: This operator requires the request body to be processed as XML.

Example:

    SecDefaultAction log,deny,status:403,phase:2
    SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \
        phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML
    SecRule REQBODY_PROCESSOR "!^XML$" nolog,pass,skip:1
    SecRule XML "@validateSchema /path/to/apache2/conf/xml.xsd"

This operator requires the request body to be processed as XML.

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#validateSchema

I am thinking there is some way of creating chained rule evaluation that allows messages through IF any of the rules are met, but denies the message when none are met.

Thank you!


Solution

  • XML / XSD checking in ModSecurity works, but it's not used by a lot of people (unlike the core functionality of ModSec), so I would not be surprised if you found rough edges. So use with caution and think about alternatives (-> mod_lua, use XML library, etc.).

    What stops you from checking them?

    SecRule XML "@validateSchema /path/to/apache2/conf/xml.xsd"  "phase:2,id:1,log,deny"
    SecRule XML "@validateSchema /path/to/apache2/conf/xml2.xsd" "phase:2,id:2,log,deny"
    

    If done this way, you can also branch and skip rules depending on the context: with Header-X, pass via id:1; with Header-Not-X, pass via id:2.

    If you lack the ModSecurity knowledge to pull this off, then you might want to buy the ModSec Handbook or look at the tutorials at https://netnea.com.
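The "let the request through if it validates against any one of several XSDs, deny it otherwise" behaviour the question asks for, as an added ModSecurity v2 configuration example (not from the original answer, and not from the ModSecurity project's own documentation). It relies on the fact that @validateSchema matches when validation fails: chaining three validateSchema rules means the chain matches, and denies, only when the body fails all three schemas. The schema paths, rule ids, status codes and Content-Type pattern are assumed placeholder values.

```apache
# Added example: accept an XML request body if it validates against ANY of
# several XSDs, deny it otherwise. Schema paths and rule ids are assumed.
SecRuleEngine On
SecRequestBodyAccess On

# Phase 1: route XML bodies to the XML request body processor.
SecRule REQUEST_HEADERS:Content-Type "^(?:text|application)/xml" \
    "id:1000,phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"

# Phase 2: non-XML requests skip the next two rules (a chain counts as one
# rule for skip), so the schema checks only run when a DOM tree exists.
SecRule REQBODY_PROCESSOR "!^XML$" "id:1001,phase:2,nolog,pass,skip:2"

# Malformed XML never builds a DOM tree, so it would not fail @validateSchema
# in a meaningful way; reject it explicitly with the parser's error message.
SecRule REQBODY_ERROR "!@eq 0" \
    "id:1002,phase:2,log,deny,status:400,msg:'Malformed XML body: %{REQBODY_ERROR_MSG}'"

# @validateSchema MATCHES when validation FAILS. All rules in a chain must
# match for the chain to fire, so this denies only when the body fails every
# schema, i.e. the request passes when at least one XSD accepts it.
SecRule XML "@validateSchema /etc/modsecurity/schemas/order.xsd" \
    "id:1003,phase:2,chain,log,deny,status:403,msg:'XML body matched none of the allowed schemas'"
    SecRule XML "@validateSchema /etc/modsecurity/schemas/invoice.xsd" "chain"
        SecRule XML "@validateSchema /etc/modsecurity/schemas/shipment.xsd"
```

Because every @validateSchema rule in the chain has to match before the deny fires, adding a fourth allowed schema is just one more chained line. If, as the answer suggests, a header should decide which schema applies, replace the chain with separate deny rules per schema and use skipAfter with a SecMarker to jump past the ones that do not apply; start with SecRuleEngine DetectionOnly and read the audit log to confirm the validator accepts your real traffic before switching to On.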