kys8

conf/modsecurity.conf

@@ -1,6 +1,6 @@
 SecRuleEngine On
 SecRequestBodyAccess On
-SecResponseBodyAccess Off
+SecResponseBodyAccess On
 SecDebugLog /var/log/modsecurity/debug.log
 SecDebugLogLevel 0
 SecAuditLogParts ABIJ
@@ -20,11 +20,11 @@ SecRule ARGS "(\"role\".*:.*\"admin\")|exec|cat|more|ls|dir|/etc/passwd" \
     "id:950006,phase:2,deny,status:403,msg:'Command Injection Detected',log"
 
 # path traversal
-SecRule ARGS "(\./|\.\./)|ftp|metrics|api-docs" \
+SecRule ARGS "\%00|\%2500|(\./|\.\./)|ftp|metrics|api-docs" \
     "id:950007,phase:2,deny,status:403,msg:'Path Traversal Attempt',log"
 
 # exposed stuff
-SecRule REQUEST_URI "ftp|metrics|api-docs" \
+SecRule REQUEST_URI "\%00|\%2500|ftp|metrics|api-docs" \
     "id:950008,phase:2,deny,status:500,msg:'Attempt to access ftp, metrics, api-docs',log"
 
 # rate limiting on login endpoint