I'm using ModSecurity as WAF on my Apache 2 server. Everything works fine; just when I post bigger JSON data to a special route, the WAF rejects my request since the body is too big → SecRequestBodyLimit.
I would like to restrict it to a low amount, just except for that special route. What can I use for that? I found nothing on the web so far, just examples to exclude some rules, but the request body limit isn't any rule.
This is surprisingly tricky. The standard approach is to set a wide hard limit with SecRequestBodyLimit and then a flexible lower limit that is checked at runtime and denies large requests depending on the URI.
The problem is that the ModSec 2.9.x JSON body processor consumes the request body. The REQUEST_BODY variable is not available in phase 2. So finding out how large the entire JSON was at runtime is not easy. What you can do is check the Content-Length HTTP request header in phase 1 and accept that as good enough.
This results in a rule set as follows:
# Hard limit, enforced by the engine before any rule runs. It must be large
# enough for the biggest JSON the exempt route legitimately receives.
SecRequestBodyLimit 1000

# Jump over the soft size check for the one route that posts large JSON.
SecRule REQUEST_FILENAME "@streq /path/with/large/json" \
    "id:1000,phase:1,pass,log,\
    msg:'URI with large JSON request encountered. Skipping size check',\
    skipAfter:AFTER_SIZE_CHECK"

# Soft limit for every other route, checked against the declared
# Content-Length in phase 1, before the body is read.
SecRule REQUEST_HEADERS:Content-Length "@gt 100" \
    "id:1001,phase:1,deny,log,msg:'Request too large'"

SecMarker AFTER_SIZE_CHECK
Adjust numbers to your needs and remove the log from rule 1000 after testing.
There are ways for an attacker to submit larger requests without setting the Content-Length header. I suggest you work with the OWASP ModSecurity Core Rule Set (CRS). It comes with rules to prevent that.
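As an added example (not part of the original answer, and not from the ModSecurity project itself), here is the same hard-limit/soft-limit scheme written out with the two details a deployment usually trips over: ModSecurity 2.x also applies SecRequestBodyNoFilesLimit to bodies without file uploads, so a JSON body larger than its default will still be rejected unless that directive is raised too, and a body sent with Transfer-Encoding: chunked carries no Content-Length and so would slip past the phase-1 soft check. The route /api/bulk-import, the rule IDs and the byte sizes are placeholders chosen for this example.

```apache
# Added example configuration for mod_security2 on Apache (not from the original answer).
# Route name, rule IDs and sizes are assumptions; adjust them to your deployment.

SecRequestBodyAccess On

# Hard limit applied by the engine to every request before phase 2 runs,
# regardless of what the headers claim. Size it for the largest body the
# exempt route legitimately receives (here 1 MiB).
SecRequestBodyLimit 1048576
# JSON bodies contain no file uploads, so this limit applies to them as well;
# it must be at least as large as SecRequestBodyLimit for the large route.
SecRequestBodyNoFilesLimit 1048576
# Reject oversized bodies outright instead of inspecting only the first part.
SecRequestBodyLimitAction Reject

# Exempt the one route that legitimately posts large JSON from the soft checks.
SecRule REQUEST_FILENAME "@streq /api/bulk-import" \
    "id:1000,phase:1,pass,nolog,\
    msg:'Large JSON route, skipping soft size check',\
    skipAfter:AFTER_SIZE_CHECK"

# Soft limit for every other route: deny when the declared body exceeds 4 KiB.
SecRule REQUEST_HEADERS:Content-Length "@gt 4096" \
    "id:1001,phase:1,deny,status:413,log,\
    msg:'Declared request body larger than soft limit'"

# A chunked body has no Content-Length, so rule 1001 cannot measure it.
# Refuse it on the restricted routes; the hard limit above still protects
# the exempt route, which is the only one reached with chunked bodies.
SecRule REQUEST_HEADERS:Transfer-Encoding "@rx (?i)chunked" \
    "id:1002,phase:1,deny,status:411,log,\
    msg:'Chunked request body on a route with a soft size limit'"

SecMarker AFTER_SIZE_CHECK
```

Both skipAfter and the marker live in phase 1, which is required: skipAfter only jumps within the current phase, and the Content-Length and Transfer-Encoding headers are the only size information available before the body is read. Test by sending a request above 4 KiB to a normal route (expect 413), the same body to /api/bulk-import (expect it to pass), and a chunked request to a normal route (expect 411).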