WAF rules use an XML variable (with an XPath expression) to specify XML request body fragments that must be examined.
Example:
SecRule XML:/* text_to_match "id:1,phase:2,log,deny,status:403"
If the text representation of an XML request matches text_to_match, the WAF blocks the request. XML exceptions are also specified using XPath expressions, for example XML:/*.
WAF rules use the XML:/* expression to enable processing of the whole XML request body. Using XPath expressions in WAF exceptions is a powerful way to configure the WAF to skip checks for the whole XML document or to selectively exclude only parts of the XML document from WAF inspection.
In the common scenario in which a CRS rule generates a false-positive WAF hit, it should be sufficient to follow the steps described in the Recommended Assisted Workflow section to disable XML processing by that rule. A user can also manually configure an exception and specify the XPath expression that excludes parts of the document from WAF rule processing.
Example: XML request body:
<example> <username>joe</username> <password>!@#$%</password> </example>
The WAF rule generates a hit:
match element: XML:/*
When following the Recommended Assisted Workflow option, the match element XML:/* is used to disable processing of the whole XML document by rule 12345. You can also create a rule-level exception and specify the match element as XML:/example/password to exclude only the element responsible for the WAF hit. As a result, the WAF continues to examine the remaining parts of the XML document.
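The following is an added illustration, not code from the original documentation or from the WAF vendor: a small Python model of how the XPath in an XML variable selects the text fragments a rule examines, and how an exception XPath (XML:/* versus XML:/example/password) removes fragments from that inspection. The regex standing in for the CRS check, the helper names, and the assumption that an exception skips the whole selected subtree are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the request body from the example above.
SAMPLE_BODY = "<example><username>joe</username><password>!@#$%</password></example>"

def select(root, xpath):
    """Evaluate the XPath subset used by the XML variable here: absolute paths of
    child steps naming an element or '*', e.g. '/*' or '/example/password'.
    (Hypothetical helper, not the WAF's own XPath engine.)"""
    if not xpath.startswith("/"):
        raise ValueError("only absolute XPath expressions are supported: %r" % xpath)
    steps = xpath.strip("/").split("/")
    if steps[0] not in ("*", root.tag):   # the first step is matched against the root
        return []
    nodes = [root]
    for step in steps[1:]:
        nodes = [c for n in nodes for c in n if step in ("*", c.tag)]
    return nodes

def inspected_text(root, inspect_xpath, exclude_xpaths):
    """Text fragments the rule examines: everything under inspect_xpath,
    minus the whole subtrees selected by any exception XPath."""
    excluded = {id(n) for xp in exclude_xpaths for n in select(root, xp)}
    out = []
    def walk(elem):
        if id(elem) in excluded:
            return                          # exception applies: skip this subtree
        if elem.text and elem.text.strip():
            out.append(elem.text.strip())
        for child in elem:
            walk(child)
            if child.tail and child.tail.strip():
                out.append(child.tail.strip())
    for node in select(root, inspect_xpath):
        walk(node)
    return out

def rule_hits(body, pattern, inspect_xpath="/*", exclude_xpaths=()):
    """Fragments matching the rule's regex after exceptions are applied.
    A non-empty list means the rule fires (log/deny)."""
    regex = re.compile(pattern)
    root = ET.fromstring(body)
    return [t for t in inspected_text(root, inspect_xpath, exclude_xpaths) if regex.search(t)]

if __name__ == "__main__":
    # Constructed pattern standing in for a CRS check that trips on the password's symbols.
    pat = r"[!@#$%]{3,}"
    print(rule_hits(SAMPLE_BODY, pat))                                          # ['!@#$%']
    print(rule_hits(SAMPLE_BODY, pat, exclude_xpaths=["/*"]))                   # []
    print(rule_hits(SAMPLE_BODY, pat, exclude_xpaths=["/example/password"]))    # []
    print(rule_hits(SAMPLE_BODY, "joe", exclude_xpaths=["/example/password"]))  # ['joe']
```

The last call shows the point of the narrower exception: the username element is still examined after the password element is excluded.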