WAF rules use an XML variable (with an XPath expression) to specify XML request body fragments that must be examined.

Example:

SecRule XML:/* text_to_match "id:1,phase:2,log,deny,status:403".

If a text representation of an XML request matches text_to_match, the WAF blocks the request. XML Exceptions are also specified using the XPath expressions, for example, ‘XML:/*’.

WAF rules use XML:/* expression to enable processing of the whole XML request body. Using XPath expressions in WAF Exceptions is a powerful way to configure WAF to skip checks for the whole XML document or to selectively exclude only parts of the XML document from WAF inspection.

In a common scenario, when a CRS rule generates a false positive WAF hit, it must be sufficient to follow the steps described in the Recommended Assisted Workflow section to disable XML processing by a given rule. It is also possible for a user to manually configure an exception and specify the XPath expression to exclude parts of the document from WAF rules processing.

Example: XML request body:

<example>
<username>joe</username>
<password>!@#$%</password>
</example>

The WAF rule generates a hit:

match element: XML:/*

When following the Recommended Assisted Workflow option, the match element XML:/* is used to disable processing of the whole XML document from the rule 12345. You can also create a rule-level exception and specify the match element as XML:/example/password​ to exclude only an element responsible for a WAF hit. As a result, WAF will continue examining of the remaining parts of the XML document.