Injecting data into responses
ModSecurity allows us to inject data into the response sent back to the client if the directive SecContentInjection is set to On. This is possible because the rule engine buffers the response body and gives us the opportunity to either put data in front of the response (prepending) or append it to the end of the response. The actions to use are appropriately named prepend and append.
Content injection allows us to do some really cool things. One trivial example, just to show how the technique works, would be to inject JavaScript code that displays the message "Stop trying to hack our site!" whenever we detected a condition that wasn't severe enough to block the request, but where we did want to issue a warning to any would-be hackers:
SecRule ARGS:username "%" "phase:1,allow,t:urlDecode,append:'<script type=text/javascript>alert(\"Stop trying to hack our site!\");</script>',log,msg:'Potential intrusion detected'"
The above detects when someone tries...
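As an added example (not taken from the book and not part of ModSecurity's own documentation), the configuration below produces the same warning but splits the work across two phases so that the response Content-Type is checked before anything is appended: the phase 1 rule only records the detection in a transaction variable, and a chained phase 3 rule appends the script only when the response is an HTML document, because appending a script tag to JSON, images or file downloads corrupts them for the client. The rule ids, the variable name tx.warn_user and the comments are constructed for this example; the directives and actions used (SecRuleEngine, SecContentInjection, setvar, chain, append, RESPONSE_CONTENT_TYPE) are standard ModSecurity 2.x.

```apache
# Added example, not from the book. Enable the injection engine; its
# default is Off, and with it Off the prepend and append actions do nothing.
SecRuleEngine On
SecContentInjection On

# Phase 1 (request headers): detect the condition but do not inject yet.
# Instead of 'allow' plus 'append', record the hit in a transaction
# variable so a later phase can decide whether injection is safe.
# The rule ids and tx.warn_user are constructed for this example.
SecRule ARGS:username "%" \
    "id:900100,phase:1,pass,t:urlDecode,log,msg:'Potential intrusion detected',setvar:tx.warn_user=1"

# Phase 3 (response headers): the Content-Type is known here. Append the
# warning only when the response is HTML. The appended text is a fixed
# literal: never expand request data (for example %{ARGS.username}) into it,
# or the warning itself becomes a reflected script injection point.
SecRule TX:warn_user "@eq 1" \
    "id:900101,phase:3,pass,nolog,chain"
    SecRule RESPONSE_CONTENT_TYPE "^text/html" \
        "t:lowercase,append:'<script type=\"text/javascript\">alert(\"Stop trying to hack our site!\");</script>'"
```

The split also makes staging easier: with SecContentInjection left Off, the phase 1 rule still logs the event, so the detection can be tuned on production traffic before any response is modified.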