owasp-crs – Page 2 – WindowsTechs.com

OWASP CRS – Is "%00" in request form body is false positive?

Posted on July 22, 2024 by goulashsoup

We have a HTTP POST endpoint for a web form and when sending a request the request has Content-Type: multipart/form-data; boundary=—-WebKitFormBoundaryLOAPHJhA1BQSTatn set.
When the payload contains %00…
——WebKitFormBoundaryLOAPHJh… Continue reading OWASP CRS – Is "%00" in request form body is false positive?→

Modsecurity CRS access denied with response 200?

Posted on July 6, 2024 by navotera

Issue
I have try to inject XSS in an input and the log total of anomaly score is 84 (enough to block the request)
The action return Access denied but why it return 200 code and the action is allowed to be passed to the webserver.
Specifica… Continue reading Modsecurity CRS access denied with response 200?→

Why Owasp-crs does not allow Content-Type: application/x-www-form-urlencoded

Posted on June 29, 2024 by navotera

I try to craft a http post using this curl :
curl -v -X POST "http://example.com/submit.php" -H "Content-Type: application/x-www-form-urlencoded;" –data "email=test@example.com"

Unluckyly, it is got block by… Continue reading Why Owasp-crs does not allow Content-Type: application/x-www-form-urlencoded→

Cannot allow 920600 in crs

Posted on June 28, 2024 by navotera

I have these rules :
SecRule REQUEST_URI "@rx ^/(.*)$" \
"id:94000001,phase:1,t:none,nolog,pass,\
ctl:ruleRemoveById=933120,\
ctl:ruleRemoveById=933150,\
ctl:ruleRemoveById=920210,\
ctl:ruleRemoveById=931… Continue reading Cannot allow 920600 in crs→

Increasing critical_anomaly_score does not block request

Posted on June 21, 2024 by navotera

I am using CRS 4.3.0
I am modify the default crs-setup.conf to increase the anomali_score for critical triggered rules :
"id:900100,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:’OWASP_CRS’,\
ver:’OWASP_CRS/4.3.0… Continue reading Increasing critical_anomaly_score does not block request→

How do I unblock a request uri in Modsecurity CRS?

Posted on June 19, 2024 by Iogui

I have installed a Nginx WAF with Modsecurity CRS. This WAF protects a backend WordPress.
One request from one of the plugins generated a false positive on the Modsecurity with the rule id 933120.
I identified it in the audit log, studied … Continue reading How do I unblock a request uri in Modsecurity CRS?→

Modsecurity only show warning but not blocking?

Posted on June 19, 2024 by navotera

I am using CRS 4.3.0
I try to test is it active :
curl ‘https://example.com/?foo=/etc/passwd&bar=/bin/sh’
curl : The remote server returned an error: (403) Forbidden.

However when using other approach by requesting this url :
curl ‘ht… Continue reading Modsecurity only show warning but not blocking?→

ModSecurity OWASP CRS 3.3.0 false positives on a WordPress site

Posted on June 20, 2021 by skinnedpanda

The following search queries are blocked by ModSecurity and returns a 403 forbidden error:
www.example.com/s=zip+someword &
www.example.com/s=gzip+someword
but not
www.example.com/s=zip & www.example.com/s=gzip
The Apache error_log… Continue reading ModSecurity OWASP CRS 3.3.0 false positives on a WordPress site→

Modsecurity CRS how to deal with field arrays

Posted on February 8, 2021 by Eddie4

I have a question how to deal with whitelisting field arrays in modsecurity. Currently am doing the following:
… ctl:ruleRemoveTargetById=942510;ARGS:_owc_pdc_faq_group[0][pdc_faq_answer]"
… ctl:ruleRemoveTargetById=942510;ARGS:_o… Continue reading Modsecurity CRS how to deal with field arrays→

OWASP CRS Anomaly scoring, ModSecurity WAF

Posted on May 4, 2020 by murad

I’m getting into OWASP CRS with ModSecurity and was investigating the way OWASP calculate the anomaly score in the REQUEST-901-INITIALIZATION.conf they set the following lines:
setvar:’tx.anomaly_score=0′,\
setvar:’tx.anomaly_score_pl1=0′,… Continue reading OWASP CRS Anomaly scoring, ModSecurity WAF→