SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

Whitelist format of key HTTP request headers #1144

Open dune73 opened 6 years ago

dune73 commented 6 years ago

We are blacklisting illegal request headers, but with Apache concatenating duplicate headers before we get a chance to count them etc., it makes sense to whitelist the format of several request headers.

Candidates:

This is meant for CRS 3.2.

Also see #1137.
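To illustrate the point made in this first comment, here is an added Python example (not code from the CRS project, and not the rule syntax CRS uses): it simulates a server merging duplicate request headers into one comma-joined value before the WAF sees them, then contrasts a count-based blacklist check with a format-based whitelist check. The header names and the regexes in `HEADER_FORMATS` are assumptions chosen for the example, since the issue does not list its candidate headers; the sample request is constructed.

```python
import re
from collections import defaultdict

# Positive (whitelist) format for a handful of request headers. The header
# choice and the regexes are assumptions for this example, not CRS rules.
HEADER_FORMATS = {
    "content-length": re.compile(r"^\d{1,10}$"),
    "host": re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$"),
    "content-type": re.compile(
        r"^[A-Za-z0-9!#$&^_.+\-]+/[A-Za-z0-9!#$&^_.+\-]+"
        r"(;\s*[A-Za-z0-9\-]+=[^;\r\n]+)*$"
    ),
    "pragma": re.compile(r"^no-cache$", re.IGNORECASE),
}


def apache_merge(raw_headers):
    """Simulate the server joining duplicate headers into one comma-separated
    value before the WAF engine inspects them (the behaviour the issue describes)."""
    merged = {}
    for name, value in raw_headers:
        key = name.lower()
        merged[key] = f"{merged[key]}, {value}" if key in merged else value
    return merged


def count_duplicates(headers):
    """Blacklist-style check: flag header names that occur more than once."""
    counts = defaultdict(int)
    for name, _ in headers:
        counts[name.lower()] += 1
    return sorted(n for n, c in counts.items() if c > 1)


def check_formats(merged_headers):
    """Whitelist-style check: every known header must match its expected format.
    Returns a list of (name, value) pairs that do not match."""
    violations = []
    for name, value in merged_headers.items():
        pattern = HEADER_FORMATS.get(name)
        if pattern and not pattern.match(value):
            violations.append((name, value))
    return violations


# Constructed sample request carrying a duplicated Content-Length header.
SAMPLE_REQUEST = [
    ("Host", "app.example"),
    ("Content-Length", "5"),
    ("Content-Length", "10"),
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("Pragma", "no-cache"),
]


def compare(raw_headers):
    """Run both checks on the raw and the merged view of the same request."""
    merged = apache_merge(raw_headers)
    return {
        "duplicates_before_merge": count_duplicates(raw_headers),
        "duplicates_after_merge": count_duplicates(list(merged.items())),
        "format_violations": check_formats(merged),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

After the merge the duplicate count is zero, so a rule that only counts occurrences sees nothing, while the format check still reports `content-length` because `5, 10` is not a plain integer. That is the advantage of describing what a header must look like rather than enumerating what it must not.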

ghost commented 5 years ago

Let me look into this. I've studied these headers pretty extensively. There are over 100 ones, including crazy ones that are deprecated but you see a lot in legacy apps that might use ModSecurity such as the Pragma header.

dune73 commented 5 years ago

Compared to the other issue you picked, this one is really big and complex as it touches on many different aspects of CRS. If you pick this, it will accompany you for months. By the end, you will understand the inner mechanics of CRS thoroughly, but you could also become overwhelmed along the way. Unsure how to advise you. Smaller bites are probably easier to swallow.

ghost commented 5 years ago

Thanks for the heads up @dune73. Glad I didn't walk into this thinking it was way easier than it actually was. Will not do for the time being.

github-actions[bot] commented 4 years ago

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

dune73 commented 4 years ago

I still plan to follow up on this.