SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

Crazy Long Processing time of XML of a certain kinda payload body. #1724

Open jeremyjpj0916 opened 4 years ago

jeremyjpj0916 commented 4 years ago

Describe the bug

Seems an application/xml payload that uses lots of &gt; and &lt; chars in the place of the actual < >'s will cause insane WAF processing time (you end up with one fairly large XML element containing all this data as a string in the long-running XML one).

With regular < >'s keeping a full XML schema+elements the whole time: 3.7 seconds e2e on a 450kb payload for me.

With the > and < chars in the place of the actual < >'s: 40+ seconds e2e 549kb payload

Unsure currently what rule it's hanging on, I suppose DEBUG mode would give us some insight on what eats the most time.

Steps to reproduce

Non-issue case HTTP Post body example:

WorkingPayload.txt

Issue case HTTP Post body example:

ShrektPayload.txt

Expected behaviour

Would not have expected the WAF to hang and process the XML body this long.

Actual behaviour

Additional context

Your Environment
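A small timing harness for the two body shapes described above (many real elements vs. one element holding entity-escaped markup), as an added example that is not part of this issue or the CRS project; the endpoint URL is an assumption and the payloads are constructed inline.

```python
"""Compare WAF end-to-end time for 'plain' vs 'entity-escaped' XML bodies."""
import time
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def build_plain_payload(target_bytes: int) -> bytes:
    """XML body made of many real <item> elements (the non-issue shape)."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>', "<records>"]
    i, body_len = 0, 0
    while body_len < target_bytes:
        elem = f'<item id="{i}"><name>record-{i}</name><value>{i * 7}</value></item>'
        parts.append(elem)
        body_len += len(elem)
        i += 1
    parts.append("</records>")
    return "".join(parts).encode()


def build_escaped_payload(target_bytes: int) -> bytes:
    """Same markup, but entity-escaped (&lt; &gt;) inside ONE text node (the issue shape)."""
    inner = build_plain_payload(target_bytes).decode()
    wrapped = '<?xml version="1.0"?><wrapper><payload>' + escape(inner) + "</payload></wrapper>"
    return wrapped.encode()


def count_elements(body: bytes) -> int:
    """Number of XML elements the parser actually sees (escaped markup is just text)."""
    return sum(1 for _ in ET.fromstring(body).iter())


def time_post(url: str, body: bytes, timeout: float = 120.0) -> tuple:
    """POST the body as application/xml; return (HTTP status, elapsed seconds)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/xml"})
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # a WAF block (e.g. 403) still yields a valid timing
    return status, time.perf_counter() - start


if __name__ == "__main__":
    URL = "http://localhost:8080/ExampleService/v1"  # hypothetical WAF-fronted endpoint
    for label, body in (("plain", build_plain_payload(450_000)),
                        ("escaped", build_escaped_payload(450_000))):
        status, secs = time_post(URL, body)
        print(f"{label:8s} {len(body):7d} bytes  {count_elements(body):6d} elems  HTTP {status}  {secs:.2f}s")
```

Run it against a staging instance with the CRS enabled and then with a given rule removed via ctl:ruleRemoveById to bisect which rule accounts for the time.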

jeremyjpj0916 commented 4 years ago

Update: Did remove 200000 on my test for this call to see if it removed the slowness (ModSec XML Parse rule), and it did not make things faster.

jeremyjpj0916 commented 4 years ago

Ran some more tests tonight, nothing fixed it until I straight up disabled the engine:

# Had to disable to fix the "slow processing" issue.
# Matches requests to the affected service in phase 1 and turns the rule engine off
# for them; the ruleRemove* actions below were earlier attempts that did not help.
SecRule REQUEST_URI "@contains /ExampleService/v" \
    "id:14,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleEngine=Off,\
    ctl:ruleRemoveById=920273,\
    ctl:ruleRemoveById=920272,\
    ctl:ruleRemoveById=920260,\
    ctl:ruleRemoveById=920240,\
    ctl:ruleRemoveById=931110,\
    ctl:ruleRemoveById=200000,\
    ctl:ruleRemoveById=920470,\
    ctl:ruleRemoveTargetById=941160;XML:/*"

URI edited for privacy reasons here :P . But yeah unsure where the slowdown is...