Closed ErazerBrecht closed 5 months ago
Smaller reproduction: this loads a minimal set of rules but still has the same problem.
{
    order coraza_waf first
}
:80 {
    coraza_waf {
        load_owasp_crs
        directives `
            Include /opt/coraza/config/coraza.conf
            Include /opt/coraza/config/crs-setup.conf
            Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
            Include @owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf
            Include /opt/coraza/config/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
        `
    }
}
Hi @ErazerBrecht, thanks for the report and the examples. SecRuleUpdateTargetByTag is currently not supported, but the implementation should be quite straightforward and definitely needed. I'm planning to open a PR this week, hopefully even tomorrow.
I opened https://github.com/corazawaf/coraza/pull/1020 which should address the implementation of SecRuleUpdateTargetByTag.
If you wish to early test it, you can point to this coraza-caddy branch: https://github.com/corazawaf/coraza-caddy/tree/updatetargetbytag, which already brings in my PR just for testing purposes. You should be able to build it with xcaddy build --with github.com/corazawaf/coraza-caddy/v2@b75ce169b56b5d65eb30f22d0fea4a1aee4252e6.
I did a quick test as follows:
:8080 {
    coraza_waf {
        load_owasp_crs
        directives `
            Include @coraza.conf-recommended
            Include @crs-setup.conf.example
            SecRuleEngine On
            Include @owasp_crs/REQUEST-901-INITIALIZATION.conf
            Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
            Include @owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf
            SecRuleUpdateTargetByTag attack-xss "!ARGS:search"
        `
    }
    reverse_proxy {$HTTPBIN_HOST:localhost}:8081
}
▶ curl -I localhost:8080/
HTTP/1.1 200 OK
▶ curl -I 'localhost:8080/?search=javascript\x3Ajavascript:alert(1)'
HTTP/1.1 200 OK
▶ curl -I 'localhost:8080/?search2=javascript\x3Ajavascript:alert(1)'
HTTP/1.1 403 Forbidden
Any feedback is appreciated!
@M4tteoP I'll make sure to check this out today! Already many thanks for your fast response and fix 🚀
@M4tteoP Works like a charm! Thank you for your very fast fix! Greatly appreciated!
Enjoy the rest of the week! (You already made mine) Sincerely, Brecht
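The following is an added example, not code from this issue, from coraza-caddy or from the Coraza engine: a self-contained Go model (standard library only; rule ids 1001 and 1002, the `attack-sqli` rule and both regexes are made-up stand-ins for CRS rules) of what `SecRuleUpdateTargetByTag "attack-xss" "!ARGS:search"` is expected to do in the exchange above. It shows the exclusion removing only the `search` argument from rules carrying the tag, so `search2` and rules without the tag are still inspected, and that the directive only touches rules already defined when it is processed, which is why it belongs in an exclusion file included after the CRS rules rather than before them.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Rule is a deliberately minimal model of a SecRule: an id, its tags, its
// target list and a single regex operator. Only ARGS and ARGS:<name> targets,
// plus the "!" exclusion prefix, are understood.
type Rule struct {
	ID      int
	Tags    []string
	Targets []string
	Pattern *regexp.Regexp
}

// Engine keeps rules in definition order, as real directive processing does.
type Engine struct{ Rules []*Rule }

// SecRule appends a rule. targets is the pipe-separated variable list of the
// SecRule syntax, e.g. "ARGS|ARGS:search".
func (e *Engine) SecRule(id int, targets, pattern string, tags ...string) {
	e.Rules = append(e.Rules, &Rule{
		ID:      id,
		Tags:    tags,
		Targets: strings.Split(targets, "|"),
		Pattern: regexp.MustCompile(pattern),
	})
}

// SecRuleUpdateTargetByTag appends target (here always an exclusion such as
// "!ARGS:search") to every rule ALREADY defined that carries tag and returns
// how many rules it touched. Rules defined later are not affected.
func (e *Engine) SecRuleUpdateTargetByTag(tag, target string) int {
	n := 0
	for _, r := range e.Rules {
		for _, t := range r.Tags {
			if t == tag {
				r.Targets = append(r.Targets, target)
				n++
				break
			}
		}
	}
	return n
}

// selectArgs resolves a rule's target list against the parsed query string:
// "ARGS" selects every argument, "ARGS:name" adds one, "!ARGS:name" removes one.
func selectArgs(targets []string, args url.Values) map[string][]string {
	sel := map[string][]string{}
	for _, t := range targets {
		switch {
		case t == "ARGS":
			for k, v := range args {
				sel[k] = v
			}
		case strings.HasPrefix(t, "!ARGS:"):
			delete(sel, strings.TrimPrefix(t, "!ARGS:"))
		case strings.HasPrefix(t, "ARGS:"):
			k := strings.TrimPrefix(t, "ARGS:")
			if v, ok := args[k]; ok {
				sel[k] = v
			}
		}
	}
	return sel
}

// Evaluate runs every rule over the raw query string and returns the ids of
// the rules whose pattern matched at least one selected argument value.
func (e *Engine) Evaluate(rawQuery string) []int {
	args, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil
	}
	var matched []int
	for _, r := range e.Rules {
		for _, vals := range selectArgs(r.Targets, args) {
			hit := false
			for _, v := range vals {
				if r.Pattern.MatchString(v) {
					hit = true
					break
				}
			}
			if hit {
				matched = append(matched, r.ID)
				break
			}
		}
	}
	return matched
}

// NewXSSEngine builds a toy rule set shaped like the issue: one XSS rule tagged
// attack-xss (hypothetical id 1001, pattern is a stand-in for the CRS 941
// regexes), one unrelated rule (hypothetical id 1002), then optionally the
// exclusion from the issue, applied after the rules exist.
func NewXSSEngine(applyExclusion bool) *Engine {
	e := &Engine{}
	e.SecRule(1001, "ARGS", `(?i)javascript:`, "attack-xss", "paranoia-level/1")
	e.SecRule(1002, "ARGS", `(?i)union\s+select`, "attack-sqli")
	if applyExclusion {
		e.SecRuleUpdateTargetByTag("attack-xss", "!ARGS:search")
	}
	return e
}

func main() {
	// Constructed payload, the same string the issue sends with curl.
	payload := "javascript\\x3Ajavascript:alert(1)"
	for _, excl := range []bool{false, true} {
		e := NewXSSEngine(excl)
		for _, q := range []string{"search=" + payload, "search2=" + payload} {
			fmt.Printf("exclusion=%v query=%q -> matched rules %v\n", excl, q, e.Evaluate(q))
		}
	}
}
```

With the exclusion applied, `search=<payload>` matches nothing while `search2=<payload>` still matches rule 1001, which is the 200/403 split shown in the curl output above. Calling `SecRuleUpdateTargetByTag` on an engine with no rules yet returns 0, the same mistake as placing the directive in a file that is included before the CRS rules.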
Description
I'm currently in the process of converting a ModSecurity (on Apache) instance to Coraza (on Caddy). Everything went rather smoothly, but I'm stuck on converting an exclusion I have in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS. I have added this line:
SecRuleUpdateTargetByTag "attack-xss" "!ARGS:search"
This should prevent Coraza from triggering on XSS payloads in a query param called 'search'.
Steps to reproduce
Here is my code: https://github.com/ErazerBrecht/coraza-poc
It's a rather plain Caddy webserver using the official Coraza Caddy module. It contains a Docker container you can easily run.
Expected result
200 OK when going to
http://localhost:7543/?search=javascript\x3Ajavascript:alert(1)
Actual result
403 FORBIDDEN
Logs: