Closed sky9090 closed 2 years ago
Hey! Thank you for your interest in Coraza. coraza-server is an experimental project and it requires a lot of testing, so your feedback is valuable. I have updated coraza-server to the latest coraza version; could you try with the latest commit? It contains many fixes.
About body size enforcement and MIME types: that is handled by coraza-waf and not coraza-server, so I will review that and keep you posted.
For case 2, I changed the rule as below and got the audit log successfully:
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" "id:'200000', phase:1, log, auditlog, deny, status:403, ctl:requestBodyProcessor=XML"
Thank you @jptosso @ShiMing-Q, I will recheck the test results according to your advice.
https://github.com/jptosso/coraza-waf/pull/142 may fix case 1 and case 4. @sky9090
Working on the fix for case 5.
https://github.com/jptosso/coraza-server/pull/4 will fix case 5.
Thanks @ShiMing-Q @jptosso, I have rechecked these five issues and they have all passed now.
Also, I found that the current default value for SecResponseBodyAccess is Off, and the version of the coraza-waf package included in go.mod is not the latest one; I manually updated the version locally to recheck the test.
Hi,
I did some tests on the settings in the coraza.conf-recommended file and included this file in the coraza-server config.yml file, but some configurations don't work. Please have a look and give me some advice.
coraza-server config.yml
Case 1: set SecRequestBodyAccess to Off, but it still checks the request_body info and blocks the offending traffic.
set coraza.conf-recommended file
execute curl
check audit.log
Case 2: enabled the XML request body parser, but cannot find a log showing it working properly.
set coraza.conf-recommended file
execute curl
check audit.log
Case 3: enabled the JSON request body parser, but cannot find a log showing it working properly.
set coraza.conf-recommended file
execute curl
check audit.log
Case 4: the size of request_body is greater than SecRequestBodyLimit, but it still checks the request_body info and blocks the offending traffic.
execute curl
check audit.log
Case 5: set the response_body MIME type to one in, or not in, the list of SecResponseBodyMimeType, but the test result is the same. When the response_body MIME type is in the list, the offending traffic should be blocked, as the response_body contains content that is in the web-shells-php.data file.
SecResponseBodyMimeType
set coraza.conf-recommended
execute curl (response MIME type application/json vs. text/plain)
check audit.log (response MIME type application/json vs. text/plain)
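For reference, here is an added example coraza.conf fragment (not from this issue or from the project's coraza.conf-recommended) that puts the directives discussed in the five cases side by side, with a comment stating the effect each one should have; the limit values, rule ids and log path are illustrative assumptions.

```apache
# Added example: directives behind the five test cases above.
# Byte limits, rule ids and the audit log path are assumptions.

SecRuleEngine On

# Case 1: with request body access Off, rules that inspect REQUEST_BODY,
# ARGS_POST, XML:/* or JSON must not fire; On enables body inspection.
SecRequestBodyAccess On

# Case 4: a body larger than this limit (bytes) must not be inspected as
# if it were complete. Reject answers 413; ProcessPartial inspects only
# the first SecRequestBodyLimit bytes.
SecRequestBodyLimit 131072
SecRequestBodyLimitAction Reject

# Cases 2 and 3: a body processor is selected per request via ctl:.
# Without the matching processor, XML:/* and JSON collections stay empty.
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
  "id:200000,phase:1,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "application/json" \
  "id:200001,phase:1,pass,nolog,ctl:requestBodyProcessor=JSON"

# Case 5: the response body is inspected only when access is On AND the
# response Content-Type is in this list. With the list below, text/plain
# is inspected and application/json is skipped.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288

# Audit log so the outcome of each case can be verified in audit.log.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLog /var/log/coraza/audit.log
```

When reproducing case 5, compare an audit.log entry for a text/plain response against one for application/json: only the former should carry a response body part (part E) and any matching rule in part H.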