corazawaf / coraza

OWASP Coraza WAF is a golang modsecurity compatible web application firewall library
https://www.coraza.io
Apache License 2.0

Case sensitivity of Arguments #209

Closed syinwu closed 2 years ago

syinwu commented 2 years ago

Now, in the coraza, if we have the below rule like this:

SecRule ARGS:Test1 "123" "id:3,phase:1,log,deny"

And, if we have the below request like this:

GET /test?Test1=123 HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/json

The rule will not deny this request, because coraza's rule compilation is case-insensitive. It converts Test1 in the rule into test1 and stores it in coraza. If the request parameter name is capitalized, it will cause false negatives.

So, how should we deal with this situation?
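The following Go program is an added illustration of the mismatch described in this issue; it is not Coraza's code and its types (`ArgsCollection`, `compileTarget`, `RuleMatches`) are simplified stand-ins written for the example. It lowercases the rule target at "compile" time, stores the argument name exactly as it arrived (`Test1`), and shows that an exact-case lookup silently misses (a false negative), while a lookup that folds case on both sides still matches. The point for a defender is not which convention is chosen but that the same normalisation must be applied when the rule is compiled and when the request collection is searched.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ArgsCollection is a simplified model of a WAF request-argument
// collection (query string / form fields) keyed by argument name.
// It is constructed for this example and is not Coraza's implementation.
type ArgsCollection struct {
	data map[string][]string
}

func NewArgsCollection() *ArgsCollection {
	return &ArgsCollection{data: map[string][]string{}}
}

// Add stores a value under the name exactly as it appeared in the request.
func (c *ArgsCollection) Add(name, value string) {
	c.data[name] = append(c.data[name], value)
}

// FromQuery builds a collection from a raw query string such as "Test1=123".
func FromQuery(raw string) (*ArgsCollection, error) {
	values, err := url.ParseQuery(raw)
	if err != nil {
		return nil, err
	}
	c := NewArgsCollection()
	for name, vals := range values {
		for _, v := range vals {
			c.Add(name, v)
		}
	}
	return c, nil
}

// FindExact returns values only when the key matches the stored name
// byte-for-byte. Paired with a compiler that lowercases targets, this is
// the false-negative path the issue describes.
func (c *ArgsCollection) FindExact(key string) []string {
	return c.data[key]
}

// FindFold returns values for every stored name equal to key under ASCII
// case folding, so a lowercased target still reaches "Test1".
func (c *ArgsCollection) FindFold(key string) []string {
	var out []string
	for name, vals := range c.data {
		if strings.EqualFold(name, key) {
			out = append(out, vals...)
		}
	}
	return out
}

// compileTarget mirrors the lowercasing the issue reports at rule
// compilation: the target of "ARGS:Test1" becomes "test1".
func compileTarget(target string) string {
	return strings.ToLower(target)
}

// RuleMatches evaluates a simplified `SecRule ARGS:<name> "<literal>"`
// against the collection using the supplied lookup strategy.
func RuleMatches(c *ArgsCollection, compiledKey, literal string, lookup func(string) []string) bool {
	for _, v := range lookup(compiledKey) {
		if v == literal {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request from the issue: GET /test?Test1=123
	args, err := FromQuery("Test1=123")
	if err != nil {
		panic(err)
	}
	key := compileTarget("Test1") // "test1"

	fmt.Println("exact-case lookup matches:", RuleMatches(args, key, "123", args.FindExact))
	fmt.Println("case-folded lookup matches:", RuleMatches(args, key, "123", args.FindFold))
}
```

Run it with `go run` and the first line prints false, the second true: the rule is identical in both cases, only the lookup's treatment of case differs. A regression test for a WAF should therefore include argument names in mixed case for every target selector, because the failure mode is a silent non-match rather than an error.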

jptosso commented 2 years ago

should we handle all GET and POST arguments as lowercase?

jptosso commented 2 years ago

Are we still having this issue?

github-actions[bot] commented 2 years ago

This issue is stale because it has been open for 30 days with no activity.