jcchavezs / coraza-http-wasm-traefik

Apache License 2.0

Coreruleset returns 200 ok if triggered #11

Closed Karl-koder closed 4 months ago

Karl-koder commented 4 months ago

Hello, I'm facing some issues with the coreruleset.

When using this configuration:

directives:
- SecRuleEngine On
- SecDebugLog /dev/stdout
- SecDebugLogLevel 9
- SecDefaultAction "phase:1,deny,log,status:400"
- SecDefaultAction "phase:2,deny,log,status:400"
- SecAction "id:900990,phase:1,pass,t:none,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0-dev',setvar:tx.crs_setup_version=450"
- Include @coraza.conf-recommended
- Include @owasp_crs/**.conf

When calling an endpoint with the middleware attached like this: curl -I "https://Example.com/?search=<script>alert('xss')</script>" I get a 200 OK back, but in Traefik I see these logs:

Coraza: Warning. XSS Attack Detected via libinjection
Coraza: Warning. XSS Filter - Category 1: Script Tag Vector
Coraza: Warning. NoScript XSS InjectionChecker: HTML Injection
Coraza: Warning. Javascript method detected
Coraza: Warning. Inbound Anomaly Score Exceeded

When using custom rules I can specify that it should be denied and return a certain code. For instance:

- SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

This works just fine.

How can I make the coreruleset deny as well? It seems to pass no matter what.

jcchavezs commented 4 months ago

The `@coraza.conf-recommended` include overrides the `SecRuleEngine On` as per https://github.com/corazawaf/coraza-coreruleset/blob/v4.3.0/rules/%40coraza.conf-recommended#L7, hence you are in `DetectionOnly`.

José Carlos Chávez

On Wed. 3 July 2024 at 16:03, AFY wrote:


Karl-koder commented 4 months ago

Works now that I moved the `- Include @coraza.conf-recommended` on top of the `- SecRuleEngine On`.

Thanks a lot, and really great job on the whole coraza plugin.
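The root cause in this thread is directive ordering: Coraza applies directives in sequence, the last `SecRuleEngine` wins, and the linked line of `@coraza.conf-recommended` sets `SecRuleEngine DetectionOnly`, so an `Include` placed after `SecRuleEngine On` leaves the engine logging but never denying. The script below is an added example, not code from the plugin or from Coraza: it resolves the effective engine mode for a directive list such as the one in the issue and flags the detection-only outcome. The contents of the two includes are constructed stand-ins (only the `SecRuleEngine` line of the recommended file is modelled, and the CRS glob is reduced to a comment), and the `expand`, `effective_engine` and `check_blocking` helper names are my own.

```python
"""Directive-order check for a Coraza middleware configuration.

Added example, not the plugin's own code. Coraza processes directives in
order and the last SecRuleEngine directive is the one in force. Because
@coraza.conf-recommended sets SecRuleEngine DetectionOnly, an Include of it
placed after "SecRuleEngine On" downgrades the engine: rules still log
(the "Coraza: Warning." lines in the issue) but requests get 200 instead
of the configured deny status.
"""
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for the included files. Only the SecRuleEngine line
# of @coraza.conf-recommended is modelled here; the real file carries many
# more directives, and the CRS rule files are reduced to a placeholder.
INCLUDES: Dict[str, List[str]] = {
    "@coraza.conf-recommended": [
        "# ... other recommended settings ...",
        "SecRuleEngine DetectionOnly",
    ],
    "@owasp_crs/**.conf": [
        "# CRS rules would be expanded here",
    ],
}

ENGINE_RE = re.compile(r"^\s*SecRuleEngine\s+(\S+)", re.IGNORECASE)
INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)", re.IGNORECASE)


def expand(directives: List[str], includes=INCLUDES) -> List[Tuple[str, str]]:
    """Flatten the directive list, tagging each line with where it came from
    ("config" for the middleware's own list, else the include name)."""
    out: List[Tuple[str, str]] = []
    for line in directives:
        m = INCLUDE_RE.match(line)
        if m and m.group(1) in includes:
            out.extend((m.group(1), inner) for inner in includes[m.group(1)])
        else:
            out.append(("config", line))
    return out


def effective_engine(directives: List[str], includes=INCLUDES) -> Tuple[str, str]:
    """Return (mode, source) of the last SecRuleEngine directive seen.
    If none is present the mode is reported as "unset" (the engine's own
    built-in default is deliberately not modelled here)."""
    mode, source = "unset", "none"
    for src, line in expand(directives, includes):
        m = ENGINE_RE.match(line)
        if m:
            mode, source = m.group(1), src
    return mode, source


def check_blocking(directives: List[str], includes=INCLUDES) -> List[str]:
    """Return findings; an empty list means the engine will actually deny."""
    mode, source = effective_engine(directives, includes)
    if mode.lower() == "on":
        return []
    return [f"effective SecRuleEngine is {mode} (set by {source}); "
            "matching rules will log but never deny"]


# Ordering from the issue report: the Include comes after SecRuleEngine On,
# so DetectionOnly from the recommended file wins.
REPORTED = [
    "SecRuleEngine On",
    'SecDefaultAction "phase:1,deny,log,status:400"',
    'SecDefaultAction "phase:2,deny,log,status:400"',
    "Include @coraza.conf-recommended",
    "Include @owasp_crs/**.conf",
]

# Ordering from the fix: the recommended Include goes first, so the
# middleware's own SecRuleEngine On is the final word.
FIXED = [
    "Include @coraza.conf-recommended",
    "SecRuleEngine On",
    'SecDefaultAction "phase:1,deny,log,status:400"',
    'SecDefaultAction "phase:2,deny,log,status:400"',
    "Include @owasp_crs/**.conf",
]

if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED), ("fixed", FIXED)):
        print(name, effective_engine(cfg), check_blocking(cfg))
```

Run as a script it prints `DetectionOnly` (from `@coraza.conf-recommended`) for the reported ordering and `On` (from the middleware config) for the fixed one. The same "last directive wins" reasoning applies to any other setting the recommended file touches, so keeping `Include @coraza.conf-recommended` at the top of the list and your own overrides below it is the general rule, not just a fix for `SecRuleEngine`.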