Skip to main content

OWASP/CRS Request

Overview

The OWASP/CRS Request Traffic Policy action enables OWASP (Open Worldwide Application Security Project) CRS (previously Core Rule Set), a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. It aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. CRS provides protection against many common attack categories, including SQL Injection, Cross Site Scripting, Local File Inclusion, etc.

The owasp-crs-request action only enables rule detection on incoming HTTP requests to your endpoint. In addition to this action, it is also recommended to enable the OWASP/CRS Response action to analyze outgoing HTTP responses from your endpoint

Configuration Reference

This is the Traffic Policy configuration reference for this action.

Supported Phases

on_http_request

Type

owasp-crs-request

Configuration Fields

  • on_errorstringRequired

    Behavior if there is an error. Must be one of either "continue" or "halt" (default "halt")

    More information can be found in the Managing Fallback Behavior section.

  • process_bodybool

    If false, we do not process rules for the request body. Default is true

Behavior

This action evaluates rules for request headers and body (when process_body is enabled), and each matching rule adds to the overall score of a request. If the score exceeds the set score threshhold, the action will block the request.

The tallying process is called Anomaly Scoring, and is detailed on the CoreRuleSet website.

Default Directives

The default behavior of the OWASP/CRS action includes the following Coraza directives or sets of rules:

Included in these defaults is an inbound anomaly score threshold of 5 and a paranoia level of 1.

Body Processing

When process_body is enabled, bodies will be partially processed and evaluated for their first 128KB. The rest of the body will not be processed and will be ignored.

Managing Fallback Behavior (on_error)

If on_error is set to halt (default) and the action encounters an error when forwarding traffic, the Traffic Policy chain will halt and no further actions will be executed. For example, if you have a log action after the owasp-crs-request action, the log action will not be run and the error will be returned.

However, if on_error is set to continue, actions that appear after the owasp-crs-request action will still be executed even if the owasp-crs-request action encounters an error.

Examples

Enabling OWASP/CRS Request Action

The following Traffic Policy configuration will enable OWASP/CRS evaluation on HTTP requests.

It is recommended to also enable the OWASP/CRS Response action

Example Traffic Policy Document

Loading…

Example Request

Loading…
Loading…

In this example, we attempt to connect to example.ngrok.app using the curl command, and ngrok blocks the request returning back ERR_NGROK_3700

Action Result Variables

The following variables are made available for use in subsequent expressions and CEL interpolations after the action has run. Variable values will only apply to the last action execution, results are not concatenated.

  • actions.ngrok.owasp_crs_request.decisionstring

    The action taken for this request.

    • Possible values
    • allow - If the request was permitted.
    • deny - If the request was denied.
  • actions.ngrok.owasp_crs_request.anomaly_scoreint

    The total anomaly score for the request. If it equals to or exceeds the set threshold, it will block the request.

  • actions.ngrok.owasp_crs_request.anomaly_score_thresholdint

    The total anomaly score threshold for the request. By default, it is set to 5.

  • actions.ngrok.owasp_crs_request.matched_rulesarray of objects

    The list of all rules matched by this request that have a non-zero score.

  • actions.ngrok.owasp_crs_request.error.codestring

    A machine-readable code describing an error that occurred during the action's execution.

  • actions.ngrok.owasp_crs_request.error.messagestring

    A human-readable message providing details about an error that occurred during the action's execution.