OWASP/CRS Response
Overview
The OWASP/CRS Response Traffic Policy action enables OWASP (Open Worldwide Application Security Project) CRS (previously Core Rule Set), a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. It aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. CRS provides protection against many common attack categories, including SQL Injection, Cross Site Scripting, Local File Inclusion, etc.
The owasp-crs-response
action only enables rule detection on outgoing HTTP responses from your
endpoint. In addition to this action, it is also recommended to enable the OWASP/CRS Request
action to analyze incoming HTTP requests to your endpoint
Configuration Reference
This is the Traffic Policy configuration reference for this action.
Supported Phases
on_http_response
Type
owasp-crs-response
Configuration Fields
on_errorstringRequired
Behavior if there is an error. Must be one of either "continue" or "halt" (default "halt")
More information can be found in the Managing Fallback Behavior section.
process_bodybool
If false, we do not process rules for the response body. Default is true
Behavior
This action evaluates rules for response headers and body (when process_body
is enabled), and each matching rule adds to the overall score of a response. If
the score exceeds the set score threshhold, the action will block the response.
The tallying process is called Anomaly Scoring, and is detailed on the CoreRuleSet website.
Default Directives
The default behavior of the OWASP/CRS action includes the following Coraza directives or sets of rules:
- coraza.conf-recommended
- crs-setup.conf.example
- @owasp_crs/*.conf
- SecRuleEngine On
- SecRequestBodyInMemoryLimit 131072
- SecRequestBodyLimit 131072
- SecRequestBodyLimitAction ProcessPartial
- SecResponseBodyLimit 131072
Included in these defaults is an outbound anomaly score threshold of 4 and a paranoia level of 1.
Body Processing
When process_body
is enabled, bodies will be partially processed and evaluated for their first 128KB.
The rest of the body will not be processed and will be ignored.
Managing Fallback Behavior (on_error
)
If on_error
is set to halt
(default) and the action encounters an error when forwarding traffic, the Traffic Policy chain will halt and no further actions will be executed. For example, if you have a log
action after the owasp-crs-response
action, the log
action will not be run and the error will be returned.
However, if on_error
is set to continue
, actions that appear after the owasp-crs-response
action will still be executed even if the owasp-crs-response
action encounters an error.
Examples
Enabling OWASP/CRS Response Action
The following Traffic Policy configuration will enable OWASP/CRS evaluation on HTTP responses.
It is recommended to also enable the OWASP/CRS Request action
Example Traffic Policy Document
Loading…
Example Blocked Response:
Loading…
A text/plain
response of the above format will result in the WAF blocking the response due to potential security leaks i.e. SQL Injection vulnerabilities.
Action Result Variables
The following variables are made available for use in subsequent expressions and CEL interpolations after the action has run. Variable values will only apply to the last action execution, results are not concatenated.
actions.ngrok.owasp_crs_response.decisionstring
The action taken for this response.
- Possible values
allow
- If the response was permitted.deny
- If the response was denied.
actions.ngrok.owasp_crs_response.anomaly_scoreint
The total anomaly score for the response. If it equals to or exceeds the set threshold, it will block the response.
actions.ngrok.owasp_crs_response.anomaly_score_thresholdint
The total anomaly score threshold for the response. By default, it is set to 5.
actions.ngrok.owasp_crs_response.matched_rulesarray of objects
The list of all rules matched by this response that have a non-zero score.
actions.ngrok.owasp_crs_response.error.codestring
A machine-readable code describing an error that occurred during the action's execution.
actions.ngrok.owasp_crs_response.error.messagestring
A human-readable message providing details about an error that occurred during the action's execution.