
OWASP CRS Response

Overview

The OWASP CRS Response Traffic Policy action enables OWASP (Open Worldwide Application Security Project) CRS (formerly the OWASP ModSecurity Core Rule Set), a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts, and covers many common attack categories such as SQL Injection, Cross-Site Scripting and Local File Inclusion.

The owasp-crs-response action evaluates rules only against the HTTP responses your upstream returns; it does not inspect incoming requests. To cover the request side as well, we recommend also enabling the OWASP CRS Request action.

Configuration Reference

This is the Traffic Policy configuration reference for this action.

Supported Phases

on_http_response

Type

owasp-crs-response

Configuration Fields

  • on_error (string, required)

    Behavior if the action encounters an error. One of "continue" or "halt" (default "halt").

    More information can be found in the Managing Fallback Behavior section.

  • process_body (bool)

    If true, the response body is also evaluated against the rules (see Body Processing). Default is false, in which case only the response headers are inspected.

Behavior

This action evaluates CRS rules against the response headers and, when process_body is enabled, the response body. Each matching rule adds its score to the response's total anomaly score; if the total reaches or exceeds the configured threshold, the action blocks the response.

The tallying process is called Anomaly Scoring, and is detailed on the CRS website.

Default Behavior

The default behavior for this action is based on Coraza directives and rules from v4.14.0 of the CRS.

These defaults set an outbound anomaly score threshold of 4 and a paranoia level of 1. Under CRS anomaly scoring a critical-severity rule contributes 5 points, so a single critical match is enough on its own to block a response.

Body Processing

When process_body is enabled, only the first 128KiB of the response body is evaluated. Anything beyond that limit is not inspected and is passed through to the client as-is, so a leak that occurs late in a large body will not be caught.

Managing Fallback Behavior (on_error)

If on_error is set to halt (default) and the action encounters an error when forwarding traffic, the Traffic Policy chain will halt and no further actions will be executed. For example, if you have a log action after the owasp-crs-response action, the log action will not be run and the error will be returned.

However, if on_error is set to continue, actions that appear after the owasp-crs-response action will still be executed even if the owasp-crs-response action encounters an error. Choose continue only where availability matters more than guaranteed inspection, since an evaluation error then no longer stops the policy chain.

Outbound Anomaly Score Threshold Exceeded

If the anomaly score accumulated from matching rules reaches or exceeds the threshold, ngrok blocks the response and returns an HTTP 403 to the client. The response from your upstream does not make it to the client.

Failure to process the body correctly

If ngrok is unable to read the response body correctly, ngrok blocks the response and returns an HTTP 500 to the client. The response from your upstream does not make it to the client.

Examples

Running in block mode

The following configuration demonstrates how to run the owasp-crs-response action in block mode.

Example Traffic Policy Document

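As an added example, not the page's own document, a minimal Traffic Policy that runs the action in block mode using only the two configuration fields documented above:

```yaml
# Added example (not the page's own policy document).
# Every response from the upstream is evaluated; a response whose
# anomaly score reaches the default threshold of 4 is replaced with
# an HTTP 403 and never reaches the client.
on_http_response:
  - actions:
      - type: owasp-crs-response
        config:
          on_error: halt       # an evaluation error stops the policy chain (default)
          process_body: true   # also inspect the first 128KiB of the response body
```

With process_body left at its default of false only the response headers are inspected, which is cheaper but misses body-based leaks such as database error messages.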

Running in test mode

The following configuration demonstrates how to run the owasp-crs-response action in test mode, where rules are evaluated but blocks are not enforced.

Example Traffic Policy Document


Example response from your upstream that ngrok would block

A text/plain response like the following will result in ngrok blocking the response, because its body leaks a database error message and CRS treats such leaks as evidence of an exploitable SQL Injection vulnerability.

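A constructed example of such a response (added here, not taken from the page). The body carries the standard MySQL syntax-error message, which is matched by the CRS SQL data-leakage rules (the RESPONSE-951 family); those rules are critical severity, so one match alone scores 5 and clears the default threshold of 4. The matching rule is reported in actions.ngrok.owasp_crs_response.matched_rules.

```http
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 151

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
```

Note that this response is only blocked when process_body is true: with the default of false the body is never inspected, the headers above carry nothing suspicious, and the leak is forwarded to the client unchanged.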

Action Result Variables

The following variables are available for use in subsequent expressions and CEL interpolations after the action has run. Values reflect only the most recent execution of the action; results from earlier executions are not accumulated.

  • actions.ngrok.owasp_crs_response.decision (string)

    The action taken for this response. Possible values:

    • allow - the response was permitted.
    • deny - the response was denied.

  • actions.ngrok.owasp_crs_response.anomaly_score (int)

    The total anomaly score for the response. If it equals or exceeds the threshold, the response is blocked.

  • actions.ngrok.owasp_crs_response.anomaly_score_threshold (int)

    The anomaly score threshold for the response. By default, it is 4.

  • actions.ngrok.owasp_crs_response.matched_rules (array of objects)

    The list of all rules matched by this response that have a non-zero score.

  • actions.ngrok.owasp_crs_response.error.code (string)

    A machine-readable code describing an error that occurred during the action's execution.

  • actions.ngrok.owasp_crs_response.error.message (string)

    A human-readable message providing details about an error that occurred during the action's execution.
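As an added example, not the page's own, a policy that consumes these variables in a following rule: a log action runs only for responses that matched at least one scored rule, which is the data you want when reviewing matched_rules for false positives before tightening the policy. The log action's metadata field is taken from ngrok's log action reference rather than this page, and the metadata key names (crs_decision and so on) are arbitrary labels chosen for the example.

```yaml
# Added example (not the page's own policy document).
# Rule 1 evaluates the CRS response rules; on_error is set to continue so
# that the log rule below still runs if evaluation itself fails.
# Rule 2 fires only when the anomaly score is non-zero and records the
# outcome using CEL interpolation of the action result variables.
on_http_response:
  - actions:
      - type: owasp-crs-response
        config:
          on_error: continue
          process_body: true
  - expressions:
      - "actions.ngrok.owasp_crs_response.anomaly_score > 0"
    actions:
      - type: log
        config:
          metadata:
            crs_decision: "${actions.ngrok.owasp_crs_response.decision}"
            crs_score: "${actions.ngrok.owasp_crs_response.anomaly_score}"
            crs_threshold: "${actions.ngrok.owasp_crs_response.anomaly_score_threshold}"
```

The page states only that the chain halts on an error when on_error is halt; it does not say whether later actions run after a deny decision, so verify against your own traffic that blocked responses appear in the log before relying on it for that case.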