From: Walter Hop <modsec@sp...> - 2013-11-21 14:23:39
Expanding my use of ModSecurity, I found several applications where I would really like to whitelist a certain request parameter completely. I am running the CRS with anomaly scoring.
It seems to me that a good way to whitelist a parameter fully is something like this (taking a MediaWiki input box as an example):
SecRule REQUEST_FILENAME "@streq /index.php" \
Would you agree?
I hope it would catch all rules, and by executing in phase 1, run in time before blocking.
Is this notation considered future-proof? (Since some ctl: actions seem to be deprecated)
(Most web pages and blog posts seem to recommend taking the action 'setvar:tx.anomaly_score=-OFFSET', where OFFSET might be, say, 5 or 25. I think this is probably outdated advice. I really don’t want to affect the global anomaly score, as it can introduce vulnerabilities by allowing exploits in unrelated request parameters.)
Walter Hop | walter@... | PGP key: https://lifeforms.nl/pgp
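The concern raised in the last paragraph of the message above, as an added example that is not part of the original post and is not ModSecurity or CRS code: a simplified Python model of anomaly scoring that compares a global score offset with a per-parameter exclusion. The rules, parameter names (`wikitext`, `search`), threshold and sample requests are constructed assumptions.

```python
import re

# Constructed stand-ins for CRS rules: (id, pattern, anomaly points).
# Ids and patterns are hypothetical and far simpler than real CRS rules.
RULES = [
    ("sqli-demo", re.compile(r"(?i)\bunion\b.+\bselect\b"), 5),
    ("xss-demo", re.compile(r"(?i)<script\b"), 5),
]
THRESHOLD = 5  # assumed: block when the request's total score reaches this


def score(params, excluded=frozenset(), offset=0):
    """Return the anomaly score of one request.

    excluded: parameter names taken out of every rule's targets
              (the per-parameter whitelist the post asks about).
    offset:   points subtracted from the global score
              (the 'setvar:tx.anomaly_score=-OFFSET' approach).
    """
    total = 0
    for name, value in params.items():
        if name in excluded:
            continue  # this parameter is never inspected
        for _rule_id, pattern, points in RULES:
            if pattern.search(value):
                total += points
    return total - offset


def blocked(params, **kwargs):
    return score(params, **kwargs) >= THRESHOLD


# Constructed requests. The edit box legitimately contains markup.
LEGIT_EDIT = {"title": "Help:HTML",
              "wikitext": "Example: <script> tags are stripped on save."}
# Benign edit box, suspicious content in an unrelated parameter.
UNRELATED = {"wikitext": "Fixed a typo.",
             "search": "1 UNION SELECT 1"}

if __name__ == "__main__":
    for label, req in (("legit edit", LEGIT_EDIT), ("unrelated", UNRELATED)):
        print(label,
              "| no whitelist:", blocked(req),
              "| offset 5:", blocked(req, offset=5),
              "| exclude wikitext:", blocked(req, excluded={"wikitext"}))
```

Both approaches let the legitimate edit through, but only the per-parameter exclusion still blocks the request whose flagged content sits in `search`.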