The Open Web Application Security Project (OWASP) is a global non-profit organization focused on improving software security. As part of that work, OWASP maintains the OWASP ModSecurity Core Rule Set (CRS), a set of generic attack-detection rules that aims to protect against the OWASP Top Ten, the list of the most critical web application security risks. So that the rules can be tailored to an individual website, Peakhour provides users with a range of OWASP-specific settings that can be tuned to the site's security needs.
The CRS rules are customizable, and the OWASP-specific settings allow developers to fine-tune the rule set to their specific needs. In this article, we'll look at the OWASP-specific settings and explore their purpose and potential use cases.
Blocking Levels
The following blocking level settings control when an incoming request will be blocked by the CRS.
- Inbound Anomaly Level: This setting determines the anomaly score at which an incoming request will be blocked. The CRS builds the score from the rules a request matches, each matching rule adding points according to its severity; the rules look at criteria such as request length, use of special characters, and other factors. A higher score means a more suspicious request, and a lower threshold blocks more aggressively. The default setting is 5, but it can be adjusted depending on the application's risk profile.
- Paranoia Level: The higher this setting, the more rules will be enabled in the CRS, which means more suspicious requests will be blocked. The default setting is 1; it can be increased to improve security, at the cost of more false positives, so raise it gradually and review the logs.
- Executing Paranoia Level: This setting runs rules from paranoia levels above the Paranoia Level, up to the level given here, but only reports their matches; their scores do not count toward blocking. This can be useful for testing a higher paranoia level without interrupting the normal operation of the application.
- Blocking Early: If this setting is enabled, the CRS evaluates the anomaly score as soon as the request headers have been processed and blocks a request that already reaches the threshold, without waiting for the request body rules. This can be useful for high-risk applications that require fast blocking to prevent attacks.
Anomaly Scoring
The following anomaly scoring settings control the score threshold for different levels of alerts generated by the CRS.
- Critical Anomaly Score: This setting determines the anomaly score at which a critical alert will be generated. Critical alerts indicate an imminent or ongoing attack and should be investigated immediately.
- Error Anomaly Score: This setting determines the anomaly score at which an error alert will be generated. Error alerts indicate a suspicious request, but not necessarily an attack.
- Warning Anomaly Score: This setting determines the anomaly score at which a warning alert will be generated. Warning alerts indicate a potentially suspicious request, but not necessarily an attack.
- Notice Anomaly Score: This setting determines the anomaly score at which a notice alert will be generated. Notice alerts indicate a low-risk request that may warrant further investigation.
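To make the blocking-level and anomaly-scoring settings concrete, here is a small model of the CRS scoring loop, added as an example and not taken from Peakhour or the CRS project. In the CRS configuration the four severity values are the points a matched rule contributes (critical 5, error 4, warning 3, notice 2 by default), and the running total is compared with the inbound threshold. The rules, rule ids, paranoia levels and sample requests below are constructed for illustration only; the policy fields map one-to-one onto the settings described above.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

# Default CRS severity weights: a matched rule adds the points for its severity
# to the request's running anomaly score.
SEVERITY_SCORES = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

Request = Dict[str, Any]


@dataclass
class Rule:
    rule_id: int                       # constructed ids, not real CRS rule ids
    phase: int                         # 1 = request headers, 2 = request body
    paranoia_level: int                # the rule is active only at this PL or higher
    severity: str
    matches: Callable[[Request], bool]


@dataclass
class Policy:
    inbound_threshold: int = 5         # Inbound Anomaly Level
    paranoia_level: int = 1            # Paranoia Level
    executing_paranoia_level: int = 1  # Executing Paranoia Level
    blocking_early: bool = False       # Blocking Early


@dataclass
class Verdict:
    blocked: bool
    score: int
    blocked_in_phase: Optional[int]
    matched: List[Tuple[int, bool]] = field(default_factory=list)  # (rule id, counted toward score?)


def evaluate(request: Request, rules: List[Rule], policy: Policy) -> Verdict:
    """Run the rules phase by phase and decide whether the request is blocked."""
    # The CRS never executes below the blocking PL, so the executing PL is at least the PL.
    executing_pl = max(policy.paranoia_level, policy.executing_paranoia_level)
    score = 0
    matched: List[Tuple[int, bool]] = []
    for phase in (1, 2):
        for rule in rules:
            if rule.phase != phase or rule.paranoia_level > executing_pl:
                continue  # wrong phase, or rule disabled at this paranoia level
            if not rule.matches(request):
                continue
            # Rules above the blocking PL but within the executing PL are logged only.
            counted = rule.paranoia_level <= policy.paranoia_level
            if counted:
                score += SEVERITY_SCORES[rule.severity]
            matched.append((rule.rule_id, counted))
        # Blocking Early: decide after the header phase instead of waiting for body rules.
        if phase == 1 and policy.blocking_early and score >= policy.inbound_threshold:
            return Verdict(True, score, 1, matched)
    blocked = score >= policy.inbound_threshold
    return Verdict(blocked, score, 2 if blocked else None, matched)


# Constructed rules for the demonstration (simplified stand-ins, not CRS rules).
RULES = [
    Rule(1, 1, 1, "CRITICAL", lambda r: "../" in r["uri"]),                      # traversal sequence in URI
    Rule(2, 1, 1, "WARNING", lambda r: "user-agent" not in r["headers"]),        # missing User-Agent header
    Rule(3, 2, 1, "CRITICAL", lambda r: "union select" in r["body"].lower()),    # SQL keyword in body
    Rule(4, 2, 2, "WARNING", lambda r: "%" in r["body"]),                        # noisy PL2-only heuristic
]

# Constructed sample requests.
TRAVERSAL = {"uri": "/files/../../etc/passwd", "headers": {}, "body": ""}
PERCENT_BODY = {"uri": "/search", "headers": {"user-agent": "curl/8.0"}, "body": "discount=10%"}


if __name__ == "__main__":
    for name, policy in [("default", Policy()), ("early", Policy(blocking_early=True))]:
        v = evaluate(TRAVERSAL, RULES, policy)
        print(f"{name}: score={v.score} blocked={v.blocked} phase={v.blocked_in_phase} matched={v.matched}")
    for name, policy in [("pl1", Policy()), ("pl1-exec2", Policy(executing_paranoia_level=2)),
                         ("pl2", Policy(paranoia_level=2))]:
        v = evaluate(PERCENT_BODY, RULES, policy)
        print(f"{name}: score={v.score} blocked={v.blocked} matched={v.matched}")
```

Run as a script, the traversal request scores 8 from two header-phase rules and is blocked under the default policy; with Blocking Early it is blocked after phase 1 without the body rules running. The second request shows the paranoia settings: at PL1 the noisy rule never runs, at PL1 with Executing Paranoia Level 2 it is reported but contributes 0 points, and at PL2 it contributes 3, still below the threshold of 5.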
HTTP
The following HTTP settings control which types of requests are allowed and how they are processed.
- Allowed Content Types: This setting determines which content types are allowed in incoming requests. Some common examples include multipart/form-data, application/json, and application/x-www-form-urlencoded.
- Allowed Charsets: This setting determines which character sets are allowed in incoming requests. Common examples include utf-8 and iso-8859-1.
- Allowed HTTP Versions: This setting determines which versions of the HTTP protocol are allowed in incoming requests. Common examples include HTTP/1.1 and HTTP/2.0.
- Allowed HTTP Methods: This setting determines which HTTP methods are allowed in incoming requests. Common examples include GET, POST, and PUT.
- Enforce URL Encoded Body: This setting forces the URL-encoded body processor to be used for requests that carry a body but no Content-Type header, so the body is still parsed and inspected by the rules instead of passing through unexamined.
- Validate UTF-8: This setting checks the request contents for invalid UTF-8 encoding and flags requests that fail, so that malformed byte sequences cannot slip past rules that expect well-formed text.
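The following is an added example, not Peakhour's code, of a request-policy check that applies the six HTTP settings above to one parsed request. The allow-lists are constructed stand-ins for the settings; `check_request`, `parse_content_type` and the `Result` type are names chosen here. The point it shows that the prose alone does not is the inspection gap that Enforce URL Encoded Body closes: a body with no Content-Type is not parsed at all unless that setting is on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed allow-lists standing in for the Allowed * settings above.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "OPTIONS"}
ALLOWED_VERSIONS = {"HTTP/1.1", "HTTP/2.0"}
ALLOWED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "application/json"}
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1"}
BODY_PROCESSORS = {"application/x-www-form-urlencoded": "URLENCODED",
                   "multipart/form-data": "MULTIPART",
                   "application/json": "JSON"}


@dataclass
class Result:
    findings: List[str] = field(default_factory=list)
    body_processor: Optional[str] = None          # parser the body was handed to, if any
    args: Dict[str, List[str]] = field(default_factory=dict)


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'type/subtype; charset=x; boundary=y' into the media type and its parameters."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"').lower()
    return parts[0].lower(), params


def check_request(method: str, version: str, headers: Dict[str, str], body: bytes,
                  enforce_urlencoded_body: bool = True, validate_utf8: bool = True) -> Result:
    """Apply the HTTP policy to one request; header names are expected lower-cased."""
    r = Result()
    if method.upper() not in ALLOWED_METHODS:
        r.findings.append(f"method not allowed: {method}")
    if version not in ALLOWED_VERSIONS:
        r.findings.append(f"HTTP version not allowed: {version}")

    # Validate UTF-8 on the raw bytes before any parser sees them.
    utf8_ok = True
    if validate_utf8:
        try:
            body.decode("utf-8")
        except UnicodeDecodeError as e:
            utf8_ok = False
            r.findings.append(f"invalid UTF-8 in body at offset {e.start}")

    ctype = headers.get("content-type")
    if ctype:
        media, params = parse_content_type(ctype)
        if media not in ALLOWED_CONTENT_TYPES:
            r.findings.append(f"content type not allowed: {media}")
        charset = params.get("charset")
        if charset and charset not in ALLOWED_CHARSETS:
            r.findings.append(f"charset not allowed: {charset}")
        r.body_processor = BODY_PROCESSORS.get(media)
    elif body and enforce_urlencoded_body:
        # Enforce URL Encoded Body: a body without Content-Type is parsed as form
        # data so the rules still get to inspect its arguments.
        r.body_processor = "URLENCODED"

    # Only the URL-encoded processor is modelled here; JSON and multipart parsing are out of scope.
    if r.body_processor == "URLENCODED" and utf8_ok:
        r.args = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    elif body and r.body_processor is None:
        r.findings.append("body present but no body processor selected; body not inspected")
    return r


if __name__ == "__main__":
    # Constructed requests: one clean form post, one with no Content-Type at all.
    print(check_request("POST", "HTTP/1.1",
                        {"content-type": "application/x-www-form-urlencoded; charset=utf-8"},
                        b"user=alice&q=caf%C3%A9"))
    print(check_request("POST", "HTTP/1.1", {}, b"cmd=status", enforce_urlencoded_body=False))
    print(check_request("POST", "HTTP/1.1", {}, b"cmd=status"))
```

The second and third calls differ only in the enforce flag: without it the body is never parsed and `args` stays empty, with it the same body yields `{'cmd': ['status']}` for the rules to examine.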
Sampling
Request sampling percentage: This setting allows the operator to specify a percentage of requests to sample for testing the impact of changes made to the system. Request sampling is an effective way of assessing the effectiveness of a web application firewall and tuning its settings.
Extension handling
Restricted extensions: This setting allows the operator to specify a list of file extensions that should not be allowed in requests. The aim of this setting is to prevent attackers from uploading files with malicious content to the server. Common restricted extensions include .sql, .backup, .back, and other extensions that are commonly associated with backup and database files.
Query args
- Max query arg length: This setting specifies the maximum length of a query argument that is allowed. Setting this value to a low number can prevent attackers from exploiting buffer overflows in web applications that are vulnerable to such attacks.
- Max query arg name length: This setting specifies the maximum length of a query argument name that is allowed. Setting this value to a low number can prevent attackers from exploiting buffer overflows in web applications that are vulnerable to such attacks.
- Max number of query args: This setting specifies the maximum number of query arguments that are allowed in a request. Setting this value to a low number can prevent attackers from overloading the web server with too many query arguments and causing a denial of service (DoS) attack.
- Total arg length: This setting specifies the maximum total length of all query arguments that are allowed in a request. Setting this value to a low number can prevent attackers from overloading the web server with too much data and causing a denial of service (DoS) attack.
File handling
- Max upload size: This setting specifies the maximum size of a file that can be uploaded to the web server. Setting this value to a low number can prevent attackers from uploading large files that could consume excessive resources on the server or carry malicious content.
- Combined file sizes: This setting specifies the maximum combined size of all files that can be uploaded to the web server. Setting this value to a low number can prevent attackers from uploading multiple files that could consume excessive resources on the server or carry malicious content.
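The extension, query-argument and file-handling limits above are all simple threshold checks on a parsed request, so one added example covers the three sections. This is illustrative code written here, not Peakhour's implementation: the `Limits` thresholds are constructed values, `check_limits` is a name chosen for the example, and only query-string arguments are counted (a real deployment also counts body arguments). Uploads are passed in as a mapping from filename to size in bytes.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, FrozenSet, List
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class Limits:
    # Constructed thresholds; tune them to the application as the settings above describe.
    restricted_extensions: FrozenSet[str] = frozenset({".sql", ".backup", ".back", ".bak"})
    max_arg_length: int = 400             # Max query arg length
    max_arg_name_length: int = 100        # Max query arg name length
    max_num_args: int = 255               # Max number of query args
    total_arg_length: int = 64_000        # Total arg length
    max_upload_size: int = 1_048_576      # Max upload size (bytes)
    combined_file_sizes: int = 5_242_880  # Combined file sizes (bytes)


def check_limits(target: str, uploads: Dict[str, int], limits: Limits = Limits()) -> List[str]:
    """Return the limit violations for a request target and its uploaded file sizes."""
    findings: List[str] = []
    parts = urlsplit(target)

    # Restricted extensions: judged on the last path component, case-insensitively.
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in limits.restricted_extensions:
        findings.append(f"restricted extension: {ext}")

    # Query args: decoded name/value pairs; blanks are kept so '?a=&b=' still counts two args.
    args = parse_qsl(parts.query, keep_blank_values=True)
    if len(args) > limits.max_num_args:
        findings.append(f"too many query args: {len(args)} > {limits.max_num_args}")
    total = 0
    for name, value in args:
        if len(name) > limits.max_arg_name_length:
            findings.append(f"arg name too long: {len(name)} chars")
        if len(value) > limits.max_arg_length:
            findings.append(f"arg value too long for {name}: {len(value)} chars")
        total += len(name) + len(value)
    if total > limits.total_arg_length:
        findings.append(f"total arg length {total} > {limits.total_arg_length}")

    # File handling: each upload on its own, then all uploads together.
    for filename, size in uploads.items():
        if size > limits.max_upload_size:
            findings.append(f"upload too large: {filename} ({size} bytes)")
    combined = sum(uploads.values())
    if combined > limits.combined_file_sizes:
        findings.append(f"combined upload size {combined} > {limits.combined_file_sizes}")
    return findings


if __name__ == "__main__":
    # Constructed requests exercising each limit.
    print(check_limits("/index.php?q=hello&page=2", {}))
    print(check_limits("/backups/site.sql", {}))
    print(check_limits("/export?data=" + "x" * 401, {}))
    print(check_limits("/a?x=1&y=2&z=3", {}, Limits(max_num_args=2)))
    print(check_limits("/upload", {"a.bin": 3_000_000, "b.bin": 3_000_000}))
```

Each check appends its own finding rather than returning at the first failure, so a single rejected request shows every limit it tripped, which makes tuning the thresholds against real traffic much easier than a bare block/allow answer.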
Rule exclusion
- WordPress: This setting allows the operator to exclude rules that are specific to WordPress from being enforced by the web application firewall. This can be useful if the web application is not based on WordPress and the rules do not apply.
- Drupal: This setting allows the operator to exclude rules that are specific to Drupal from being enforced by the web application firewall. This can be useful if the web application is not based on Drupal and the rules do not apply.
The OWASP-specific settings provide a range of controls that can be used to configure a web application firewall to meet the specific needs of an organization. By understanding the purpose of each setting and the risks they mitigate, web application administrators can effectively configure the web application firewall to defend against a range of web-based attacks.