Hi all,
I am currently looking at the performance of some rules in the OWASP CRS, especially the block "XSS Filters from IE" (modsecurity_crs_41_xss_attacks.conf), and I would like to have your opinion on the following two proposals:
1. Remove rules with IDs 973345 and 973346
The two rules 973345 and 973346 match HTML-encoded variants of
"vbscript:" and "javascript:". Both rules use the transformation
functions t:htmlEntityDecode and t:compressWhiteSpace. If I understand these
transformation functions correctly, then they are redundant with the regular
expression (e.g. the transformation from "&#x06A;" to "j" is already done by
t:htmlEntityDecode). If this is correct, then these rules are not needed,
because they are already covered by the block beginning with rule 981136. These
rules operate in the same phase and on the same targets.
Did I miss something?
2. Rule Pre-Filtering
Most of the remaining rules (except the last three rules, 973316, 973325 and
973319, and of course the rules from proposal 1) begin with one of the following
characters: < " '
Therefore I propose to pre-filter the whole "XSS Filters from IE" rule block
(except the last three rules 973316, 973325 and 973319) with a rule like:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<|\"|\'" \
    "phase:2,id:'10000',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'8',accuracy:'8',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,setvar:tx.pm_xss_filter_score=+%{tx.critical_anomaly_score}"
SecRule &TX:PM_XSS_FILTER_SCORE "@eq 0" \
    "phase:2,id:'10001',t:none,pass,skipAfter:END_XSS_FILTER_CHECK,nolog"
...
SecMarker END_XSS_FILTER_CHECK
With these two changes I measured a noticeable performance improvement of
15-25% (depending on parameter size and parameter count) in my test setup with the
whole CRS (base rules) activated.
Feedback and suggestions are welcome.
Regards,
Lucas Bremgartner
Owasp-modsecurity-core-rule-set mailing list: https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
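As an added example (not from the post above and not CRS or ModSecurity code): a small Python model of the proposed pre-filter. It re-implements the two transformations rule 10000 applies, t:htmlEntityDecode and t:compressWhiteSpace, from the ModSecurity reference manual's description (the handling of &amp; follows my reading of the C implementation and is an assumption), then applies the "<|\"|'" check so one can see exactly what the guarded rules would see and when rule 10001 would skip the block. The practitioner's check behind it: a pre-filter of this kind is only safe when it uses the same transformation chain, on the same targets, as the rules it guards, so the skip decision and the rules' own matching agree. The samples also show where a skip is expected (a javascript: URI with none of the three characters, which is why those rules stay outside the guarded block) and two limits of the decoder worth knowing: it makes a single pass, so a double-encoded bracket stays encoded, and it knows only the manual's short list of named entities, so &apos; stays literal. SAMPLES, _NAMED and the function names are this example's own; all sample values are constructed.

```python
"""Model of the proposed XSS pre-filter (added example, not part of the CRS).

Re-implements in Python the two ModSecurity transformations that the
proposed rule 10000 applies (t:htmlEntityDecode and t:compressWhiteSpace,
following the ModSecurity reference manual) and its "<|\"|'" check, so the
skip decision taken by rule 10001 can be inspected on sample parameters.
Everything in SAMPLES is constructed for this example.
"""
import re

# htmlEntityDecode: &#xHH / &#DDD with or without the trailing ';' plus the
# small fixed set of named entities listed in the reference manual ("amp" is
# included as well, which is how I read the C implementation).  Anything else
# is copied through unchanged, and the decoder makes a single pass, so
# "&amp;lt;" comes out as "&lt;", not as "<".
_NAMED = {"quot": '"', "amp": "&", "lt": "<", "gt": ">", "nbsp": "\xa0"}
_ENTITY = re.compile(r"&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z0-9]+));?")

# compressWhiteSpace: the listed whitespace bytes become 0x20 and runs collapse
# to a single space (it never removes whitespace altogether).
_WS = re.compile(r"[ \f\t\n\r\v\xa0]+")

# The proposed pre-filter pattern from rule 10000.
PREFILTER = re.compile(r"<|\"|'")


def html_entity_decode(s: str) -> str:
    def repl(m):
        hx, dec, name = m.groups()
        if hx is not None:                        # &#x06A; -> 'j'
            return chr(int(hx, 16) & 0xFF)        # one byte per entity, like the C cast
        if dec is not None:                       # &#60 -> '<'
            return chr(int(dec, 10) & 0xFF)
        return _NAMED.get(name.lower(), m.group(0))   # unknown name: left as-is
    return _ENTITY.sub(repl, s)


def compress_whitespace(s: str) -> str:
    return _WS.sub(" ", s)


def transform(value: str) -> str:
    """t:none,t:htmlEntityDecode,t:compressWhiteSpace, in the rule's order."""
    return compress_whitespace(html_entity_decode(value))


def prefilter_fires(value: str) -> bool:
    """True when rule 10000 would add tx.critical_anomaly_score for this value."""
    return PREFILTER.search(transform(value)) is not None


def xss_block_skipped(args: dict) -> bool:
    """Rule 10001 skips to END_XSS_FILTER_CHECK when tx.pm_xss_filter_score was
    never set, i.e. no target contains <, " or ' after the transformations.
    Only ARGS and ARGS_NAMES are modelled here; cookies and XML are left out."""
    targets = list(args.keys()) + list(args.values())
    return not any(prefilter_fires(t) for t in targets)


# Constructed parameter values for the demonstration.
SAMPLES = {
    "plain": "hello world",
    "encoded_tag": "&lt;script&gt;alert(1)&lt;/script&gt;",
    "decimal_no_semicolon": "&#60img src=x onerror=alert(1)&#62",
    "javascript_uri": "j&#x061;v&#x061;script:alert(1)",   # none of < " ' -> skipped
    "double_encoded": "&amp;lt;script&amp;gt;",            # single pass -> skipped
    "apos_entity": "x&apos; onmouseover=alert(1)",         # not in the named set -> skipped
}


def evaluate(samples: dict) -> dict:
    """Per sample: what the guarded rules would see, and whether the pre-filter fires."""
    return {name: (transform(v), prefilter_fires(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (seen, fires) in evaluate(SAMPLES).items():
        print(f"{name:22} fires={fires!s:5} sees={seen!r}")
    print("block skipped for all samples together:", xss_block_skipped(SAMPLES))
```

The two skipped encoded cases are not findings against the proposal: the guarded rules run the same transformation chain, so they would not have matched those values either. They are the reason the transformation list of the pre-filter must be kept identical to that of the rules it guards whenever the block is edited.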
