Hi all,

I am currently looking at the performance of some rules in the OWASP CRS, 
especially the block "XSS Filters from IE" 
(modsecurity_crs_41_xss_attacks.conf), and I would like to have your opinion on 
the following two proposals:

1. Remove rules with ID 973345 and 973346
The two rules 973345 and 973346 match HTML-encoded variants of 
"vbscript:" and "javascript:". Both rules use the transformation 
functions t:htmlEntityDecode and t:compressWhiteSpace. If I understand these 
transformation functions correctly, then they are redundant with the regular 
expression (e.g. the transformation from "&#x06A;" to "j" is already done by 
t:htmlEntityDecode). If this is correct, then these rules are not needed 
because they are already covered by the block beginning with rule 981136. These 
rules operate in the same phase and on the same targets.
Did I miss something? 

2. Rule Pre-Filtering
Most of the remaining rules (except the last 3 rules, 973316, 973325 and 973319, 
and of course the rules from proposal 1) begin with one of the following 
characters: < " '
Therefore I propose to pre-filter the whole "XSS Filters from IE" rule block 
(except the last 3 rules: 973316, 973325, 973319) with a rule like:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<|\"|\'" \
    "phase:2,id:'10000',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'8',accuracy:'8',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,setvar:tx.pm_xss_filter_score=+%{tx.critical_anomaly_score}"
SecRule &TX:PM_XSS_FILTER_SCORE "@eq 0" \
    "phase:2,id:'10001',t:none,pass,skipAfter:END_XSS_FILTER_CHECK,nolog"
...
SecMarker END_XSS_FILTER_CHECK


With these two changes I measured a noticeable performance improvement of 15 - 
25% (depending on parameter size and parameter count) in my test setup with the 
whole CRS (base rules) activated.

Feedback and suggestions are welcome.

Regards,
Lucas Bremgartner

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
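
The reasoning behind both proposals can be checked with a small model of the transformation chain. The Python below is an added example, not code from the post, from ModSecurity or from the CRS: html_entity_decode and compress_whitespace approximate t:htmlEntityDecode and t:compressWhiteSpace as the ModSecurity reference manual describes them (each entity becomes one byte, the trailing semicolon is optional, whitespace runs collapse to a single space), and every regex in it (the plain scheme check standing in for the 981136 block, the three "IE-n" filter stand-ins and their IDs) is an assumption chosen for illustration, not a real CRS pattern. It shows that entity-encoded "javascript:"/"vbscript:" variants are plain text by the time a regex sees them (proposal 1), and that the <|"|' gate lets a request without those characters skip the whole block at the cost of one cheap regex per target (proposal 2).

```python
"""Toy model of t:htmlEntityDecode + t:compressWhiteSpace and the proposed
XSS pre-filter gate.  Added example; approximations and stand-in regexes,
not ModSecurity or CRS code."""
import re

# t:htmlEntityDecode approximation: &#xHH, &#DDD and the five named entities
# the manual lists, semicolon optional, one entity always becomes one byte.
_ENTITY_RE = re.compile(r"&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|(quot|nbsp|lt|gt|amp));?")
_NAMED = {"quot": '"', "nbsp": "\xa0", "lt": "<", "gt": ">", "amp": "&"}


def html_entity_decode(s: str) -> str:
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16) & 0xFF)   # one byte per entity
        if m.group(2) is not None:
            return chr(int(m.group(2), 10) & 0xFF)
        return _NAMED[m.group(3)]
    return _ENTITY_RE.sub(repl, s)


# t:compressWhiteSpace approximation: any run of whitespace -> one 0x20.
_WS_RE = re.compile("[ \t\n\r\x0b\x0c\xa0]+")


def compress_whitespace(s: str) -> str:
    return _WS_RE.sub(" ", s)


def transform(s: str) -> str:
    """t:none,t:htmlEntityDecode,t:compressWhiteSpace, in that order."""
    return compress_whitespace(html_entity_decode(s))


# Proposal 1: a plain-text scheme regex (stand-in for the 981136 block,
# assumed pattern) already sees the entity-encoded variants after transform().
SCHEME_RE = re.compile(r"(?i)\b(?:java|vb)script:")


def scheme_rule_matches(value: str) -> bool:
    return SCHEME_RE.search(transform(value)) is not None


# Proposal 2: the gate rule (id 10000) uses the same transforms and the
# regex from the post; the skip rule (id 10001) fires when it never matched.
PREFILTER_RE = re.compile("<|\"|'")


def prefilter_hits(args: dict) -> bool:
    """True when any target value, after the transforms, contains <, \" or '."""
    return any(PREFILTER_RE.search(transform(v)) for v in args.values())


# Stand-ins for the "XSS Filters from IE" rules whose patterns start with
# < " or '.  Hypothetical IDs and patterns, not the CRS ones.
IE_FILTER_RULES = [
    ("IE-1", re.compile(r"(?i)<script")),
    ("IE-2", re.compile(r"(?i)<[a-z]+[^>]*\bon[a-z]+\s*=")),
    ("IE-3", re.compile(r"(?i)[\"']\s*javascript:")),
]


def run_ie_filter_block(args: dict) -> tuple:
    """Return (matched_rule_ids, number_of_IE_rule_regex_evaluations).

    With the gate in front, a request with no < " ' in any target spends
    zero evaluations on the IE rules (skipAfter:END_XSS_FILTER_CHECK).
    """
    evaluations = 0
    if not prefilter_hits(args):
        return [], evaluations
    matched = []
    for rule_id, pattern in IE_FILTER_RULES:
        for value in args.values():
            evaluations += 1
            if pattern.search(transform(value)):
                matched.append(rule_id)
                break
    return matched, evaluations
```

The caveat for the gate is that it only sees what its own transformation chain produces. An argument value that still carries a URL-encoded `%3C` (double-encoded on the wire, since ModSecurity URL-decodes ARGS once) does not trip the gate, so an inner rule with a longer chain, say one that adds t:urlDecodeUni, would never run on it. The pre-filter is only safe when its transformations are a superset of those used by every rule it can skip.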