Hi theMiddle,

On Mon, Jan 18, 2016 at 10:29:42AM +0100, theMiddle wrote:
> nice post! I completely agree about these following rules:

Thank you for the thumbs up. It's always nice to hear when people agree with a point in a post.

> My users often disable these two rules. I think that a false
> positive occurs each time these rules match a sequence of the same
> char in the URL. For example /mypost/title-of-my-new-blogpost or
> /verifyurl/sessionid----abcde1234.

In fact it is the total number of occurrences of any combination of special characters, which is a great indicator of any type of evil intent. But it comes with a lot of false positives.

> Probably this shouldn't happen with a rule that matches a sequence of
> different chars in the URL (/foo/bar-john@doe(bla)).

Actually, uuids in cookies, i.e. b079d69c-bddb-11e5-822b-9f71f5c3a1fe, will really get your WAF glowing.

Cheers,

Christian

--
In war you will generally find that the enemy has at any time three courses of action open to him. Of those three, he will invariably choose the fourth.
-- Helmuth Von Moltke

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
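The two heuristics the thread contrasts, as an added illustration that is not part of the mailing-list exchange or of the CRS rules themselves: counting every special-character occurrence (what Christian describes the rules doing) beside counting distinct special characters (the "sequence of different chars" theMiddle suggests), run over the sample URLs and the UUID cookie quoted above. The special-character set and the threshold of 3 are constructed for this example, not the CRS values.

```python
# Added illustration: special-character anomaly scoring on request fields.
# The character set and threshold below are constructed for this example;
# the real CRS rules use their own character classes and thresholds.

SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^`{|}~")

def total_special(value: str) -> int:
    """Heuristic described in the thread: every special character counts."""
    return sum(1 for ch in value if ch in SPECIAL)

def distinct_special(value: str) -> int:
    """Variant: repeated occurrences of one character count once, so the
    '----' in a session id or the four hyphens of a UUID add only 1.
    Caveat: this also lowers the score of anything that repeats a single
    special character, so it trades recall for fewer false positives."""
    return len({ch for ch in value if ch in SPECIAL})

def fires(value: str, scorer, threshold: int = 3) -> bool:
    """True when the scorer's count reaches the (constructed) threshold."""
    return scorer(value) >= threshold

# Constructed sample inputs, taken from the cases discussed in the thread.
SAMPLES = {
    "blog_slug": "/mypost/title-of-my-new-blogpost",        # benign URL
    "session_id": "/verifyurl/sessionid----abcde1234",      # benign URL
    "mixed_specials": "/foo/bar-john@doe(bla)",             # the case theMiddle wants caught
    "uuid_cookie": "b079d69c-bddb-11e5-822b-9f71f5c3a1fe",  # benign cookie value
}

def compare(samples=SAMPLES, threshold: int = 3) -> dict:
    """Return, per sample, both counts and whether each heuristic would fire."""
    return {
        name: {
            "total": total_special(v),
            "distinct": distinct_special(v),
            "total_fires": fires(v, total_special, threshold),
            "distinct_fires": fires(v, distinct_special, threshold),
        }
        for name, v in samples.items()
    }

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:15} total={r['total']} distinct={r['distinct']} "
              f"fires(total)={r['total_fires']} fires(distinct)={r['distinct_fires']}")
```

With the constructed threshold, the occurrence count fires on all four inputs, including the blog slug and the UUID cookie, while the distinct count fires only on /foo/bar-john@doe(bla).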