Walter,

On Sat, Feb 06, 2016 at 08:42:26PM +0100, Walter Hop wrote:
> To talk about my opinion of this rule a bit, it's super easy to trigger it.
> Just any text input for a URL will do.
> For example: http://example/?url=https://yahoo.com/

Just to make sure we are in the same boat: this rule triggers on any argument containing a URI which does not start with an FQDN identical to the Host header of the request. Am I right?

> That is super common and bound to give various false positives on
> registration forms, contact forms, blog comment forms, etcetera. Firing on
> any plain URL submitted in a form? That's a prime example of being paranoid :)

I cannot really tell why I hardly see any FPs with this. But OK, I agree with you, this is paranoid.

> My recommendation would be:
> 1) Put the full rule in paranoid set

Agree with that.

> 2) In the basic set, clone this rule, but ensure it doesn't work on ARGS:url

I understand your reasoning. But isn't that too much fiddling? Or is ARGS:url that common? I have the same functionality on ARGS:target, ARGS:remote, ARGS:back, ... Can't we leave that sort of tuning to the sysadmins? Why don't we simply move the rule from standard to paranoia mode, as it has too many false positives?

> 3) In the basic set, possibly consider raising the anomaly score if it's sent
> as ARGS:id, ARGS:page

It is already critical.

Cheers,

Christian

--
The need for mystery is greater than the need for an answer. --- Ken Kesey

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
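An added, constructed Python sketch (not CRS code, and not part of the thread) of the off-domain check as Christian restates it, with Walter's proposed basic-set exclusion of ARGS:url, run against Walter's example request; the function names, the URI regex and the sample queries are my own assumptions.

```python
import re
from urllib.parse import parse_qs

# Assumption: a URI is anything with an http/https/ftp scheme; group 1 is the FQDN
# (port, path and query are cut off, since only the host is compared).
URI_RE = re.compile(r"(?i)\b(?:https?|ftp)://([^/\s?#:]+)")


def off_domain_matches(host_header, query, excluded_args=()):
    """Return (arg_name, fqdn) for every argument carrying a URI whose FQDN is not
    the request's Host header. Arguments in excluded_args are skipped, which is
    the 'basic set' variant Walter suggests for ARGS:url."""
    host = host_header.split(":", 1)[0].lower()  # drop an explicit port
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in excluded_args:
            continue
        for value in values:
            for match in URI_RE.finditer(value):
                fqdn = match.group(1).lower()
                if fqdn != host:
                    hits.append((name, fqdn))
    return hits


# Assumption: the names Christian lists as carrying the same kind of URL argument.
BASIC_SET_EXCLUSIONS = ("url", "target", "remote", "back")


def evaluate(host_header, query, paranoia_mode):
    """Paranoia mode runs the full rule; the basic set skips the common URL args."""
    excluded = () if paranoia_mode else BASIC_SET_EXCLUSIONS
    return off_domain_matches(host_header, query, excluded)


if __name__ == "__main__":
    # Walter's example: a request to host 'example' with url=https://yahoo.com/
    for mode in (True, False):
        print("paranoia" if mode else "basic", evaluate("example", "url=https://yahoo.com/", mode))
```

Same-host references (for example `url=http://example/page` sent to host `example`) never match, and a URL in an unrelated argument such as `page=` still fires in both modes.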