Dear Hiranmayi Palanki,

I am not familiar with the ESAPI HTTP whitelisting, but I do know it's a helpful security layer. Combining ModSec with other defense methods makes a lot of sense with regards to security in depth etc.

The price is certainly the complexity and the additional source of false positives. So it depends on your security needs. I have sympathies for the double approach.

On Fri, Mar 04, 2016 at 05:53:32PM +0000, Hiranmayi Palanki wrote:
> 2. Is it overkill to enable both ESAPI HTTP whitelist validation and
> ModSecurity XSS blacklist regex patterns?

I do combine CRS with whitelisting at times. I include the CRS first, perform the anomaly score checking for the incoming request and if everything looks good, the whitelisting takes a closer look at every detail of the HTTP request.

> 3. Does it make sense to split some parts of the HTTP request to go
> through the ESAPI canonicalize and HTTP validation rules and split some parts
> of the HTTP request (e.g. query string) to traverse through ModSecurity?

That sounds quite crazy and bloody complicated. I do not see the benefit, honestly. However, the craziness of the idea intrigues me. Should you manage to pull this off, would you care to share the recipe with us?

> 4. Has anybody implemented both whitelist (through ESAPI HTTP
> validation) and blacklist regular expression pattern matching at the same
> time? If so, do you have an opinion on this combined approach?

Not me, sorry.

Best,

Christian

--
The greatest obstacle to being heroic is the doubt whether one may not be going to prove one's self a fool; the truest heroism is, to resist the doubt; and the profoundest wisdom, to know when it ought to be resisted, and when to be obeyed.
-- Nathaniel Hawthorne

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
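The "CRS first, anomaly check, then whitelist" ordering Christian describes, written out as an added ModSecurity 2.x configuration example (not his own configuration and not part of the CRS project). The CRS 3.x install paths, the /login endpoint with exactly the parameters "username" and "password", and the rule ids 10000-10004 are assumptions made for the illustration.

```apache
# Added example, not from the mail above or from the CRS project.
# Assumes CRS 3.x under /etc/modsecurity/crs/ and a login form at /login
# that takes only "username" and "password". Rule ids are chosen arbitrarily.

# 1. CRS first. Its blacklist rules only raise tx.anomaly_score; the CRS
#    blocking-evaluation rule (949110, phase 2) denies the request when the
#    score reaches tx.inbound_anomaly_score_threshold. Requests that reach
#    the rules below have therefore already passed the anomaly check.
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# 2. Whitelist for /login: skip the block for every other URI, then deny
#    anything that is not explicitly expected on this endpoint.
SecRule REQUEST_URI "!@beginsWith /login" \
    "id:10000,phase:2,pass,t:none,nolog,skipAfter:END_LOGIN_WHITELIST"

# Only GET and POST are expected on the login form.
SecRule REQUEST_METHOD "!@rx ^(?:GET|POST)$" \
    "id:10001,phase:2,deny,status:403,log,t:none,\
    msg:'Whitelist: unexpected method %{REQUEST_METHOD} on /login'"

# Any parameter name outside the known set is rejected.
SecRule ARGS_NAMES "!@rx ^(?:username|password)$" \
    "id:10002,phase:2,deny,status:403,log,t:none,\
    msg:'Whitelist: unexpected parameter %{MATCHED_VAR}'"

# Each known parameter gets a positive definition of its allowed content.
SecRule ARGS:username "!@rx ^[a-zA-Z0-9_.-]{1,64}$" \
    "id:10003,phase:2,deny,status:403,log,t:none,\
    msg:'Whitelist: username outside allowed character set or length'"

SecRule ARGS:password "!@rx ^.{8,128}$" \
    "id:10004,phase:2,deny,status:403,log,t:none,\
    msg:'Whitelist: password length outside 8-128 characters'"

SecMarker END_LOGIN_WHITELIST
```

Because the whitelist rules sit in phase 2 after the CRS includes, ModSecurity evaluates them only after rule 949110 has had its chance to block, which is the ordering the reply describes.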