Hello Christian,

Thank you for your response. I will indeed share the recipe, if at all this 
route is pursued.

The ESAPI HTTP white list validation is an open source library from OWASP. It 
provides white list input validation and output encoding amongst many of its 
features. 

The challenge is that developers are hesitant to remove this OWASP ESAPI 
library, given that it is offering white list HTTP request input validation. 
I'm interested in plugging in ModSecurity XSS rules, and therefore the combined 
approach is coming into play.

Based on your response, I'm deriving that sending all parts of the HTTP request 
(header, cookie, query string, etc.) in its entirety through either a whitelist 
or a blacklist is OK. But it does not make sense to validate the HTTP request 
header, cookie, query string with a blacklist and the HTTP scheme, URI path, 
context path etc. through a whitelist.

Thanks. Hiranmayi Palanki.

-----Original Message-----
From: Christian Folini [mailto:christian.fol...@netnea.com] 
Sent: Friday, March 04, 2016 3:27 PM
To: Hiranmayi Palanki
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] ESAPI HTTP request validation 
and ModSecurity CRS rules for XSS

Dear Hiranmayi Palanki,

I am not familiar with the ESAPI HTTP whitelisting, but I do know it's a 
helpful security layer. Combining ModSec with other defense methods makes a lot 
of sense with regards to security in depth etc.

The price is certainly the complexity and the additional source for false 
positives. So it depends on your security needs. I have sympathies for the 
double approach.

On Fri, Mar 04, 2016 at 05:53:32PM +0000, Hiranmayi Palanki wrote:
> 2.      Is it overkill to enable both ESAPI HTTP whitelist validation and 
> ModSecurity XSS blacklist regex patterns?

I do combine CRS with whitelisting at times. I include the CRS first, perform 
the anomaly score checking for the incoming request and if everything looks 
good, the whitelisting takes a closer look at every detail of the HTTP request.

> 3.      Does it make sense to split some parts of the HTTP request to go 
> through the ESAPI canonicalize and HTTP validation rules and split some parts 
> of the HTTP request (e.g. query string) to traverse through ModSecurity?

That sounds quite crazy and bloody complicated. I do not see the benefit, 
honestly. However, the craziness of the idea intrigues me.
Should you manage to pull this off, would you care to share the recipe with us?

> 4.      Has anybody implemented both whitelist (through ESAPI HTTP 
> validation) and blacklist regular expression pattern matching at the same 
> time? If so, do you have an opinion on this combined approach?

Not me, sorry.

Best,

Christian

--
The greatest obstacle to being heroic is the doubt whether one may not be going 
to prove one's self a fool; the truest heroism is, to resist the doubt; and the 
profoundest wisdom, to know when it ought to be resisted, and when to be obeyed.
-- Nathaniel Hawthorne
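The ordering Christian describes (CRS blacklist first, anomaly-score check, then a whitelist that inspects every detail of whatever got through) written out as a ModSecurity configuration skeleton. This is an added illustration, not configuration from Christian, from Hiranmayi or from the CRS project. It assumes the CRS 3.x file layout under /etc/modsecurity/crs (crs-setup.conf, rules/*.conf, with the inbound blocking-evaluation rule living in phase 2 in REQUEST-949-BLOCKING-EVALUATION.conf); the application prefix /app/, the parameter names and the rule ids in the 10000 range are placeholders.

```apache
# Added example, not from the mailing-list thread or the CRS project.
# Assumes a CRS 3.x installation under /etc/modsecurity/crs (assumption).

SecRuleEngine On
SecRequestBodyAccess On

# 1. CRS first. Its blacklist rules add to tx.anomaly_score, and the
#    blocking-evaluation rule (phase 2) compares that score with the
#    inbound threshold from crs-setup.conf and denies when it is exceeded.
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# 2. Whitelist after the CRS include. Rules in the same phase execute in
#    configuration order, so these phase-2 rules only see requests the
#    anomaly check already let through. Anything not explicitly allowed
#    is denied. Ids 10000-10004 are placeholders; /app/ and the parameter
#    names user/page/q are hypothetical.

# Method: only GET and POST are permitted
SecRule REQUEST_METHOD "!@rx ^(?:GET|POST)$" \
    "id:10000,phase:2,deny,status:403,log,msg:'Whitelist: method not allowed'"

# URI path: fixed application prefix, restricted character set, bounded length
SecRule REQUEST_FILENAME "!@rx ^/app/[a-zA-Z0-9/_-]{0,128}$" \
    "id:10001,phase:2,deny,status:403,log,msg:'Whitelist: path not allowed'"

# Query string and body: every parameter name must be one we expect ...
SecRule ARGS_NAMES "!@rx ^(?:user|page|q)$" \
    "id:10002,phase:2,deny,status:403,log,msg:'Whitelist: unexpected parameter %{MATCHED_VAR}'"

# ... and each expected parameter must match its own strict pattern
SecRule ARGS:user "!@rx ^[a-z0-9]{1,16}$" \
    "id:10003,phase:2,deny,status:403,log,msg:'Whitelist: bad user value'"
SecRule ARGS:page "!@rx ^[0-9]{1,4}$" \
    "id:10004,phase:2,deny,status:403,log,msg:'Whitelist: bad page value'"
```

The whitelist rules sit in phase 2 on purpose: that is where the CRS takes its blocking decision, so placing the positive checks later in the same phase keeps Christian's "CRS first, then the close look" ordering without any splitting of the request between the two layers. Each whitelist rule is also one more place a legitimate request can be rejected, which is the extra false-positive source Christian warns about; logging with a descriptive msg is what makes those rejections cheap to triage.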


_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
