Hello,

On Fri, Mar 04, 2016 at 10:33:05PM +0000, Hiranmayi Palanki wrote:
> Thank you for your response. I will indeed share the recipe, if at all this
> route is pursued.

Great. We could put it into the OWASP wiki.

> Based on your response, I'm deriving that sending all parts of the
> HTTP request (header, cookie, query string, etc.) in its entirety
> through either a whitelist or a blacklist is ok. But, it does not make
> sense to validate the HTTP request header, cookie, query string with a
> blacklist and the HTTP scheme, URI path, context path, etc. through a
> whitelist.

I'd say sending it all through a blacklist first _and_ through a whitelist
afterwards works fine. I'm doing it for a couple of sites and it works
nicely.

Ahoj,

Christian

>
> Thanks.
> Hiranmayi Palanki.
>
> -----Original Message-----
> From: Christian Folini [mailto:christian.fol...@netnea.com]
> Sent: Friday, March 04, 2016 3:27 PM
> To: Hiranmayi Palanki
> Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] ESAPI HTTP request validation and ModSecurity CRS rules for XSS
>
> Dear Hiranmayi Palanki,
>
> I am not familiar with the ESAPI HTTP whitelisting, but I do know it's
> a helpful security layer. Combining ModSec with other defense methods
> makes a lot of sense with regards to security in depth etc.
>
> The price is certainly the complexity and the additional source for
> false positives. So it depends on your security needs. I have
> sympathies for the double approach.
>
> On Fri, Mar 04, 2016 at 05:53:32PM +0000, Hiranmayi Palanki wrote:
> > 2. Is it overkill to enable both ESAPI HTTP whitelist
> > validation and ModSecurity XSS blacklist regex patterns?
>
> I do combine CRS with whitelisting at times. I include the CRS first,
> perform the anomaly score checking for the incoming request and if
> everything looks good, the whitelisting takes a closer look at every
> detail of the HTTP request.
>
> > 3. Does it make sense to split some parts of the HTTP request
> > to go through the ESAPI canonicalize and HTTP validation rules and
> > split some parts of the HTTP request (e.g. query string) to traverse
> > through ModSecurity?
>
> That sounds quite crazy and bloody complicated. I do not see the
> benefit, honestly. However, the craziness of the idea intrigues me.
> Should you manage to pull this off, would you care to share the recipe
> with us?
>
> > 4. Has anybody implemented both whitelist (through ESAPI HTTP
> > validation) and blacklist regular expression pattern matching at the
> > same time? If so, do you have an opinion on this combined approach?
>
> Not me, sorry.
>
> Best,
>
> Christian
>
> --
> The greatest obstacle to being heroic is the doubt whether one may
> not be going to prove one's self a fool; the truest heroism is, to
> resist the doubt; and the profoundest wisdom, to know when it ought to
> be resisted, and when to be obeyed.
> -- Nathaniel Hawthorne
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
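Added example, not part of the thread and not Christian's or the CRS project's own configuration: an Apache httpd + ModSecurity 2.x setup that does what the replies above describe, the CRS blacklist with its anomaly scoring first, then a positive-security whitelist that inspects method, Host, path, parameter names and values, and cookies. The whitelist is written as ModSecurity rules rather than ESAPI validators. The CRS path, the local rule IDs 10001 to 10010, the endpoint paths, parameter names, cookie name, value formats and the host name example.com are all assumptions standing in for a hypothetical application.

```apache
# Added example (not from the thread): blacklist (CRS) first, whitelist afterwards.
# Assumptions: the OWASP CRS is checked out in /etc/modsecurity/crs; rule IDs
# 10001-10010 are unused (1-99,999 is reserved for local rules); the paths,
# parameter names, cookie name and value formats describe a hypothetical
# application and must be replaced with the real application's contract.

SecRuleEngine On
SecRequestBodyAccess On

# --- Stage 1: blacklist. The CRS scores every request; its own blocking
# evaluation rule runs in phase 2 and denies once the inbound anomaly score
# reaches the configured threshold. Denied requests never reach stage 2.
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# --- Stage 2: whitelist. Within a phase, rules run in configuration order,
# so these phase-2 rules are evaluated only for requests the CRS let through.
# Everything not explicitly allowed is denied with 403.

# Only GET and POST are used by the application.
SecRule REQUEST_METHOD "!@rx ^(?:GET|POST)$" \
    "id:10001,phase:2,t:none,deny,status:403,log,msg:'Whitelist: unexpected method %{REQUEST_METHOD}'"

# Only the application's own virtual host (placeholder host name).
SecRule REQUEST_HEADERS:Host "!@rx ^(?:www\.)?example\.com$" \
    "id:10002,phase:2,t:none,deny,status:403,log,msg:'Whitelist: unexpected Host header'"

# Known endpoints only (REQUEST_FILENAME is the path without the query string).
SecRule REQUEST_FILENAME "!@rx ^/(?:index\.html|login|search|api/items/[0-9]{1,10})$" \
    "id:10003,phase:2,t:none,deny,status:403,log,msg:'Whitelist: unknown path %{REQUEST_FILENAME}'"

# Every parameter name (query string and body) must be one the application knows.
SecRule ARGS_NAMES "!@rx ^(?:q|page|username|password)$" \
    "id:10004,phase:2,t:none,deny,status:403,log,msg:'Whitelist: unexpected parameter %{MATCHED_VAR}'"

# Each known parameter must match its own format. A rule whose target is
# absent from the request does not run, so optional parameters need no
# extra presence check.
SecRule ARGS:page "!@rx ^[0-9]{1,4}$" \
    "id:10005,phase:2,t:none,deny,status:403,log,msg:'Whitelist: bad page value'"
SecRule ARGS:q "!@rx ^[A-Za-z0-9 ._-]{1,64}$" \
    "id:10006,phase:2,t:none,deny,status:403,log,msg:'Whitelist: bad search term'"
SecRule ARGS:username "!@rx ^[a-z0-9_]{3,32}$" \
    "id:10007,phase:2,t:none,deny,status:403,log,msg:'Whitelist: bad username'"
# Passwords may contain any character; constrain only the length.
SecRule ARGS:password "!@rx ^.{8,128}$" \
    "id:10008,phase:2,t:none,deny,status:403,log,msg:'Whitelist: bad password length'"

# Cookies: only the session cookie, and its value must look like a session id.
SecRule REQUEST_COOKIES_NAMES "!@rx ^JSESSIONID$" \
    "id:10009,phase:2,t:none,deny,status:403,log,msg:'Whitelist: unexpected cookie %{MATCHED_VAR}'"
SecRule REQUEST_COOKIES:JSESSIONID "!@rx ^[A-F0-9]{32}$" \
    "id:10010,phase:2,t:none,deny,status:403,log,msg:'Whitelist: bad session id'"
```

The Include order is what makes the two stages sequential: the whitelist rules sit after the CRS in the configuration, so inside phase 2 they are only reached by requests the CRS blocking evaluation did not deny. The whitelist is the part Christian flags as the extra source of false positives, since it rejects anything the application contract does not list; run the whole thing with SecRuleEngine DetectionOnly (or with the whitelist rules set to pass instead of deny) and read the audit log for a while before switching to blocking.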