diff --git a/404.html b/404.html index 153cecc..df63eb5 100644 --- a/404.html +++ b/404.html @@ -2,4 +2,4 @@

Page not found :(

The page you are looking for doesn't exist or has been moved.

Top
\ No newline at end of file +

Page not found :(

The page you are looking for doesn't exist or has been moved.

Top
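Review bot: this hunk is whitespace-only: the removed and added copies of the 404 page carry the same text ("Page not found :(", "The page you are looking for doesn't exist or has been moved.", "Top"), and both sides still end with "\ No newline at end of file". The same EOF marker is repeated on both sides of every file in this patch, so whichever generator strips the trailing spaces should also emit a final newline; otherwise the next whitespace pass will produce the same full-file hunks again.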
\ No newline at end of file diff --git a/connectors/caddy/index.html b/connectors/caddy/index.html index 4c99bd8..6970816 100644 --- a/connectors/caddy/index.html +++ b/connectors/caddy/index.html @@ -3,4 +3,4 @@

OWASP Coraza




Top
\ No newline at end of file +Edit this page on
← HAProxy Coraza SPOA
Top
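Review bot: the added link text reads "Edit this page on" with nothing after "on", so the template variable that should name the host (and carry the repository URL) looks unset; the same truncated anchor appears on every page this patch adds the link to (coraza-spoa, benchmarks, body-processing, extending, internals). Check the site config before merging. The new "← HAProxy Coraza SPOA" previous-page link matches the "Caddy →" next-page link on the coraza-spoa page, so the navigation pair is consistent.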
\ No newline at end of file diff --git a/connectors/coraza-spoa/index.html b/connectors/coraza-spoa/index.html index 21ae812..e48f0a6 100644 --- a/connectors/coraza-spoa/index.html +++ b/connectors/coraza-spoa/index.html @@ -113,4 +113,4 @@ listed in the include section:

Once the coraza-spoa daemon is running you can begin with the Coraza Engine and Coreruleset configuration.

HELP

If you need help & support you could check the #coraza channel in the OWASP Slack: https://owasp.org/slack/invite

Caddy →
Top
\ No newline at end of file +Edit this page on
Caddy →
Top
\ No newline at end of file diff --git a/connectors/index.html b/connectors/index.html index 5c222cb..754fd02 100644 --- a/connectors/index.html +++ b/connectors/index.html @@ -6,4 +6,4 @@ Repo: https://github.com/corazawaf/coraza-spoa - Compatibility:

Caddy

Author: - Repo: - -Compatibility:

Top
\ No newline at end of file +Compatibility:

Top
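Review bot: the Caddy entry still has no metadata: the removed side shows the placeholders "Author: - Repo: - -Compatibility:" and the added side keeps a bare "Compatibility:" with no value, while the HAProxy entry above it lists a repo (https://github.com/corazawaf/coraza-spoa). Either fill in the Caddy connector's author, repository and compatibility or drop the empty label rather than shipping a dangling "Compatibility:".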
\ No newline at end of file diff --git a/contributors/felipe-zipitria/index.html b/contributors/felipe-zipitria/index.html index 1c88d00..da9f162 100644 --- a/contributors/felipe-zipitria/index.html +++ b/contributors/felipe-zipitria/index.html @@ -2,4 +2,4 @@

Felipe Zipitria

You can find me fzipi @ github!

Top
\ No newline at end of file +

Felipe Zipitria

You can find me fzipi @ github!

Top
\ No newline at end of file diff --git a/contributors/index.html b/contributors/index.html index b619405..16e0550 100644 --- a/contributors/index.html +++ b/contributors/index.html @@ -2,4 +2,4 @@
Top
\ No newline at end of file +
Top
\ No newline at end of file diff --git a/contributors/juan-pablo-tosso/index.html b/contributors/juan-pablo-tosso/index.html index 393808c..714f4be 100644 --- a/contributors/juan-pablo-tosso/index.html +++ b/contributors/juan-pablo-tosso/index.html @@ -4,4 +4,4 @@

Juan Pablo Tosso

Hi, I'm Juan Pablo Tosso, OWASP #Coraza project co-leader - Research Engineer at @traceableai, Proud Father and Open-Source Developer.

Top
\ No newline at end of file +Juan Pablo Tosso twitter
Top
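Review bot: the removed side of this hunk contains the bio paragraph ("Hi, I'm Juan Pablo Tosso, OWASP #Coraza project co-leader ...") and the added side shows only "Juan Pablo Tosso twitter" followed by "Top". If the bio was meant to move elsewhere on the page it should appear in the hunk as context; as rendered here it is dropped, so confirm that is intended, and check that the new "twitter" link is wired to a URL rather than just the word.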
\ No newline at end of file diff --git a/docs/index.html b/docs/index.html index c18cbe7..da9159c 100644 --- a/docs/index.html +++ b/docs/index.html @@ -2,4 +2,4 @@
Top
\ No newline at end of file +
Top
\ No newline at end of file diff --git a/docs/reference/benchmarks/index.html b/docs/reference/benchmarks/index.html index a20a201..6c202d9 100644 --- a/docs/reference/benchmarks/index.html +++ b/docs/reference/benchmarks/index.html @@ -12,4 +12,4 @@ go test -bench=. ./...

Using Docker

docker run jptosso/coraza-benchmark:latest
 
← Upgrade to v3 🆕
Body Processing →
Top
\ No newline at end of file +Edit this page on
← Upgrade to v3 🆕
Body Processing →
Top
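Review bot: only the edit link is added here; the surrounding context still tells readers to run `docker run jptosso/coraza-benchmark:latest`, an image under a personal namespace with a floating tag, so anyone reproducing the benchmarks cannot pin what they ran. Since the page is now editable, consider referencing an image under the project's own namespace, or a digest, when one is available; not a blocker for this patch.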
\ No newline at end of file diff --git a/docs/reference/body-processing/index.html b/docs/reference/body-processing/index.html index 19e0f8e..e6c7e7c 100644 --- a/docs/reference/body-processing/index.html +++ b/docs/reference/body-processing/index.html @@ -11,4 +11,4 @@ ExpandCollapse

Body Processing

BodyBuffer

BodyBuffer is used to effectively handle large bodies. Coraza has to buffer the body in order to make reliable blocking possible. Future versions might implement a more efficient solution.

BodyBuffer.Reader is a io.Reader that reads from either a memory buffer or a file. Using files is disabled for tinygo.

Important: Copying a Reader to BodyBuffer will most likely flush the original reader. In most cases you will have to keep two copies of the reader, one for coraza, and one for your application. You can simply replace your reader pointer with the BodyBuffer reader pointer.

Body Processors

Body processors are designed to handle requests and responses in the same context. Most processors can handle either a request or a response, but there are cases of body processors like JSON, that can handle request and response in different context. Request-Response correlation is the responsibility of the processor, and the current use-case is GraphQL.

Body ProcessorRequestResponseCorrelationTinygo support
URLEncodedYesNoNoYes
XML (Partial Support)YesYesNoNo
MultipartYesNoNoYes
JSONYesYesNoYes
GraphQLTBDTBDYesTBD
← Benchmarks
Extending →
Top
\ No newline at end of file +Edit this page on
← Benchmarks
Extending →
Top
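Review bot: the edit link is the only change; the "Important" paragraph it sits under should be tightened while someone is in there, because "Copying a Reader to BodyBuffer will most likely flush the original reader" hedges on a point connectors depend on: once the body has been read into the buffer, a connector that hands the original reader to the application forwards nothing, which is why the page tells you to swap in BodyBuffer.Reader. The table also still lists XML as "Partial Support" and every GraphQL cell as "TBD", so rule authors should not assume those processors populate the same variables as URLEncoded, Multipart and JSON.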
\ No newline at end of file diff --git a/docs/reference/extending/index.html b/docs/reference/extending/index.html index 6a828ca..12e0769 100644 --- a/docs/reference/extending/index.html +++ b/docs/reference/extending/index.html @@ -137,4 +137,4 @@ type: action|operator|transformation description: Will match if the number is even
← Body Processing
Top
\ No newline at end of file +Edit this page on
← Body Processing
Top
\ No newline at end of file diff --git a/docs/reference/index.html b/docs/reference/index.html index fb92bc7..b5ca5d8 100644 --- a/docs/reference/index.html +++ b/docs/reference/index.html @@ -2,4 +2,4 @@
Top
\ No newline at end of file +
Top
\ No newline at end of file diff --git a/docs/reference/internals/index.html b/docs/reference/internals/index.html index 0739abf..a64274c 100644 --- a/docs/reference/internals/index.html +++ b/docs/reference/internals/index.html @@ -22,4 +22,4 @@ ] }

Some helpers may be used for this cases, like tx.GetCollection(variables.RequestHeaders).GetFirstString("").

Variables are compiled in runtime in order to support Regex(precompiled) and XML, the function tx.GetField(variable). Using RuleVariable.Exceptions and []exceptions might seem redundant but both are different, the list of exception is complemented from the rule. In case of Regex, GetField will use RuleVariable.Regex to match data instead of RuleVariable.Key.

Note: Collections are not concurrent-safe, don’t share transactions between routines.

Phases

Phases are used by RuleGroup to filter between execution phases on HTTP/1.1 and HTTP/1.0.

Phase 1: Request Headers

This phase process theorically consists in three phases:

Phase 2: Request Body

This phase only runs when RequestBodyAcces is On, otherwise we will skip to phase 3. This phase will do one of the following:

See Body Handling for more info.

Phase 3: Response Headers

Phase 4: Response Body

Phase 5: Logging

This is a special phase, it will always run but it must be handled by the client. For example, if there is any error reported by Coraza, the client must at least implement a defer tx.ProcessLogging(). This phase will close handlers, save persistent collections and write audit loggers, in order to write the audit loggers the following conditions must be met:

Body handling

BodyBuffer is a struct that will manage the request or response buffer and store the data to temprary files if required. BodyBuffer will apply a few rules to decide whether to buffer the data in memory or write a temporary file, it will also return a Reader to the memory buffer or the temporary file created. Temporary files must be deleted by tx.ProccessLoging.

Persistent Collections

Not working yet.

The tx.ProcessRequest(req) helper

← OWASP Core Ruleset
Using Plugins →
Top
\ No newline at end of file +Edit this page on
← OWASP Core Ruleset
Using Plugins →
Top
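Review bot: adding an edit link to this page is useful because the visible context has several gaps a contributor should pick up: "This phase process theorically consists in three phases:", "This phase will do one of the following:" and "the following conditions must be met:" each introduce a list that is missing; "The tx.ProcessRequest(req) helper" is a heading with no body; "Persistent Collections" says only "Not working yet."; and "RequestBodyAcces" and "tx.ProccessLoging" are misspelled (the directive is SecRequestBodyAccess, and the same page names the helper tx.ProcessLogging in the Phase 5 text). The last one matters operationally: the text says temporary body files are deleted only by that call, so a connector that never reaches the logging phase leaves buffered request bodies on disk.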
\ No newline at end of file diff --git a/docs/seclang/actions/index.html b/docs/seclang/actions/index.html index 4071fd0..a841e60 100644 --- a/docs/seclang/actions/index.html +++ b/docs/seclang/actions/index.html @@ -16,7 +16,7 @@ setvar:tx.xss_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" -

allow

Description: Stops rule processing on a successful match and allows the transaction to proceed.

Action Group: Disruptive

Example:

# Allow unrestricted access from 192.168.1.100 
+

allow

Description: Stops rule processing on a successful match and allows the transaction to proceed.

Action Group: Disruptive

Example:

# Allow unrestricted access from 192.168.1.100
 SecRule REMOTE_ADDR "^192\.168\.1\.100$" phase:1,id:95,nolog,allow
 

Prior to Coraza 2.5 the allow action would only affect the current phase. An allow in phase 1 would skip processing the remaining rules in phase 1 but the rules from phase 2 would execute. Starting with v2.5.0 allow was enhanced to allow for fine-grained control of what is done. The following rules now apply:

If used on its own, like in the example above, allow will affect the entire transaction, stopping processing of the current phase, but also skipping over all other phases apart from the logging phase. (The logging phase is special; it is designed to always execute.) If used with parameter “phase”, allow will cause the engine to stop processing the current phase. Other phases will continue as normal. @@ -32,32 +32,32 @@ SecAction phase:3,allow,id:98
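Review bot: on the allow hunk above (the one headed "# Allow unrestricted access from 192.168.1.100"), the only change is the trailing space dropped from that comment line. The example would read better if the comment said what the text below it explains: a bare `allow` in phase 1 skips phases 2 through 4 as well, so request-body and response inspection are switched off for that client, not just the remaining phase-1 rules. Anyone copying the example for an internal allowlist should understand they are disabling the WAF for that address, not fast-tracking a header check; `allow:phase` is the form that only ends the current phase.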

append

Description: Appends text given as parameter to the end of response body. Content injection must be enabled (using the SecContentInjection directive). No content type checks are made, which means that before using any of the content injection actions, you must check whether the content type of the response is adequate for injection.

Action Group: Non-disruptive

Processing Phases: 3 and 4.

Example:

SecRule RESPONSE_CONTENT_TYPE "^text/html" "nolog,id:99,pass,append:'<hr>Footer'"
 

Warning : Although macro expansion is allowed in the additional content, you are strongly cautioned against inserting user-defined data fields into output. Doing so would create a cross-site scripting vulnerability.

auditlog

Description: Marks the transaction for logging in the audit log.

Action Group: Non-disruptive

Example:

SecRule REMOTE_ADDR "^192\.168\.1\.100$" "auditlog,phase:1,id:100,allow"
-

Note : The auditlog action is now explicit if log is already specified.

block

Description: Performs the disruptive action defined by the previous SecDefaultAction.

Action Group: Disruptive

This action is essentially a placeholder that is intended to be used by rule writers to request a blocking action, but without specifying how the blocking is to be done. The idea is that such decisions are best left to rule users, as well as to allow users, to override blocking if they so desire. In future versions of Coraza, more control and functionality will be added to define “how” to block.

Examples:

# Specify how blocking is to be done 
+

Note : The auditlog action is now explicit if log is already specified.

block

Description: Performs the disruptive action defined by the previous SecDefaultAction.

Action Group: Disruptive

This action is essentially a placeholder that is intended to be used by rule writers to request a blocking action, but without specifying how the blocking is to be done. The idea is that such decisions are best left to rule users, as well as to allow users, to override blocking if they so desire. In future versions of Coraza, more control and functionality will be added to define “how” to block.

Examples:

# Specify how blocking is to be done
 SecDefaultAction "phase:2,deny,id:101,status:403,log,auditlog"
 
-# Detect attacks where we want to block 
+# Detect attacks where we want to block
 SecRule ARGS "@rx attack1" "phase:2,block,id:102"
 
-# Detect attacks where we want only to warn 
+# Detect attacks where we want only to warn
 SecRule ARGS "@rx attack2" "phase:2,pass,id:103"
-

It is possible to use the SecRuleUpdateActionById directive to override how a rule handles blocking. This is useful in three cases:

  1. If a rule has blocking hard-coded, and you want it to use the policy you determine
  2. If a rule was written to block, but you want it to only warn
  3. If a rule was written to only warn, but you want it to block

The following example demonstrates the first case, in which the hard-coded block is removed in favor of the user-controllable block:

# Specify how blocking is to be done 
+

It is possible to use the SecRuleUpdateActionById directive to override how a rule handles blocking. This is useful in three cases:

  1. If a rule has blocking hard-coded, and you want it to use the policy you determine
  2. If a rule was written to block, but you want it to only warn
  3. If a rule was written to only warn, but you want it to block

The following example demonstrates the first case, in which the hard-coded block is removed in favor of the user-controllable block:

# Specify how blocking is to be done
 SecDefaultAction "phase:2,deny,status:403,log,auditlog,id:104"
 
-# Detect attacks and block 
+# Detect attacks and block
 SecRule ARGS "@rx attack1" "phase:2,id:1,deny"
 
-# Change how rule ID 1 blocks 
+# Change how rule ID 1 blocks
 SecRuleUpdateActionById 1 "block"
 

capture

Description: When used together with the regular expression operator @rx, the capture action creates a copy of the regular expression captures and places them into the transaction variable collection.

Action Group: Non-disruptive

Example:

SecRule REQUEST_BODY "^username=(\w{25,})" phase:2,capture,t:none,chain,id:105
   SecRule TX:1 "(?:(?:a(dmin|nonymous)))"
-

Up to 10 captures will be copied on a successful pattern match, each with a name consisting of a digit from 0 to 9. The TX.0 variable always contains the entire area that the regular expression matched. All the other variables contain the captured values, in the order in which the capturing parentheses appear in the regular expression.

**This action is being forced by now, it might be reused in the future)

chain

Description: Chains the current rule with the rule that immediately follows it, creating a rule chain. Chained rules allow for more complex processing logic.

Action Group: Flow

Example:

# Refuse to accept POST requests that do not contain a Content-Length header. 
+

Up to 10 captures will be copied on a successful pattern match, each with a name consisting of a digit from 0 to 9. The TX.0 variable always contains the entire area that the regular expression matched. All the other variables contain the captured values, in the order in which the capturing parentheses appear in the regular expression.

**This action is being forced by now, it might be reused in the future)

chain

Description: Chains the current rule with the rule that immediately follows it, creating a rule chain. Chained rules allow for more complex processing logic.

Action Group: Flow

Example:

# Refuse to accept POST requests that do not contain a Content-Length header.
 #
 # Note: this rule should be preceded by a rule that verifies only valid
 # request methods are used.
 SecRule REQUEST_METHOD "^POST$" "phase:1,chain,t:none,id:105"
   SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none"
 

Note : Rule chains allow you to simulate logical AND. The disruptive actions specified in the first portion of the chained rule will be triggered only if all of the variable checks return positive hits. If any one aspect of a chained rule comes back negative, then the entire rule chain will fail to match. Also note that disruptive actions, execution phases, metadata actions (id, rev, msg, tag, severity, logdata), skip, and skipAfter actions can be specified only by the chain starter rule. -The following directives can be used in rule chains:

Special rules control the usage of actions in chained rules:

ctl

Description: Changes Coraza configuration on transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

Action Group: Non-disruptive

Example:

# Parse requests with Content-Type "text/xml" as XML 
+The following directives can be used in rule chains:

Special rules control the usage of actions in chained rules:

ctl

Description: Changes Coraza configuration on transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

Action Group: Non-disruptive

Example:

# Parse requests with Content-Type "text/xml" as XML
 SecRule REQUEST_CONTENT_TYPE ^text/xml "nolog,pass,id:106,ctl:requestBodyProcessor=XML"
 
 # white-list the user parameter for rule #981260 when the REQUEST_URI is /index.php
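Review bot: every change in this hunk is a trailing space removed from a comment line, but the context it touches exposes text that should be fixed in the same pass: "The following directives can be used in rule chains:" and "Special rules control the usage of actions in chained rules:" both introduce lists that are not there, and the capture note "**This action is being forced by now, it might be reused in the future)" has an unmatched "**" and a closing parenthesis with no opening one, so whatever it means (that capture is currently always enabled?) is unreadable. The chain note that disruptive actions, phase, metadata, skip and skipAfter may only appear on the chain starter is the part rule authors trip over most; it is correct and worth keeping as the lead sentence.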
@@ -67,10 +67,10 @@
 

drop

Description: Initiates an immediate close of the TCP connection by sending a FIN packet.

Action Group: Disruptive

Example: The following example initiates an IP collection for tracking Basic Authentication attempts. If the client goes over the threshold of more than 25 attempts in 2 minutes, it will DROP subsequent connections.

SecAction phase:1,id:109,initcol:ip=%{REMOTE_ADDR},nolog
 SecRule ARGS:login "!^$" "nolog,phase:1,id:110,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=25/120"
 SecRule IP:AUTH_ATTEMPT "@gt 25" "log,drop,phase:1,id:111,msg:'Possible Brute Force Attack'"
-

Note : This action depends on each implementation, the server is instructed to drop the connection.

This action is extremely useful when responding to both Brute Force and Denial of Service attacks in that, in both cases, you want to minimize both the network bandwidth and the data returned to the client. This action causes error message to appear in the log “(9)Bad file descriptor: core_output_filter: writing data to the network”

exec

Description: Executes an external script/binary supplied as parameter.

Action Group: Non-disruptive

Example:

# Run external program on rule match 
+

Note : This action depends on each implementation, the server is instructed to drop the connection.

This action is extremely useful when responding to both Brute Force and Denial of Service attacks in that, in both cases, you want to minimize both the network bandwidth and the data returned to the client. This action causes error message to appear in the log “(9)Bad file descriptor: core_output_filter: writing data to the network”

exec

Description: Executes an external script/binary supplied as parameter.

Action Group: Non-disruptive

Example:

# Run external program on rule match
 SecRule REQUEST_URI "^/cgi-bin/script\.pl" "phase:2,id:112,t:none,t:lowercase,t:normalizePath,block,\ exec:/usr/local/apache/bin/test.sh"
 
-# Run Lua script on rule match 
+# Run Lua script on rule match
 SecRule ARGS:p attack "phase:2,id:113,block,exec:/usr/local/apache/conf/exec.lua"
 

The exec action is executed independently from any disruptive actions specified. External scripts will always be called with no parameters. Some transaction information will be placed in environment variables. All the usual CGI environment variables will be there. You should be aware that forking a threaded process results in all threads being replicated in the new process. Forking can therefore incur larger overhead in a multithreaded deployment. The script you execute must write something (anything) to stdout; if it doesn’t, Coraza will assume that the script failed, and will record the failure.

expirevar

Description: Configures a collection variable to expire after the given time period (in seconds).

Supported on Coraza: TBI

Action Group: Non-disruptive

Example:

SecRule REQUEST_COOKIES:JSESSIONID "!^$" "nolog,phase:1,id:114,pass,setsid:%{REQUEST_COOKIES:JSESSIONID}"
 SecRule REQUEST_URI "^/cgi-bin/script\.pl" "phase:2,id:115,t:none,t:lowercase,t:normalizePath,log,allow,\
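Review bot: whitespace-only changes again, but two things in the surrounding text deserve a follow-up. First, the drop description, its "(9)Bad file descriptor: core_output_filter" remark and the exec examples under /usr/local/apache are Apache/ModSecurity wording; the note already says drop "depends on each implementation", and the same caveat applies to exec, which executes an arbitrary binary named in rule configuration and therefore needs an explicit statement of whether and how each Coraza connector supports it. Second, the drop example relies on `initcol:ip=%{REMOTE_ADDR}` and `deprecatevar:ip.auth_attempt=25/120`, i.e. persistent collections, which the internals page in this same patch reports as "Not working yet."; mark that example "Supported on Coraza: TBI" like expirevar, otherwise readers will deploy a brute-force counter that cannot accumulate across requests.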
@@ -87,10 +87,10 @@
 

Normally, variables are inspected only once per rule, and only after all transformation functions have been completed. With multiMatch, variables are checked against the operator before and after every transformation function that changes the input.

noauditlog

Description: Indicates that a successful match of the rule should not be used as criteria to determine whether the transaction should be logged to the audit log.

Action Group: Non-disruptive

Example:

SecRule REQUEST_HEADERS:User-Agent "@streq Test" "allow,noauditlog,id:120"
 

If the SecAuditEngine is set to On, all of the transactions will be logged. If it is set to RelevantOnly, then you can control the logging with the noauditlog action.

The noauditlog action affects only the current rule. If you prevent audit logging in one rule only, a match in another rule will still cause audit logging to take place. If you want to prevent audit logging from taking place, regardless of whether any rule matches, use ctl:auditEngine=Off.

nolog

Description: Prevents rule matches from appearing in both the error and audit logs.

Action Group: Non-disruptive

Example:

SecRule REQUEST_HEADERS:User-Agent "@streq Test" "allow,nolog,id:121"
 

Although nolog implies noauditlog, you can override the former by using nolog,auditlog.

pass

Description: Continues processing with the next rule in spite of a successful match.

Action Group: Disruptive

Example:

SecRule REQUEST_HEADERS:User-Agent "@streq Test" "log,pass,id:122"
-

When using pass with a SecRule with multiple targets, all variables will be inspected and all non-disruptive actions trigger for every match. In the following example, the TX.test variable will be incremented once for every request parameter:

# Set TX.test to zero 
+

When using pass with a SecRule with multiple targets, all variables will be inspected and all non-disruptive actions trigger for every match. In the following example, the TX.test variable will be incremented once for every request parameter:

# Set TX.test to zero
 SecAction "phase:2,nolog,pass,setvar:TX.test=0,id:123"
 
-# Increment TX.test for every request parameter 
+# Increment TX.test for every request parameter
 SecRule ARGS "test" "phase:2,log,pass,setvar:TX.test=+1,id:124"
 

pause

Description: Pauses transaction processing for the specified number of milliseconds. This feature also supports macro expansion.

Action Group: Disruptive

Example:

SecRule REQUEST_HEADERS:User-Agent "Test" "log,pause:5000,id:125"
 

Warning : This feature can be of limited benefit for slowing down brute force authentication attacks, but use with care. If you are under a denial of service attack, the pause feature may make matters worse, as it will cause an entire Apache worker (process or thread, depending on the deployment mode) to sit idle until the pause is completed.

phase

Description: Places the rule or chain into one of five available processing phases. It can also be used in SecDefaultAction to establish the rule defaults.

Action Group: Meta-data

Example:

# Initialize IP address tracking in phase 1
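Review bot: whitespace-only. The pause warning still talks about "an entire Apache worker (process or thread, depending on the deployment mode)" sitting idle; in this codebase what stalls is whatever the embedding connector blocks on, so the denial-of-service caveat should be reworded in Coraza terms rather than dropped. The nolog/noauditlog text is worth keeping as is: the statement that nolog implies noauditlog but can be overridden with "nolog,auditlog" is exactly the detail operators need when a rule should stay out of the error log but still leave audit evidence.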
@@ -102,11 +102,11 @@
 

For this action to work, the implementation must handle the proxy connection after the interruption notification.

redirect

Description: Intercepts transaction by issuing an external (client-visible) redirection to the given location..

Action Group: Disruptive

Example:

SecRule REQUEST_HEADERS:User-Agent "@streq Test" "phase:1,id:130,log,redirect:http://www.example.com/failed.html"
 

If the status action is present on the same rule, and its value can be used for a redirection (i.e., is one of the following: 301, 302, 303, or 307), the value will be used for the redirection status code. Otherwise, status code 302 will be used.

rev

Description: Specifies rule revision. It is useful in combination with the id action to provide an indication that a rule has been changed.

Action Group: Meta-data

Example:

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
     "phase:2,rev:'2.1.3',capture,t:none,t:normalizePath,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
-

Note : This action is used in combination with the id action to allow the same rule ID to be used after changes take place but to still provide some indication the rule changed.

sanitiseArg

Description: Prevents sensitive request parameter data from being logged to audit log. Each byte of the named parameter(s) is replaced with an asterisk.

Supported on Coraza: TBI

Action Group: Non-disruptive

Example:

# Never log passwords 
+

Note : This action is used in combination with the id action to allow the same rule ID to be used after changes take place but to still provide some indication the rule changed.

sanitiseArg

Description: Prevents sensitive request parameter data from being logged to audit log. Each byte of the named parameter(s) is replaced with an asterisk.

Supported on Coraza: TBI

Action Group: Non-disruptive

Example:

# Never log passwords
 SecAction "nolog,phase:2,id:131,sanitiseArg:password,sanitiseArg:newPassword,sanitiseArg:oldPassword"
 

Note : The sanitize actions affect only the data as it is logged to audit log. High-level debug logs may contain sensitive data. Apache access log may contain sensitive data placed in the request URI.

sanitiseMatched

Description: Prevents the matched variable (request argument, request header, or response header) from being logged to audit log. Each byte of the named parameter(s) is replaced with an asterisk.

Supported on Coraza: TBI

Action Group: Non-disruptive

Example: This action can be used to sanitise arbitrary transaction elements when they match a condition. For example, the example below will sanitise any argument that contains the word password in the name.

SecRule ARGS_NAMES password nolog,pass,id:132,sanitiseMatched
-

Note : The sanitize actions affect only the data as it is logged to audit log. High-level debug logs may contain sensitive data. Apache access log may contain sensitive data placed in the request URI.

sanitiseMatchedBytes

Description: Prevents the matched string in a variable from being logged to audit log. Each or a range of bytes of the named parameter(s) is replaced with an asterisk.

Supported on Coraza: TBI

Action Group: Non-disruptive

Example: This action can be used to sanitise arbitrary transaction elements when they match a condition. For example, the example below will sanitise the credit card number.

# Detect credit card numbers in parameters and 
-# prevent them from being logged to audit log 
+

Note : The sanitize actions affect only the data as it is logged to audit log. High-level debug logs may contain sensitive data. Apache access log may contain sensitive data placed in the request URI.

sanitiseMatchedBytes

Description: Prevents the matched string in a variable from being logged to audit log. Each or a range of bytes of the named parameter(s) is replaced with an asterisk.

Supported on Coraza: TBI

Action Group: Non-disruptive

Example: This action can be used to sanitise arbitrary transaction elements when they match a condition. For example, the example below will sanitise the credit card number.

# Detect credit card numbers in parameters and
+# prevent them from being logged to audit log
 SecRule ARGS "@verifyCC \d{13,16}" "phase:2,id:133,nolog,capture,pass,msg:'Potential credit card number in request',sanitiseMatchedBytes"
 SecRule RESPONSE_BODY "@verifyCC \d{13,16}" "phase:4,id:134,t:none,log,capture,block,msg:'Potential credit card number is response body',sanitiseMatchedBytes:0/4"
 

Note : The sanitize actions affect only the data as it is logged to audit log. High-level debug logs may contain sensitive data. Apache access log may contain sensitive data placed in the request URI. You must use capture action with sanitiseMatchedBytes, so the operator must support capture action. ie: @rx, @verifyCC.

sanitiseRequestHeader

Description: Prevents a named request header from being logged to audit log. Each byte of the named request header is replaced with an asterisk.

Supported on Coraza: TBI

Action Group: Non-disruptive

Example: This will sanitise the data in the Authorization header.

SecAction "phase:1,nolog,pass,id:135,sanitiseRequestHeader:Authorization"
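Review bot: whitespace-only, but the sanitise section has a security implication the text should state. sanitiseArg, sanitiseMatched, sanitiseMatchedBytes and sanitiseRequestHeader are all marked "Supported on Coraza: TBI", yet the examples ("# Never log passwords", `sanitiseRequestHeader:Authorization`, the @verifyCC rules) read as if they work. Until they are implemented, a deployment that relies on them will write passwords, Authorization headers and card numbers into the audit log in clear; the note "The sanitize actions affect only the data as it is logged to audit log" should say plainly that these actions do not yet mask anything, and point at the documented alternatives for keeping such transactions out of the audit log (noauditlog on the rule, or ctl:auditEngine=Off, described further up the page).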
@@ -114,7 +114,7 @@
 

Note : The sanitize actions affect only the data as it is logged to audit log. High-level debug logs may contain sensitive data. Apache access log may contain sensitive data placed in the request URI.

severity

Description: Assigns severity to the rule in which it is used.

Action Group: Meta-data

Example:

SecRule REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:CRITICAL,msg:'Restricted HTTP function'"
 

Severity values in Coraza follows the numeric scale of syslog (where 0 is the most severe). The data below is used by the OWASP Core Rule Set (CRS):

It is possible to specify severity levels using either the numerical values or the text values, but you should always specify severity levels using the text values, because it is difficult to remember what a number stands for. The use of the numerical values is deprecated as of version 2.5.0 and may be removed in one of the subsequent major updates.

setuid

Description: Special-purpose action that initializes the USER collection using the username provided as parameter.

Action Group: Non-disruptive

Supported on Coraza: TBI

Example:

SecRule ARGS:username ".*" "phase:2,id:137,t:none,pass,nolog,noauditlog,capture,setvar:session.username=%{TX.0},setuid:%{TX.0}"
 

After initialization takes place, the variable USERID will be available for use in the subsequent rules. This action understands application namespaces (configured using SecWebAppId), and will use one if it is configured.

setrsc

Description: Special-purpose action that initializes the RESOURCE collection using a key provided as parameter.

Action Group: Non-disruptive

Supported on Coraza: TBI

Example:

SecAction "phase:1,pass,id:3,log,setrsc:'abcd1234'"
-

This action understands application namespaces (configured using SecWebAppId), and will use one if it is configured.

setsid

Description: Special-purpose action that initializes the SESSION collection using the session token provided as parameter.

Action Group: Non-disruptive

Supported on Coraza: TBI

Example:

# Initialise session variables using the session cookie value 
+

This action understands application namespaces (configured using SecWebAppId), and will use one if it is configured.

setsid

Description: Special-purpose action that initializes the SESSION collection using the session token provided as parameter.

Action Group: Non-disruptive

Supported on Coraza: TBI

Example:

# Initialise session variables using the session cookie value
 SecRule REQUEST_COOKIES:PHPSESSID !^$ "nolog,pass,id:138,setsid:%{REQUEST_COOKIES.PHPSESSID}"
 

Note: After the initialization takes place, the variable SESSION will be available for use in the subsequent rules. This action understands application namespaces (configured using SecWebAppId), and will use one if it is configured.

Setsid takes an individual variable, not a collection. Variables within an action, such as setsid, use the format [collection].[variable] .

setenv

Description: Creates, removes, and updates environment variables that can be accessed by the implementation.

Action Group: Non-disruptive

Examples:

SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "phase:3,t:none,pass,id:139,nolog,setvar:tx.sessionid=%{matched_var}"
 SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "phase:3,id:140,t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag.'"
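Review bot: "Supported on Coraza: TBI" under setrsc and setsid leaves the abbreviation unexplained; spell it out ("not yet implemented") and say what happens today when a rule uses one of these actions (rule rejected at parse time, or action accepted and ignored), because that decides whether a ModSecurity rule set carrying `setsid:%{REQUEST_COOKIES.PHPSESSID}` loads at all. Minor: the notes call USERID and SESSION "the variable" while the descriptions right above them say the actions initialize the RESOURCE and SESSION collections; use "collection" consistently.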
@@ -124,21 +124,21 @@
 block,msg:'Blind SQL Injection Attack',id:'959517',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1', \
 tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, \
 setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
-

Note : When used in a chain this action will be executed when an individual rule matches and not the entire chain.This means that

SecRule REQUEST_FILENAME "@contains /test.php" "chain,id:7,phase:1,t:none,nolog,setvar:tx.auth_attempt=+1" 
+

Note : When used in a chain this action will be executed when an individual rule matches and not the entire chain.This means that

SecRule REQUEST_FILENAME "@contains /test.php" "chain,id:7,phase:1,t:none,nolog,setvar:tx.auth_attempt=+1"
     SecRule ARGS_POST:action "@streq login" "t:none"
 

will increment every time that test.php is visited (regardless of the parameters submitted). If the desired goal is to set the variable only if the entire rule matches, it should be included in the last rule of the chain. For instance:

SecRule REQUEST_FILENAME "@streq test.php" "chain,id:7,phase:1,t:none,nolog"
     SecRule ARGS_POST:action "@streq login" "t:none,setvar:tx.auth_attempt=+1"
 
-

skip

Description: Skips one or more rules (or chains) on successful match.

Action Group: Flow

Example:

# Require Accept header, but not from access from the localhost 
-SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,skip:1,id:141" 
+

skip

Description: Skips one or more rules (or chains) on successful match.

Action Group: Flow

Example:

# Require Accept header, but not from access from the localhost
+SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,skip:1,id:141"
 
-# This rule will be skipped over when REMOTE_ADDR is 127.0.0.1 
+# This rule will be skipped over when REMOTE_ADDR is 127.0.0.1
 SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,id:142,deny,msg:'Request Missing an Accept Header'"
-

The skip action works only within the current processing phase and not necessarily in the order in which the rules appear in the configuration file. If you place a phase 2 rule after a phase 1 rule that uses skip, it will not skip over the phase 2 rule. It will skip over the next phase 1 rule that follows it in the phase.

skipAfter

Description: Skips one or more rules (or chains) on a successful match, resuming rule execution with the first rule that follows the rule (or marker created by SecMarker) with the provided ID.

Action Group: Flow

Example: The following rules implement the same logic as the skip example, but using skipAfter:

# Require Accept header, but not from access from the localhost 
-SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,id:143,skipAfter:IGNORE_LOCALHOST" 
+

The skip action works only within the current processing phase and not necessarily in the order in which the rules appear in the configuration file. If you place a phase 2 rule after a phase 1 rule that uses skip, it will not skip over the phase 2 rule. It will skip over the next phase 1 rule that follows it in the phase.

skipAfter

Description: Skips one or more rules (or chains) on a successful match, resuming rule execution with the first rule that follows the rule (or marker created by SecMarker) with the provided ID.

Action Group: Flow

Example: The following rules implement the same logic as the skip example, but using skipAfter:

# Require Accept header, but not from access from the localhost
+SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,id:143,skipAfter:IGNORE_LOCALHOST"
 
-# This rule will be skipped over when REMOTE_ADDR is 127.0.0.1 
-SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,deny,id:144,msg:'Request Missing an Accept Header'" 
+# This rule will be skipped over when REMOTE_ADDR is 127.0.0.1
+SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,deny,id:144,msg:'Request Missing an Accept Header'"
 SecMarker IGNORE_LOCALHOST
 

Example from the OWASP CRS:

SecMarker BEGIN_HOST_CHECK
 
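Review bot: the second setvar chain example (`SecRule REQUEST_FILENAME "@streq test.php" "chain,id:7,...`) will never fire, because REQUEST_FILENAME carries the path with its leading slash (`/test.php`, which is why the first example tests it with `@contains /test.php`); use the same operator and value in both so the "entire chain" variant is a working drop-in for the first. Both examples also reuse id:7, so they cannot coexist in one configuration. Wording: "matches and not the entire chain.This means" needs a space; the skip and skipAfter comment "Require Accept header, but not from access from the localhost" should read "except for requests from localhost".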
@@ -159,8 +159,8 @@
 

Any transformation functions that you specify in a SecRule will be added to the previous ones specified in SecDefaultAction. It is recommended that you always use t:none in your rules, which prevents them depending on the default configuration.

tag

Description: Assigns a tag (category) to a rule or a chain.

Action Group: Meta-data

Example:

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
  "phase:2,rev:'2.1.3',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \
 {TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
-

The tag information appears along with other rule metadata. The purpose of the tagging mechanism to allow easy automated categorization of events. Multiple tags can be specified on the same rule. Use forward slashes to create a hierarchy of categories (as in the example). Tag support Macro Expansions

ver

Description: Specifies the rule set version.

Action Group: Meta-data

Example:

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
+

The tag information appears along with other rule metadata. The purpose of the tagging mechanism to allow easy automated categorization of events. Multiple tags can be specified on the same rule. Use forward slashes to create a hierarchy of categories (as in the example). (*) Tag does not support Macro Expansions right now (see https://github.com/corazawaf/coraza/issues/1118)

ver

Description: Specifies the rule set version.

Action Group: Meta-data

Example:

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
  "phase:2,ver:'CRS/2.2.4,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \
 {TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
 
  • Powered by a lot of love ❤️ (and code) - By Juan Pablo Tosso and Coraza Contributors
    \ No newline at end of file +Edit this page on
    • Powered by a lot of love ❤️ (and code) - By Juan Pablo Tosso and Coraza Contributors
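Review bot: the ver example (`"phase:2,ver:'CRS/2.2.4,capture,...`) opens a single quote after `ver:` and never closes it, so every action up to the next quote is swallowed into the version string; it should be `ver:'CRS/2.2.4',capture`. In both the tag and the ver example the logdata macro is split across a line continuation (`logdata:'% \` followed by `{TX.0}'`), which breaks `%{TX.0}`; keep `logdata:'%{TX.0}'` on one line. The new footnote "(*) Tag does not support Macro Expansions right now" has no matching "(*)" marker in the text it annotates; either add one after "Multiple tags can be specified on the same rule" or drop the asterisk.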
      \ No newline at end of file diff --git a/docs/seclang/directives/index.html b/docs/seclang/directives/index.html index 7c09e63..5b8188b 100644 --- a/docs/seclang/directives/index.html +++ b/docs/seclang/directives/index.html @@ -116,4 +116,4 @@ be easier to disable an entire group of rules with SecRuleRemoveByTag. Matching is by case-sensitive string equality.

      Example:

      SecRuleRemoveByTag attack-dos
       

      Note: OWASP CRS has a list of supported tags https://coreruleset.org/docs/rules/metadata/

      • Powered by a lot of love ❤️ (and code) - By Juan Pablo Tosso and Coraza Contributors
        \ No newline at end of file +Edit this page on
        • Powered by a lot of love ❤️ (and code) - By Juan Pablo Tosso and Coraza Contributors
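Review bot: the SecRuleRemoveByTag example gives no placement guidance; state whether the directive only removes rules that were loaded before it (in which case `SecRuleRemoveByTag attack-dos` must come after the Include of the rule set) so readers do not place it at the top of their configuration and see no effect. The "case-sensitive string equality" sentence is the kind of detail that belongs next to the example rather than in the preceding paragraph.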
          \ No newline at end of file diff --git a/docs/seclang/execution-flow/index.html b/docs/seclang/execution-flow/index.html index 52ca14f..7895426 100644 --- a/docs/seclang/execution-flow/index.html +++ b/docs/seclang/execution-flow/index.html @@ -34,4 +34,4 @@ # This rule will be evaluated SecAction "id:3"
          ← Actions
          Introduction →
          Top
          \ No newline at end of file +Edit this page on
          ← Actions
          Introduction →
          Top
          \ No newline at end of file diff --git a/docs/seclang/index.html b/docs/seclang/index.html index b8e1a7e..1f6c29f 100644 --- a/docs/seclang/index.html +++ b/docs/seclang/index.html @@ -2,4 +2,4 @@
          Top
          \ No newline at end of file +
          Top
          \ No newline at end of file diff --git a/docs/seclang/operators/index.html b/docs/seclang/operators/index.html index 4bd5dd6..d5d36ea 100644 --- a/docs/seclang/operators/index.html +++ b/docs/seclang/operators/index.html @@ -172,4 +172,4 @@ setvar:'tx.header_name=/%{tx.0}/'" SecRule TX:header_name "@within /proxy/ /lock-token/ /content-range/ /translate/ /if/" "t:none"
          ← Introduction
          Transformations →
          Top
          \ No newline at end of file +Edit this page on
          ← Introduction
          Transformations →
          Top
          \ No newline at end of file diff --git a/docs/seclang/syntax/index.html b/docs/seclang/syntax/index.html index a5355b8..c22a8de 100644 --- a/docs/seclang/syntax/index.html +++ b/docs/seclang/syntax/index.html @@ -46,4 +46,4 @@ # we print the args count to the log SecAction "id:3, log, logdata:'%{tx.argcount} arguments found.'"
          ← Directives
          Actions →
          Top
          \ No newline at end of file +Edit this page on
          ← Directives
          Actions →
          Top
          \ No newline at end of file diff --git a/docs/seclang/transformations/index.html b/docs/seclang/transformations/index.html index 0de18b8..358b847 100644 --- a/docs/seclang/transformations/index.html +++ b/docs/seclang/transformations/index.html @@ -15,4 +15,4 @@ sqlHexDecode Decode sql hex data. Example (0x414243) will be decoded to (ABC).

          base64DecodeExt

          Decodes a Base64-encoded string. Unlike base64Decode, this version uses a forgiving implementation, which ignores invalid characters.

          See blog post on Base64Decoding evasion issues on PHP sites - http://blog.spiderlabs.com/2010/04/impedance-mismatch-and-base64.html

          base64Encode

          Encodes input string using Base64 encoding.

          cmdLine

          In Windows and Unix, commands may be escaped by different means, such as:

          The cmdLine transformation function avoids this problem by manipulating the variable contend in the following ways:

          Example Usage:

          SecRule ARGS "(?:command(?:.com)?|cmd(?:.exe)?)(?:/.*)?/[ck]" "phase:2,id:94,t:none, t:cmdLine"
           

          compressWhitespace

          Converts any of the whitespace characters (0x20, \f, \t, \n, \r, \v, 0xa0) to spaces (ASCII 0x20), compressing multiple consecutive space characters into one.

          cssDecode

          Decodes characters encoded using the CSS 2.x escape rules syndata.html#characters. This function uses only up to two bytes in the decoding process, meaning that it is useful to uncover ASCII characters encoded using CSS encoding (that wouldn’t normally be encoded), or to counter evasion, which is a combination of a backslash and non-hexadecimal characters (e.g., ja\vascript is equivalent to javascript).

          escapeSeqDecode

          Decodes ANSI C escape sequences: \a, \b, \f, \n, \r, \t, \v, \, ?, ', ", \xHH (hexadecimal), \0OOO (octal). Invalid encodings are left in the output.

          hexDecode

          Decodes a string that has been encoded using the same algorithm as the one used in hexEncode (see following entry).

          hexEncode

          Encodes string (possibly containing binary characters) by replacing each input byte with two hexadecimal characters. For example, xyz is encoded as 78797a.

          htmlEntityDecode

          Decodes the characters encoded as HTML entities. The following variants are supported:

          This function always converts one HTML entity into one byte, possibly resulting in a loss of information (if the entity refers to a character that cannot be represented with the single byte). It is thus useful to uncover bytes that would otherwise not need to be encoded, but it cannot do anything meaningful with the characters from the range above 0xff.

          jsDecode

          Decodes JavaScript escape sequences. If a \uHHHH code is in the range of FF01-FF5E (the full width ASCII codes), then the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte will be used and the higher byte zeroed (leading to possible loss of information).

          length

          Looks up the length of the input string in bytes, placing it (as string) in output. For example, if it gets ABCDE on input, this transformation function will return 5 on output.

          lowercase

          Converts all characters to lowercase using the current C locale.

          md5

          Calculates an MD5 hash from the data in input. The computed hash is in a raw binary form and may need encoded into text to be printed (or logged). Hash functions are commonly used in combination with hexEncode (for example: t:md5,t:hexEncode).

          none

          Not an actual transformation function, but an instruction to Coraza to remove all transformation functions associated with the current rule.

          normalizePath

          Removes multiple slashes, directory self-references, and directory back-references (except when at the beginning of the input) from input string.

          normalizePathWin

          Same as normalizePath, but first converts backslash characters to forward slashes.

          parityEven7bit

          Calculates even parity of 7-bit data replacing the 8th bit of each target byte with the calculated parity bit.

          parityOdd7bit

          Calculates odd parity of 7-bit data replacing the 8th bit of each target byte with the calculated parity bit.

          parityZero7bit

          Calculates zero parity of 7-bit data replacing the 8th bit of each target byte with a zero-parity bit, which allows inspection of even/odd parity 7-bit data as ASCII7 data.

          removeNulls

          Removes all NUL bytes from input.

          removeWhitespace

          Removes all whitespace characters from input.

          replaceComments

          Replaces each occurrence of a C-style comment (//) with a single space (multiple consecutive occurrences of which will not be compressed). Unterminated comments will also be replaced with a space (ASCII 0x20). However, a standalone termination of a comment (*/) will not be acted upon.

          removeCommentsChar

          Removes common comments chars (/,/, –, #).

          removeComments

          Removes each occurrence of comment (//, –, #). Multiple consecutive occurrences of which will not be compressed.

          Note : This transformation is known to be unreliable, might cause some unexpected behaviour and could be deprecated soon in a future release. Refer to issue #1207 for further information..

          replaceNulls

          Replaces NUL bytes in input with space characters (ASCII 0x20).

          urlDecode

          Decodes a URL-encoded input string. Invalid encodings (i.e., the ones that use non-hexadecimal characters, or the ones that are at the end of string and have one or two bytes missing) are not converted, but no error is raised. To detect invalid encodings, use the @validateUrlEncoding operator on the input data first. The transformation function should not be used against variables that have already been URL-decoded (such as request parameters) unless it is your intention to perform URL decoding twice!

          uppercase

          Converts all characters to uppercase using the current C locale.

          urlDecodeUni

          Like urlDecode, but with support for the Microsoft-specific %u encoding. If the code is in the range of FF01-FF5E (the full-width ASCII codes), then the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte will be used and the higher byte zeroed.

          urlEncode

          Encodes input string using URL encoding.

          utf8toUnicode

          Converts all UTF-8 characters sequences to Unicode. This help input normalization specially for non-english languages minimizing false-positives and false-negatives.

          sha1

          Calculates a SHA1 hash from the input string. The computed hash is in a raw binary form and may need encoded into text to be printed (or logged). Hash functions are commonly used in combination with hexEncode (for example, t:sha1,t:hexEncode).

          trimLeft

          Removes whitespace from the left side of the input string.

          trimRight

          Removes whitespace from the right side of the input string.

          trim

          Removes whitespace from both the left and right sides of the input string.

          ← Operators
          Variables →
          Top
          \ No newline at end of file +Edit this page on
          ← Operators
          Variables →
          Top
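Review bot: the comment-handling entries render with their markdown asterisks eaten: replaceComments says "C-style comment (//)", removeCommentsChar says "(/,/, –, #)" and removeComments says "(//, –, #)", where the literals were evidently `/* ... */`, `--` and `#`; wrap them in backticks and escape or disable smart punctuation, which has also turned `--` into an en dash. The same escaping problem hits escapeSeqDecode, whose list shows "\, ?, ', "" instead of `\\`, `\?`, `\'`, `\"`. Three lists are empty in the rendered page: the cmdLine "such as:" and "in the following ways:" lists and the htmlEntityDecode "The following variants are supported:" list, which leaves cmdLine, the transformation a rule author most needs to understand to write command-injection signatures, effectively undocumented. Wording: "variable contend" -> "variable content"; "may need encoded into text" -> "may need to be encoded as text" (md5 and sha1); "This help input normalization specially for non-english languages" -> "This helps input normalization, especially for non-English languages"; the cssDecode link text "syndata.html#characters" is a bare URL fragment.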
          \ No newline at end of file diff --git a/docs/seclang/variables/index.html b/docs/seclang/variables/index.html index 747a06c..529de1e 100644 --- a/docs/seclang/variables/index.html +++ b/docs/seclang/variables/index.html @@ -147,4 +147,4 @@ </employee> </employees>
          ← Transformations
          Quick Start →
          Top
          \ No newline at end of file +Edit this page on
          ← Transformations
          Quick Start →
          Top
          \ No newline at end of file diff --git a/docs/tutorials/coreruleset/index.html b/docs/tutorials/coreruleset/index.html index 0ad0471..b735329 100644 --- a/docs/tutorials/coreruleset/index.html +++ b/docs/tutorials/coreruleset/index.html @@ -19,4 +19,4 @@ } }

          Configuration

          Please check https://coreruleset.org/installation/ for configuration examples.

          ← Quick Start
          Internals →
          Top
          \ No newline at end of file +Edit this page on
          ← Quick Start
          Internals →
          Top
          \ No newline at end of file diff --git a/docs/tutorials/index.html b/docs/tutorials/index.html index 6da2633..2b38b66 100644 --- a/docs/tutorials/index.html +++ b/docs/tutorials/index.html @@ -2,4 +2,4 @@
          Top
          \ No newline at end of file +
          Top
          \ No newline at end of file diff --git a/docs/tutorials/introduction/index.html b/docs/tutorials/introduction/index.html index 14e0187..3cecbf1 100644 --- a/docs/tutorials/introduction/index.html +++ b/docs/tutorials/introduction/index.html @@ -48,4 +48,4 @@ only the phase the rule is defined for.

          Tools

          Development

          Coraza only requires Go for development. You can run mage.go to issue development commands.

          See the list of commands

          go run mage.go -l
           

          For example, to format your code before submission, run

          go run mage.go format
           

          Contribute

          Contributions are welcome! Please refer to CONTRIBUTING.md for guidance.

          Thanks

          Companies/Products using Coraza

          Coraza on X/Twitter

          Donations

          For donations, see Donations site

          Thanks to all the people who have contributed

          We could not have done this without you!

          Made with contrib.rocks.

          ← Execution flow
          Operators →
          Top
          \ No newline at end of file +Edit this page on
          ← Execution flow
          Operators →
          Top
          \ No newline at end of file diff --git a/docs/tutorials/quick-start/index.html b/docs/tutorials/quick-start/index.html index 64cbd08..d50a110 100644 --- a/docs/tutorials/quick-start/index.html +++ b/docs/tutorials/quick-start/index.html @@ -78,4 +78,4 @@ log.Fatal(http.ListenAndServe(":8090", nil)) }
          ← Variables
          OWASP Core Ruleset →
          Top
          \ No newline at end of file +Edit this page on
          ← Variables
          OWASP Core Ruleset →
          Top
          \ No newline at end of file diff --git a/docs/tutorials/upgrade/index.html b/docs/tutorials/upgrade/index.html index 2ef00a4..089c943 100644 --- a/docs/tutorials/upgrade/index.html +++ b/docs/tutorials/upgrade/index.html @@ -17,4 +17,4 @@ tx.Close() }()

          4. Process phases

          The transaction processing methods in v3 remain mostly the same, with minor changes in naming:

          5. Plugins

          The plugin interfaces have moved into the experimental package. See the plugin documentation.

          ← Using Plugins
          Benchmarks →
          Top
          \ No newline at end of file +Edit this page on
          ← Using Plugins
          Benchmarks →
          Top
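Review bot: under "4. Process phases" the sentence "with minor changes in naming:" ends in a colon, but the list of old and new method names that should follow it is absent from the rendered page, so the one thing a v2 user needs from this step is missing; restore the rename table (or a short old -> new list) before this ships.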
          \ No newline at end of file diff --git a/docs/tutorials/using-plugins/index.html b/docs/tutorials/using-plugins/index.html index 8bdb7d0..9dae8c3 100644 --- a/docs/tutorials/using-plugins/index.html +++ b/docs/tutorials/using-plugins/index.html @@ -9,4 +9,4 @@ _ "github.com/someorg/my-awesome-plugin )
          ← Internals
          Upgrade to v3 🆕 →
          Top
          \ No newline at end of file +Edit this page on
          ← Internals
          Upgrade to v3 🆕 →
          Top
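Review bot: the context line of this hunk shows the blank import as `_ "github.com/someorg/my-awesome-plugin )` with no closing double quote before the `)`, which is a Go syntax error in the one snippet on the page; it should read `_ "github.com/someorg/my-awesome-plugin"` on its own line inside the import block.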
          \ No newline at end of file diff --git a/index.html b/index.html index 45b17c4..e9d9677 100644 --- a/index.html +++ b/index.html @@ -2,4 +2,4 @@

          OWASP Coraza WAF

          Coraza is an open source, high performance, Web Application Firewall ready to protect your beloved applications.

          Get started

          Open-source Apache 2 Licensed. GitHub v3.2.1

          Security

          Security is what Coraza is for, enforce policies using OWASP CRS or create your own policies to stop attackers and generate important audit information.

          Fast by default ⚡️

          From huge websites to small blogs, Coraza can handle that load with minimal performance impacts, just check our Benchmarks.

          Extensible

          Audit Loggers, persistence engines, operators, actions, create your own functionalities to extend Coraza as much as you want.

          Integrations

          Coraza WAF is just a library but we support many integrations to deploy a WAF as an application server, reverse proxy, container, and more.

          Roadmap

          Expect interesting features and improvements within our community-driven roadmap, for small developers and big companies.

          Enterprise ready

          Continuous development, high performance and great documentation are the recipe for a perfect enterprise open source project.

          Top
          \ No newline at end of file +

          OWASP Coraza WAF

          Coraza is an open source, high performance, Web Application Firewall ready to protect your beloved applications.

          Get started

          Open-source Apache 2 Licensed. GitHub v3.2.1

          Security

          Security is what Coraza is for, enforce policies using OWASP CRS or create your own policies to stop attackers and generate important audit information.

          Fast by default ⚡️

          From huge websites to small blogs, Coraza can handle that load with minimal performance impacts, just check our Benchmarks.

          Extensible

          Audit Loggers, persistence engines, operators, actions, create your own functionalities to extend Coraza as much as you want.

          Integrations

          Coraza WAF is just a library but we support many integrations to deploy a WAF as an application server, reverse proxy, container, and more.

          Roadmap

          Expect interesting features and improvements within our community-driven roadmap, for small developers and big companies.

          Enterprise ready

          Continuous development, high performance and great documentation are the recipe for a perfect enterprise open source project.

          Top
          \ No newline at end of file diff --git a/index.min.c7aefc107af2934cb6eabd3024c48b5ffba477bab22bc9799653b746185358f9b1a6b77ef355c180888378f5d6d782a1ac6fb69484d36bdb051ece9fd1f19451.js b/index.min.b8ad793efbd4cf6b29c2593a779efca0bf7da6e78c8fe52c37b602180c4508ee492b1d27dca8306e4e1a6315fa3ed394bfe7148a79df6410375cca72e0207cbf.js similarity index 99% rename from index.min.c7aefc107af2934cb6eabd3024c48b5ffba477bab22bc9799653b746185358f9b1a6b77ef355c180888378f5d6d782a1ac6fb69484d36bdb051ece9fd1f19451.js rename to index.min.b8ad793efbd4cf6b29c2593a779efca0bf7da6e78c8fe52c37b602180c4508ee492b1d27dca8306e4e1a6315fa3ed394bfe7148a79df6410375cca72e0207cbf.js index 1721b94..3654e02 100644 --- a/index.min.c7aefc107af2934cb6eabd3024c48b5ffba477bab22bc9799653b746185358f9b1a6b77ef355c180888378f5d6d782a1ac6fb69484d36bdb051ece9fd1f19451.js +++ b/index.min.b8ad793efbd4cf6b29c2593a779efca0bf7da6e78c8fe52c37b602180c4508ee492b1d27dca8306e4e1a6315fa3ed394bfe7148a79df6410375cca72e0207cbf.js 
@@ -343,7 +343,7 @@ SecRule ARGS "(asfunction|javascript|vbscript|data|mocha|livescript):" tag # Description: Assigns a tag (category) to a rule or a chain. Action Group: Meta-data Example: -SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\\bgetparentfolder\\b" \\ "phase:2,rev:'2.1.3',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \\ {TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" The tag information appears along with other rule metadata. The purpose of the tagging mechanism to allow easy automated categorization of events. Multiple tags can be specified on the same rule. Use forward slashes to create a hierarchy of categories (as in the example). Tag support Macro Expansions +SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\\bgetparentfolder\\b" \\ "phase:2,rev:'2.1.3',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \\ {TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" The tag information appears along with other rule metadata. The purpose of the tagging mechanism to allow easy automated categorization of events. Multiple tags can be specified on the same rule. Use forward slashes to create a hierarchy of categories (as in the example). 
(*) Tag does not support Macro Expansions right now (see https://github.com/corazawaf/coraza/issues/1118) ver # Description: Specifies the rule set version. Action Group: Meta-data Example: diff --git a/plugins/geoip/index.html b/plugins/geoip/index.html index a5c3386..f4b6b18 100644 --- a/plugins/geoip/index.html +++ b/plugins/geoip/index.html @@ -2,4 +2,4 @@

          GeoIP

          Top
          \ No newline at end of file +

          GeoIP

          Top
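Review bot: the GeoIP plugin page consists of the heading "GeoIP" and nothing else; either add the body (what the plugin provides, how the MaxMind database is loaded, which seclang variables or operators it exposes) or unpublish the page until it has content, since an empty page under /plugins/ reads as broken.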
          \ No newline at end of file diff --git a/plugins/index.html b/plugins/index.html index 5436b1a..eb79d1a 100644 --- a/plugins/index.html +++ b/plugins/index.html @@ -5,4 +5,4 @@

          Add plugin on GitHub

          Top
          \ No newline at end of file +Compatibility: v2.x

          Adds geoip Maxmind GeoIP2 database support to Coraza

          Add plugin on GitHub

          Top
          \ No newline at end of file
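Review bot: the plugin listing says "Compatibility: v2.x" for the GeoIP plugin, while the home page in this same change advertises "GitHub v3.2.1" and the tutorials carry an "Upgrade to v3" page; state whether the plugin works with v3 and, if not, mark it v2-only so readers on the current release do not try to load it.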