[Owasp-modsecurity-core-rule-set] False Negatives (was: OWASP ModSecurity Core Rule Set Community Summit: July 4, 2018, in London)

Christian Folini christian.folini at netnea.com
Wed Mar 21 19:20:10 UTC 2018

Hey Hiranmayi,

On Wed, Mar 21, 2018 at 02:25:32PM +0000, Hiranmayi Palanki wrote:
> What is the recommended Paranoia Level for an enterprise Internet facing
> application, that does not break the application functionality?

I'd say you should put it at least on level 2. This will bring some false
positives and you deal with those as described in the documentation.

> Let’s say if I have the default configuration enabled, and the encoded XSS
> attacks are getting through, what is the best way to block the encoded XSS
> attacks without enabling the higher Paranoia Levels?

If you do not want to use CRS rules, you need to write your own XSS rules
that do a better job than CRS. There are very good XSS documents around,
many of them several pages long with lots of example payloads. You need to
cover all these without breaking your application.

Most people find it easier to use CRS and deal with the false positives.



I have always observed that to succeed in the world one should appear
like a fool but be wise.
-- Charles de Montesquieu

More information about the Owasp-modsecurity-core-rule-set mailing list