How do I find the definitions of WAF rules

Our Cloudflare Firewall reported the following event.

How do I find precise definitions of each the referenced “score_rules” so that I can understand why a request is triggering these rules?

{
  "action": "drop",
  "clientRequestHTTPMethodName": "POST",
  "clientRequestHTTPProtocol": "HTTP/2",
0a58a9feac2a/submit-form",
  "clientRequestQuery": "",
  "datetime": "2021-01-14T05:17:48Z",
  "ruleId": "981176",
  "source": "waf",
  "matchIndex": 0,
  "metadata": [
    {
      "key": "group",
      "value": "owasp_inbound_blocking"
    },
    {
      "key": "rule_message",
      "value": "Inbound Anomaly Score Exceeded (Total Score: 41, SQLi=6, XSS=10)"
    },
    {
      "key": "score_total",
      "value": "41"
    },
    {
      "key": "score_rules",
      "value": "[\"960024\",\"981257\",\"981245\",\"981242\",\"981246\",\"981243\",\"uri-981173\",\"973335\",\"973334\"]"
    },
    {
      "key": "anomaly_score",
      "value": "41"
    },
    {
      "key": "sqli_score",
      "value": "6"
    },
    {
      "key": "xss_score",
      "value": "10"
    }
  ],
  "sampleInterval": 1
}

I guess you need to head over to Cloudflare Dashboard - Firewall tab - Managed Rules tab - Scroll down and click Advanced under Package: OWASP ModSecurity Core Rule Set

Search for the rule ID and you will get the result:

Thanks but that is not the precise definition of the rule - it is a high level description of the rule. I would like to understand the actual condition it is testing for.

I have worked out that if I edit the JSON request body to remove some string-ified JSON documents (e.g. JSON strings which happen to be parseable as JSON documents) then the overall blocking rule does not trigger, but the string-ified JSON documents are just how the application we are using works and the WAF doesn’t always block JSON bodies that contain such things, but it has in this particular case. I need to understand why this is happening so that I can prevent the WAF randomly destroying the reliability of the request path.

I have now determined a construct in our data which is causing the problem.

We have a JSON document that contains something like:

{
  "variables": {
    "quote": {
      "value": "{\"items\":[{\"qty\":22,\"unit_price\":17500,\"gst\":38500,\"category\":\"hardware\",\"sub_category\":\"solarpanel\",\"description\":\"QCELLS Q.MAXX-G2 350 W (CEC PV 60150060)\",\"meta\":{\"warranty_period\":15},\"sku\":\"QCELLS-QMAXX-G2-350W\"}]}"
    }
  }
}

Or when .variables.quote.value is parsed as JSON, it looks like this:

{
  "items": [
    {
      "qty": 22,
      "unit_price": 17500,
      "gst": 38500,
      "category": "hardware",
      "sub_category": "solarpanel",
      "description": "QCELLS Q.MAXX-G2 350 W (CEC PV 60150060)",
      "meta": {
        "warranty_period": 15
      },
      "sku": "QCELLS-QMAXX-G2-350W"
    }
  ]
}

If I edit the elements of the items array in the value to remove the () characters from the “description” property, then the WAF rule does not fire.

Why does this JSON body cause the WAF rules to fire?

The OWASP CRS rules are open-source, so you can take a look at the ModSecurity definition.

Thanks for the link. I had looked at that repo, but I didn’t understand that there was a renumbering concept.

Now that I understand that, I understand that 960024 as reported by Cloudflare is actually defined by 942460 in the OWASP CRS ruleset.
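An added example, not from this thread or from Cloudflare or the CRS project, of the kind of check that explains an event like the one above: it flattens the request body the way a JSON body processor exposes ARGS, so the string-ified quote.value is scanned as one opaque string, and runs an approximation of CRS 942460 (legacy id 960024) against each argument with a constructed anomaly threshold. The regex, its score and the threshold are assumptions written from memory; to reproduce the full score of 41 you would map all nine reported IDs and load the exact patterns from the CRS repository.

```python
import json
import re

# Assumed approximation of CRS 942460 ("Repetitive Non-Word Characters"):
# four or more runs, each starting with a meta-character. Verify against the
# rule file in the CRS repository before relying on it.
META = r"""~!@#$%^&*()\-+={}\[\]|:;"'´’‘`<>"""
RULES = {
    "942460": (re.compile(rf"(?:[{META}][^{META}]*?){{4}}"), 3),  # WARNING => +3
}
INBOUND_THRESHOLD = 5  # assumed CRS-style inbound anomaly threshold

# The body from the thread, with the quote stored as a string-ified JSON document.
BODY = json.dumps({"variables": {"quote": {"value": json.dumps({"items": [{
    "qty": 22, "unit_price": 17500, "gst": 38500, "category": "hardware",
    "sub_category": "solarpanel",
    "description": "QCELLS Q.MAXX-G2 350 W (CEC PV 60150060)",
    "meta": {"warranty_period": 15}, "sku": "QCELLS-QMAXX-G2-350W"}]})}}})


def flatten(obj, prefix="", parse_embedded=False):
    """Yield (arg_name, value) pairs as a JSON body processor exposes ARGS.
    String values are not re-parsed unless parse_embedded=True, so an
    embedded JSON document is scanned as one opaque string."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{prefix}.{key}" if prefix else key, parse_embedded)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from flatten(val, f"{prefix}[{idx}]", parse_embedded)
    else:
        if parse_embedded and isinstance(obj, str):
            try:
                inner = json.loads(obj)
            except ValueError:
                inner = None
            if isinstance(inner, (dict, list)):
                yield from flatten(inner, prefix + ":json", True)
                return
        yield prefix, obj if isinstance(obj, str) else json.dumps(obj)


def explain(body, parse_embedded=False):
    """Return (total_anomaly_score, [(rule_id, arg_name, matched_text)])."""
    hits = []
    for name, value in flatten(json.loads(body), parse_embedded=parse_embedded):
        for rule_id, (pattern, _score) in RULES.items():
            match = pattern.search(value)
            if match:
                hits.append((rule_id, name, match.group(0)))
    total = sum(RULES[rule_id][1] for rule_id, _, _ in hits)
    return total, hits
```

Run `explain(BODY)` and `explain(BODY, parse_embedded=True)` side by side: the opaque string-ified document trips the meta-character rule on its own braces, quotes and colons, while the individually parsed leaf values (including the description with its parentheses) do not reach four runs.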
