Juan Pablo Tosso

Cybersecurity Research Engineer

Backend Developer

Penetration Tester

Open-Source Developer

Juan Pablo Tosso
Juan Pablo Tosso
Juan Pablo Tosso
Juan Pablo Tosso

Cybersecurity Research Engineer

Backend Developer

Penetration Tester

Open-Source Developer

Blog Post

Coraza has reached 100% compatibility with OWASP Core Ruleset

December 11, 2021 Coraza

I began this project in July 2020, it’s been 17 months of hard work and a lot of redesigns but now the moment has finally come 🙂

Achieving 100% compatibility with CRS was a core objective of this project, now that it’s done, it’s the beginning of a new phase, optimization and new features!

I want you to celebrate with me so I will provide all the tools so you can test yourself the 100% compatibility but first a few things you must understand.

  1. OWASP CRS regression tests are YAML files compatible with go-ftw, you can find the yaml files here.
  2. Coraza is not compatible with go-ftw because it requires a web server implementation and logs compatible with microseconds.
  3. YAML test files can be processed using the Coraza Testing package under /testing.
  4. There is a special repository designed to help debug go-ftw tests, it’s coraza-testsuite.
  5. There are 33 tests that are no compatible with Coraza, because the invalid urlencoded payloads are going to be stopped by URLENCODED_ERROR, and a standard implementation would stop that request. Coraza’s url processing is fully RFC compliant.
  6. There are 5 tests that are not compatible with Coraza today but are pending update on the CRS side, those rules uses quadruple backslash (\\\\) and Coraza parses them as 4 literal backslashes, the rule modifications should change from \\\\ to \x5c. (920460 and 941330)
  7. There is one test that doesn’t work because it uses an invalid multipart, non compliant with the RFC, which will be stopped by Coraza before triggering this rule. (932180)
  8. Finally, there are 3 tests that won’t work because of a bug in the rule’s regular expression (920450).
  9. CRS compatibility requires the coraza-libinjection and coraza-pcre plugins, also libinjection and libpcre-dev installed.

Update 1

Now you can run CRS tests on Coraza using go-ftw, the test configurations can be download from this link.

go install github.com/fzipi/go-ftw@latest
git clone https://github.com/coreruleset/coreruleset
wget https://raw.githubusercontent.com/jptosso/coraza-waf/v2/master/coraza.conf-recommended -O coraza.conf
git clone https://github.com/jptosso/coraza-caddy
sed -i 's/\/\/ _ "github.com/_ "github.com/g' coraza-caddy/caddy/main.go
go install coraza-caddy/caddy/main.go
wget https://gist.githubusercontent.com/jptosso/bea81ca0de225b3e09846f627abc5b74/raw/cbec9526280400bbbdb1de51460d6dc748c116ab/.ftw.yaml
wget https://gist.githubusercontent.com/jptosso/bea81ca0de225b3e09846f627abc5b74/raw/cbec9526280400bbbdb1de51460d6dc748c116ab/Caddyfile
caddy start -adapter caddyfile -config ./Caddyfile
go-ftw run -d coreruleset/tests/regression


To test the rules you must type the following commands:

git clone https://github.com/coreruleset/coreruleset
go install github.com/jptosso/coraza-testsuite@628b960
wget https://raw.githubusercontent.com/jptosso/coraza-waf/v2/master/coraza.conf-recommended -O coraza.conf
coraza-testsuite run -crs -d ./coreruleset/tests/regression -r "./coraza.conf,./coreruleset/crs-setup.conf.example,./coreruleset/rules/*.conf"

And the expected result should be:

203 profiles were loaded
Skipping 920120-4
Skipping 920120-6
Skipping 920120-7
Skipping 920181-1
Skipping 920240-1
Skipping 920240-5
Skipping 920240-6
Skipping 920460-1
Skipping 920460-2
Skipping 920460-3
Skipping 920460-4
Skipping 921150-1
Skipping 921160-1
Skipping 932140-3
Skipping 932180-2
Skipping 941110-6
Skipping 941130-2
Skipping 941130-4
Skipping 941130-6
Skipping 941130-9
Skipping 941130-10
Skipping 941130-11
Skipping 941130-12
Skipping 941130-14
Skipping 941130-16
Skipping 941280-2
Skipping 941330-1
Skipping 942100-10
Skipping 942100-13
Skipping 942150-6
Skipping 942260-6
Skipping 942260-17
Skipping 942490-17
Failed: []
Passed 2562/2562 (100.00% passed)

You can debug a single test of a pattern of tests using the -i option to pick the tests and the –debug option for debugging, for example:

coraza-testsuite run -crs -d ./coreruleset/tests/regression -r "./coraza.conf,./coreruleset/crs-setup.conf.example,./coreruleset/rules/*.conf -i "942490-" --debug

Thanks to everyone who has helped to make this possible 🙂 And feel free to post any issue or comment about the tests.

Special thanks to @fzipi for his help debugging (and being a super rubber duck debugger 😂)

Write a comment