owasp-modsecurity-crs
owasp-modsecurity-crs copied to clipboard
SpiderLabs
Crazy Long Processing time of XML of a certain kinda payload body.
Describe the bug
Seems an application/xml payload that uses lots of > and < chars in the place of the actual < >'s will cause insane WAF processing time(you end up with one fairly large XML element containing all this data as string in the long running XML one.
With regular < >'s keeping a full XML schema+elements the whole time: 3.7 seconds e2e on a 450kb payload for me.
With the > and < chars in the place of the actual < >'s: 40+ seconds e2e 549kb payload
Unsure currently what rule its hanging on, I suppose DEBUG mode would give us some insight on where eats the most time.
Steps to reproduce
Non-issue case HTTP Post body example:
Issue case HTTP Post body example:
Expected behaviour
Would have not expected WAF to hang and process on the XML body this long.
Actual behaviour
Additional context
Your Environment
- CRS version (e.g., v3.2.0): 3.2/master
- Paranoia level setting: PL 1
- ModSecurity version (e.g., 2.9.3): 3.0.4
- Web Server and version (e.g., apache 2.4.41): NGINX
- Operating System and version: Linux Alpine
Update: Did remove 200000 on my test for this call to see if it removed the slowness(ModSec XML Parse rule), and it did not make things faster.
Ran some more tests tonight, nothing fixed it until I straight up disabled the engine:
# Had to disable to fix the "slow processing" issue.
SecRule REQUEST_URI "@contains /ExampleService/v" \
"id:14,\
phase:1,\
t:none,\
pass,\
nolog,\
ctl:ruleEngine=Off,\
ctl:ruleRemoveById=920273,\
ctl:ruleRemoveById=920272,\
ctl:ruleRemoveById=920260,\
ctl:ruleRemoveById=920240,\
ctl:ruleRemoveById=931110,\
ctl:ruleRemoveById=200000,\
ctl:ruleRemoveById=920470,\
ctl:ruleRemoveTargetById=941160;XML:/*"
URI edited for privacy reasons here :P . But yeah unsure where the slowdown is...