How to improve resistance to comment-based evasions?
Description
Hello,
As you can see here, PL1 is vulnerable to comment-based evasions: https://github.com/coreruleset/coreruleset/pull/4325
```shell
curl -H "x-format-output: txt-matched-rules" \
     -H "x-crs-paranoia-level:1" \
     "https://sandbox.coreruleset.org/" \
     -d 'test=mod(1,2)%3BINSERT%20%2F%2Atest%2A%2FINTO%20category%28id%29%20VALUES%20%283%29-- -'
```
This PR proposes reducing the sensitivity of two OWASP rules in order to address this.
However, the coverage is incomplete, so a second PR is needed: https://github.com/coreruleset/coreruleset/pull/4328
This second PR proposes strengthening the handling of all C-type comment forms.
Both PRs have been running on our side for years with no false positives observed on front-office traffic.
The (very rare) false positives we did encounter always occurred in back-offices, usually because of WYSIWYG editors that allow sending HTML/CSS/JS and developers who add comments in their content. So it’s not a true false positive, but we have to handle it as one by design.
Given that BO environments - by design - trigger a large number of PL1 rules in CMS contexts, these two PRs are not considered to worsen the false-positive situation in BOs, which are already complex to manage.
What do you think about these PRs?
Do you see a better way to approach this in order to improve the protection provided by PL1?
PL2+ is largely avoided by most third parties, based on what we’ve observed here.
Thank you for your time.
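To make the evasion in the issue concrete from the detection side, here is an added illustration (not code from the issue author or from the CRS project) of why a keyword-sequence pattern misses `INSERT /*test*/INTO` and how a comment-normalization pass applied before matching closes the gap. The rule pattern `NAIVE_INSERT_INTO` is a hypothetical, simplified stand-in for a PL1-style regex, not the actual CRS rule; the sample body is the one from the curl command above; the handling of an unterminated `/*` is a defensive assumption of this example, not any database's documented behaviour.

```python
import re
from urllib.parse import parse_qs

# Constructed sample input: the request body sent by the curl command in the issue.
SAMPLE_BODY = (
    "test=mod(1,2)%3BINSERT%20%2F%2Atest%2A%2FINTO%20category%28id%29"
    "%20VALUES%20%283%29-- -"
)

# Hypothetical stand-in for a keyword-sequence rule: INSERT and INTO separated
# only by whitespace. This is an illustration, not the CRS regex itself.
NAIVE_INSERT_INTO = re.compile(r"\binsert\s+into\b", re.IGNORECASE)

# MySQL executes the body of /*! ... */ (optionally versioned, /*!50000 ... */),
# so a normalizer must keep the body and drop only the delimiters.
MYSQL_EXEC_COMMENT = re.compile(r"/\*!\d{0,6}(.*?)\*/", re.DOTALL)
# Ordinary C-style comment, including the zero-length form /**/.
C_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalize_sql_comments(value: str) -> str:
    """Rewrite C-style comment forms so that a keyword rule sees the tokens
    the database would see, with comments reduced to a single space."""
    value = MYSQL_EXEC_COMMENT.sub(lambda m: " " + m.group(1) + " ", value)
    value = C_COMMENT.sub(" ", value)
    # Assumption for this example: an unterminated "/*" loses only its
    # delimiter, so whatever follows stays visible to the rule instead of
    # being hidden behind a comment that never closes.
    value = value.replace("/*", " ")
    return re.sub(r"\s+", " ", value).strip()


def matches(value: str, normalize: bool) -> bool:
    """Apply the stand-in rule to a single argument value, with or without
    the comment-normalization step."""
    target = normalize_sql_comments(value) if normalize else value
    return NAIVE_INSERT_INTO.search(target) is not None


def inspect_body(body: str, normalize: bool) -> dict:
    """Decode an application/x-www-form-urlencoded body and evaluate each
    argument, mirroring a rule that targets ARGS. Returns {name: matched}."""
    args = parse_qs(body, keep_blank_values=True)
    return {
        name: any(matches(v, normalize) for v in values)
        for name, values in args.items()
    }


if __name__ == "__main__":
    # Same payload, rule applied raw versus after comment normalization.
    print("raw       :", inspect_body(SAMPLE_BODY, normalize=False))
    print("normalized:", inspect_body(SAMPLE_BODY, normalize=True))
```

Running the block shows the raw match failing on the sample body and succeeding once comments are normalized. The `/*! ... */` branch is the part to get right in practice: stripping such a comment wholesale would remove exactly the text MySQL executes, so the normalizer keeps its body.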
This is a worthwhile discussion. Thanks for launching it.