Christian Folini

Results: 38 issues by Christian Folini

No need to rush this before the CRS4 release. But it's something to accompany the documentation.

v4-doc

This is a list of links to online collections of WAF (bypass) payloads. Worth a closer look. https://github.com/mgm-sp/WAF-Payload-Collection

:heavy_minus_sign: False Negative - Evasion

I took a peek at https://github.com/nemesida-waf/waf-bypass It runs a great many payloads against WAFs and reports bypasses and also a few FPs. CRS does OK, but still quite a few...

:heavy_minus_sign: False Negative - Evasion

https://www.youtube.com/@owaspmodsecuritycoreruleset

:+1: Feature Request

### Description

Here is a selection of clients using the Content-Encoding HTTP request header that is now restricted via tx.restricted_header. Selection: ``` 160 imo-android 7334376963547694939 162 iPhone7,2/12.5.4 (16H50) 164 imo-android...

:heavy_plus_sign: False Positive

### Description

An XML containing the following XSS is not flagged as an attack. Ignored up to PL4: ``` $ curl -H "x-crs-paranoia-level: 4" -H "x-format-output: txt-matched-rules" -H "x-backend: apache" -H...

:heavy_minus_sign: False Negative - Evasion

## Describe the bug

I sent an email to the contact address listed in https://github.com/cloudflare/pingora/blob/main/.github/CONTRIBUTING.md This is the delivery failure I got: ``` Hello xxxx, We're writing to let you know...

bug

Version: castget-rel_2_0_0 ``` $ configure --prefix=/usr/local/castget ... $ make make all-recursive make[1]: Entering directory '/tmp/castget-rel_2_0_0' Making all in tests make[2]: Entering directory '/tmp/castget-rel_2_0_0/tests' make[2]: Nothing to be done for 'all'....

http://www.tutorialspoint.com/http/http_requests.htm mentions: ``` The absoluteURI is used when an HTTP request is being made to a proxy. The proxy is requested to forward the request or service from a valid...

Good first issue

We are blacklisting illegal request headers, but with Apache concatenating duplicate headers before we get a chance to count them etc. it makes sense to whitelist the format of several...

False Negative - Evasion
Feature Request