coreruleset.org/20211209/introducing-the-crs-sandbox

Preview meta tags from the coreruleset.org website.

Linked Hostnames

9

Search Engine Appearance

Google

https://coreruleset.org/20211209/introducing-the-crs-sandbox

Introducing the CRS Sandbox

The OWASP ModSecurity Core Rule Set project is very happy to present the CRS Sandbox. It’s an API that allows you to test an attack payload against CRS …



  • General Meta Tags

    10
    • title
      Introducing the CRS Sandbox | CRS Project
    • charset
      utf-8
    • viewport
      width=device-width,initial-scale=1
    • Content-Security-Policy
      upgrade-insecure-requests
    • description
      The OWASP ModSecurity Core Rule Set project is very happy to present the CRS Sandbox. It’s an API that allows you to test an attack payload against CRS …
  • Open Graph Meta Tags

    7
    • og:url
      https://coreruleset.org/20211209/introducing-the-crs-sandbox/
    • og:site_name
      CRS Project
    • og:title
      Introducing the CRS Sandbox
    • og:description
      The OWASP ModSecurity Core Rule Set project is very happy to present the CRS Sandbox. It’s an API that allows you to test an attack payload against CRS without the need to install a ModSecurity box or anything. Here is how to do this: $ curl -H "x-format-output: txt-matched-rules" "https://sandbox.coreruleset.org/?search=<script>alert('CRS+Sandbox+Release')</script>" 941100 PL1 XSS Attack Detected via libinjection 941110 PL1 XSS Filter - Category 1: Script Tag Vector 941160 PL1 NoScript XSS InjectionChecker: HTML Injection 949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 15) 980130 PL1 Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0 As you can see, curl is calling our sandbox with an XSS payload and the sandbox returns the list of CRS rules that the request triggered. If you are unfamiliar with CRS, then the important part is that there are several rules that triggered / detected something. And the total “anomaly score” of 15, which is far beyond the default anomaly threshold of 5 that gets a request blocked for looking like an attack.
    • og:locale
      en
  • Twitter Meta Tags

    4
    • twitter:card
      summary_large_image
    • twitter:image
      https://coreruleset.org/images/social-preview.svg
    • twitter:title
      Introducing the CRS Sandbox
    • twitter:description
      The OWASP ModSecurity Core Rule Set project is very happy to present the CRS Sandbox. It’s an API that allows you to test an attack payload against CRS without the need to install a ModSecurity box or anything. Here is how to do this: $ curl -H "x-format-output: txt-matched-rules" "https://sandbox.coreruleset.org/?search=<script>alert('CRS+Sandbox+Release')</script>" 941100 PL1 XSS Attack Detected via libinjection 941110 PL1 XSS Filter - Category 1: Script Tag Vector 941160 PL1 NoScript XSS InjectionChecker: HTML Injection 949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 15) 980130 PL1 Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0 As you can see, curl is calling our sandbox with an XSS payload and the sandbox returns the list of CRS rules that the request triggered. If you are unfamiliar with CRS, then the important part is that there are several rules that triggered / detected something. And the total “anomaly score” of 15, which is far beyond the default anomaly threshold of 5 that gets a request blocked for looking like an attack.
  • Link Tags

    9
    • apple-touch-icon
      https://coreruleset.org/apple-touch-icon.png
    • icon
      https://coreruleset.org/favicon.ico
    • icon
      https://coreruleset.org/favicon.svg
    • icon
      https://coreruleset.org/favicon-32x32.png
    • preload
      https://coreruleset.org/fonts/nunito-v25-latin-regular.woff2

Links

22