Hello,
I use CRS rules (version 4.0) with a WAF to protect the vaultwarden instance.
I’m working on reducing the blocking threshold of incoming requests to improve security.
At the moment I’m working on this false positive: Rule 920273 Invalid character in request. It is pretty much self-explanatory. It’s a very strict rule at paranoia level 4 and it fights special characters fiercely.
The arguments concerned:
ARGS:json.login.username
ARGS:json.login.uris.0.uri
ARGS:json.login.password
ARGS:json.passwordHistory.1.password
ARGS:json.passwordHistory.0.password
The URI concerned: “/api/ciphers”
I have thought of several choices, but since I struggle to evaluate the risk of deactivating this rule on the URI, I’m asking for your advice.
I identified 3 options today:
- Completely remove rule 920273: 1 rule has to be created. I’m not very excited about this one.
- Remove the rule for the URI /api/cypher: 1 rule has to be created. OK cool, but is it too much?
- Remove the rule for the URI /api/cypher for each ARGS: 3 rules have to be created, and maybe more since I notice that the passwordHistory can change. It will be hard to maintain.
The best option, but I don’t know if it is feasible, is to use option 3 as a baseline, but instead of specifying the ARGS for each rule, we use a regex.
UPDATE: Well, with some research, this is not possible; the WAF doesn’t support this…
What do you think ?
Regards
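For comparison, here is what the three options look like as CRS runtime rule exclusions in ModSecurity-style SecLang. This is an added example, not configuration from the post, and it assumes a ModSecurity-compatible engine; the rule ids (1000, 1001, 1002) and the file placement are assumptions to adapt to the local setup.

```apache
# Option 1: drop rule 920273 everywhere (widest exposure, simplest to write).
# Goes AFTER the CRS include, e.g. in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
SecRuleRemoveById 920273

# Option 2: disable the whole rule, but only for the cipher API.
# Runtime exclusions go BEFORE the CRS include, e.g. in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, and run in phase 1 so they
# take effect before the phase-2 rule 920273 is evaluated.
SecRule REQUEST_FILENAME "@beginsWith /api/ciphers" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920273"

# Option 3: keep the rule active on /api/ciphers, but stop it inspecting only
# the named JSON arguments. Every other argument and every other URI stays
# fully covered, so this is the narrowest exclusion. One SecRule can carry
# several ctl actions, one per argument; any further passwordHistory index
# needs its own line (that is the maintenance cost noted in the post).
SecRule REQUEST_FILENAME "@beginsWith /api/ciphers" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=920273;ARGS:json.login.username,\
    ctl:ruleRemoveTargetById=920273;ARGS:json.login.uris.0.uri,\
    ctl:ruleRemoveTargetById=920273;ARGS:json.login.password,\
    ctl:ruleRemoveTargetById=920273;ARGS:json.passwordHistory.0.password,\
    ctl:ruleRemoveTargetById=920273;ARGS:json.passwordHistory.1.password"

# Same scope as option 3, but logging the exclusion instead of nolog, so the
# audit log records which requests were narrowed and tuning stays reviewable.
SecRule REQUEST_FILENAME "@beginsWith /api/ciphers" \
    "id:1002,\
    phase:1,\
    pass,\
    log,\
    msg:'vaultwarden cipher API: 920273 narrowed on JSON credential args',\
    tag:'local-exclusion',\
    ctl:ruleRemoveTargetById=920273;ARGS:json.login.password"
```

Only one of the three blocks should be active at a time; the point of the comparison is that option 3 leaves rule 920273 enforced for every argument not listed, whereas options 1 and 2 switch it off for the whole request.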