What is the risk?

Hello,

I use CRS rules (version 4.0) with a WAF to protect the vaultwarden instance.
I’m working on reducing the blocking threshold of incoming requests to improve the security.
At the moment I’m working on this false positive: Rule 920273 Invalid character in request. It is pretty much self-explanatory. It’s a very strict rule at paranoia level 4 and it fights special characters fiercely.

The arguments that are concerned:
ARGS:json.login.username
ARGS:json.login.uris.0.uri
ARGS:json.login.password
ARGS:json.passwordHistory.1.password
ARGS:json.passwordHistory.0.password

The URI concerned: “/api/ciphers”

I have thought of several choices, but since I struggle to evaluate the risk of deactivating this rule on the URI, I’m asking for your advice.

I identified 3 options today:

  1. Completely remove the rule 920273: 1 rule has to be created.
    I’m not very excited about this one.
  2. Remove the rule for the URI /api/ciphers: 1 rule has to be created.
    OK, cool, but is it too much?
  3. Remove the rule for the URI /api/ciphers for each ARGS: 3 rules have to be created, and maybe more, since I notice that the password history can change.
    It will be hard to maintain :frowning:

The best option, but I don’t know if it is feasible, is to use option 3 as a baseline, but instead of specifying the ARGS for each rule, we use a regex.
UPDATE: Well, with some research, this is not possible; the WAF doesn’t support this…

What do you think?

Regards
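For readers weighing the three options above, here is what they look like as ModSecurity rule-exclusion configuration for rule 920273. This is an added example written for this thread, not configuration from the original post or from the CRS project; the rule IDs 10001 and 10002 are placeholders chosen from the range CRS leaves for local rules, and the argument names and the /api/ciphers path are the ones listed in the post. The `ctl:` runtime exclusions must be placed in a file that loads before the CRS rules (the `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS` file), while `SecRuleRemoveById` goes in the file that loads after them.

```apache
# Option 1: drop rule 920273 everywhere.
# Goes in the "after CRS" exclusion file; nothing is checked for invalid
# characters any more on any URI, which is why this is the widest exclusion.
SecRuleRemoveById 920273

# Option 2: disable rule 920273 only for the vaultwarden cipher endpoint.
# Runtime exclusion, phase 1, must load before the CRS rules.
# @beginsWith also covers sub-paths such as /api/ciphers/<id> (assumption:
# that is wanted; use "@rx ^/api/ciphers$" for an exact match instead).
# Every other argument on this endpoint also loses the check.
SecRule REQUEST_URI "@beginsWith /api/ciphers" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveById=920273"

# Option 3: keep rule 920273 active on /api/ciphers, but exempt only the
# JSON arguments that hold free-form user data (username, URI, passwords).
# Any other argument sent to the same endpoint is still inspected.
# New passwordHistory indexes need their own line, which is the
# maintenance burden the post describes.
SecRule REQUEST_URI "@beginsWith /api/ciphers" \
    "id:10002,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=920273;ARGS:json.login.username,\
    ctl:ruleRemoveTargetById=920273;ARGS:json.login.uris.0.uri,\
    ctl:ruleRemoveTargetById=920273;ARGS:json.login.password,\
    ctl:ruleRemoveTargetById=920273;ARGS:json.passwordHistory.0.password,\
    ctl:ruleRemoveTargetById=920273;ARGS:json.passwordHistory.1.password"
```

Only one of the three blocks should be active at a time. Option 3 is the narrowest: the rule keeps firing on every argument of the request except the named ones, so an unexpected parameter with odd characters on that endpoint is still flagged, and the audit log will show which exclusion matched (rule 10002) if a request is later questioned.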