Help with ctl:ruleRemoveTargetByXX on a REQUEST_COOKIES containing a space

[zeylos]

Hello there,

I've been strugling with a very basic rule exclusion and ended up posting here in despair.
I want to exclude a session cookie from every rules, this is an example of what I don't want to trigger (line truncated) :

Coraza: Warning. PHP Injection Attack: Configuration Directive Found [id \"933120\"] [msg \"PHP Injection Attack: Configuration Directive Found\"] [data \"Matched Data: SMTP found within MATCHED_VARS:REQUEST_COOKIES: _DS_session: ljCF/FqnHip7N9b8pl631b9BlPiSffbA0v1wayu2YhwkIxSY3kwImyScuDVL0JvkcZMrDPJkndYlSMTPXXX\"]

This was my first unsuccessful try :

SecAction \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES: _DS_session"

After reading some code I found out that ruleRemoveTargetByTag is wrapped arround ruleRemoveTargetById, so I tried this :

SecAction \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=933120;REQUEST_COOKIES: _DS_session"

which didn't work either, I tried without a space, I tried to escape the space, I tried regex, I even tried to remove REQUEST_COOKIES entirely, I tried phase 1, phase 2, but the line still shows and I'm out of ideas.
I'm doing my tests with a random cookie containing the string "SMTP" to trigger the rule 933120.
I have another equivalent rule for a csrf token that works perfectly :

SecAction \
    "id:1002,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=language-php;REQUEST_COOKIES:_csrf_token"

Am I missing something on rule 1001 ?

Thanks in advance for the help 🙏

[jptosso]

Have you tried adding the exclusion to REQUEST_HEADERS.Cookie too? Cookies are contained in two variables
There is also a space in here:
OOKIES: _DS_session", and that is not right

[zeylos]

I just tried REQUEST_HEADERS.Cookie without success, each of my tries have been done with and without the space before _DS, I put the space on my first tries because it appeared this way in coraza's logs (see my first code block)

[zeylos]

Hello,

After some tests it looks like there is indeed a bug with that blank space before the cookie. The app is sometimes sending cookies with a space or something before, and crs rules don't seem to be able to match this. I'll get in touch with the devs and see if we can fix that.

In the meatime I tried these rules to remove cookies from all rules :

SecAction \
    "id:1010,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES"
SecAction \
    "id:1011,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_HEADERS.Cookie"

but I still have matches for some reason, I really don't get why.

Do I have a solution to remove cookies from scanning entirely ?

[zeylos]

If anyone spawns here for answer, initial bug fixed by #942 , didn't find a way to remove cookies entirely because it looks like coraza does not support removing an entire col for now

[jptosso]

Please feel free to create a new issue for column deletion

Best

[zeylos]

To be transparent I'm a sysadmin learning golang, I was thinking about trying a PR but I'll definitly make an issue if it gets too difficult for me :D.

Cheers