
I am working on a project that realizes the same function as ModSecurity with Spring Cloud Gateway. We also aim to realize the function of reading the core rule set. In other words, we are aiming for a Java version of Web Application Firewall.

However, I am suffering from the following problems.

  • I can't find any documentation about ModSecurity class and method specifications (documents like an API reference).
  • ModSecurity is written in object-oriented programming, but I don't understand how to replace it with the reactive programming model of Spring Cloud Gateway.

Question

  1. Is it possible to get documentation on the specifications of each ModSecurity class and method?
  2. Are there any projects or books that might be useful when creating a WAF in Spring Cloud Gateway?

1 Answer


OWASP CRS dev-on-duty here.

The documentation you are asking for probably does not exist. However, there are several commercial companies who have re-implemented the core ModSecurity functionality needed to run OWASP CRS. And I think that is the way to go.

The functionality is probably best specified in the ModSecurity Handbook (-> Feisty Duck website).

Something that is equally promising would be to look into msc_pyparser (-> GitHub) for a day or two. On a conceptual level, this library allows you to read a ModSec rule, transpose it and then export it again. You could thus transpose a rule into Java code and create an input (/output) validation filter.

Dharman
dune73
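The read/transpose/evaluate loop the answer sketches, as an added example that is not part of the original post and is not code from ModSecurity, msc_pyparser or OWASP CRS. It is in Python so that it runs stand-alone here; the structure (parse a SecRule, resolve its variables against the request, apply the transformations in order, run the operator, act) is exactly what a Spring Cloud Gateway filter would have to reproduce in Java. Everything in it is constructed: the rules and their ids are not CRS rules, the requests are not captured traffic, only `SecRule` with a handful of operators and transformations is understood, and `urlDecodeUni` is approximated with plain percent-decoding (no `%uXXXX` handling).

```python
"""Minimal SecRule reader/evaluator: parse -> transform -> operator -> deny/pass.
Added example; deliberately narrow (SecRule only, no chains, no &/! variable
modifiers, no SecDefaultAction), so the control flow stays visible."""
import re
import urllib.parse
from dataclasses import dataclass
from typing import Optional

# Constructed rules in SecRule syntax; the 9000xx ids are made up, not CRS ids.
SAMPLE_RULES = r'''
# phase 1: headers are available before the body has been read
SecRule REQUEST_HEADERS:User-Agent "@pm sqlmap nikto nessus" \
    "id:900001,phase:1,t:none,t:lowercase,deny,msg:'Known scanner User-Agent'"
SecRule REQUEST_HEADERS:Content-Type "!@rx ^(application/json|application/x-www-form-urlencoded)(;.*)?$" \
    "id:900002,phase:1,t:none,t:lowercase,deny,msg:'Unexpected Content-Type'"
# phase 2: arguments (query and body)
SecRule ARGS|REQUEST_HEADERS:Referer "@rx (?i)<\s*script" \
    "id:900003,phase:2,t:none,t:urlDecodeUni,deny,msg:'XSS probe'"
SecRule ARGS "@rx \bunion\b.+\bselect\b" \
    "id:900004,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,msg:'SQLi probe'"
'''

TRANSFORMS = {                       # applied left to right, after a t:none reset
    'lowercase': str.lower,
    'urlDecodeUni': urllib.parse.unquote_plus,   # assumption: single %XX/+ decode only
    'urlDecode': urllib.parse.unquote_plus,
    'compressWhitespace': lambda v: re.sub(r'\s+', ' ', v),
    'removeNulls': lambda v: v.replace('\x00', ''),
}
OPERATORS = {                        # (argument, transformed value) -> bool
    'rx': lambda arg, v: re.search(arg, v) is not None,
    'pm': lambda arg, v: any(p in v.lower() for p in arg.lower().split()),
    'streq': lambda arg, v: v == arg,
    'contains': lambda arg, v: arg in v,
}

@dataclass
class Rule:
    id: int
    phase: int
    variables: list      # e.g. ['ARGS', 'REQUEST_HEADERS:Referer']
    negate: bool         # the '!@op' form
    operator: str
    argument: str
    transforms: list
    action: str          # 'deny' or 'pass'
    msg: str

@dataclass
class Request:           # constructed request model; args already parsed by name
    method: str
    path: str
    args: dict
    headers: dict

@dataclass
class Match:
    rule_id: int
    msg: str
    variable: str
    value: str           # the transformed value the operator actually saw

def _read_quoted(s: str, i: int):
    """Read a double-quoted token at s[i]; \\" escapes a quote, any other
    backslash is kept verbatim so regex escapes such as \\s survive."""
    if s[i] != '"':
        raise ValueError('expected opening quote at: ' + s[i:i + 20])
    out, i = [], i + 1
    while i < len(s):
        c = s[i]
        if c == '\\' and s[i + 1:i + 2] == '"':
            out.append('"'); i += 2
        elif c == '"':
            return ''.join(out), i + 1
        else:
            out.append(c); i += 1
    raise ValueError('unterminated quoted string')

def _split_actions(s: str):
    """Split on commas except inside single quotes (msg:'a, b'); quotes are dropped."""
    parts, buf, quoted = [], [], False
    for c in s:
        if c == "'":
            quoted = not quoted
        elif c == ',' and not quoted:
            parts.append(''.join(buf).strip()); buf = []
        else:
            buf.append(c)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]

def _build_rule(variables: str, operator: str, actions: str) -> Rule:
    negate = operator.startswith('!')
    operator = operator[1:] if negate else operator
    if operator.startswith('@'):
        name, _, argument = operator[1:].partition(' ')
    else:                            # bare pattern means @rx, as in ModSecurity
        name, argument = 'rx', operator
    rule = Rule(0, 2, variables.split('|'), negate, name, argument, [], 'pass', '')
    for act in _split_actions(actions):
        key, _, val = act.partition(':')
        if key == 'id': rule.id = int(val)
        elif key == 'phase': rule.phase = int(val)
        elif key == 't': rule.transforms = [] if val == 'none' else rule.transforms + [val]
        elif key == 'msg': rule.msg = val
        elif key in ('deny', 'block', 'drop'): rule.action = 'deny'   # block is simplified to deny
        elif key == 'pass': rule.action = 'pass'
        # log, severity, tag, ... are accepted and ignored here
    if name not in OPERATORS or any(t not in TRANSFORMS for t in rule.transforms):
        raise ValueError('rule %d: unsupported operator or transformation' % rule.id)
    return rule

def parse_rules(text: str):
    """Parse SecRule directives (backslash continuations joined) into Rule objects."""
    rules = []
    for line in text.replace('\\\n', ' ').splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        directive, rest = line.split(None, 1)
        if directive != 'SecRule':
            raise ValueError('unsupported directive: ' + directive)
        variables, rest = rest.split(None, 1)
        operator, end = _read_quoted(rest, 0)
        actions, _ = _read_quoted(rest, rest.index('"', end))
        rules.append(_build_rule(variables, operator, actions))
    return rules

def render(rule: Rule) -> str:
    """Re-emit a Rule as a SecRule line: the 'export' half of read/transpose/export."""
    op = ('!' if rule.negate else '') + '@%s %s' % (rule.operator, rule.argument)
    actions = ['id:%d' % rule.id, 'phase:%d' % rule.phase, 't:none'] + \
              ['t:' + t for t in rule.transforms] + [rule.action, "msg:'%s'" % rule.msg]
    return 'SecRule %s "%s" "%s"' % ('|'.join(rule.variables), op.replace('"', '\\"'), ','.join(actions))

def _targets(req: Request, spec: str):
    """Resolve ARGS / REQUEST_HEADERS:Name / REQUEST_URI to values. A named target
    that is absent yields nothing, so the rule simply does not run (as in ModSecurity)."""
    collection, _, key = spec.partition(':')
    if collection == 'ARGS':
        source = req.args
    elif collection == 'REQUEST_HEADERS':
        source = {k.lower(): v for k, v in req.headers.items()}; key = key.lower()
    elif collection == 'REQUEST_URI':
        return [req.path]
    else:
        raise ValueError('unsupported variable: ' + spec)
    return ([source[key]] if key in source else []) if key else list(source.values())

def evaluate(rules, req: Request, phases=(1, 2)) -> Optional[Match]:
    """Run request-phase rules in phase order; return the first blocking match, else None."""
    for phase in phases:
        for rule in (r for r in rules if r.phase == phase):
            for spec in rule.variables:
                for raw in _targets(req, spec):
                    value = raw
                    for t in rule.transforms:
                        value = TRANSFORMS[t](value)
                    hit = OPERATORS[rule.operator](rule.argument, value)
                    if hit != rule.negate and rule.action == 'deny':   # != acts as XOR with '!'
                        return Match(rule.id, rule.msg, spec, value)
    return None

RULES = parse_rules(SAMPLE_RULES)

if __name__ == '__main__':
    probe = Request('GET', '/search', {'q': '%3Cscript%3Ealert(1)%3C%2Fscript%3E'}, {'User-Agent': 'curl/8.0'})
    print(evaluate(RULES, probe))
```

Two things worth noticing when porting this to a reactive gateway. Phase 1 only needs headers, but phase 2 needs the full argument set, which in Spring Cloud Gateway means buffering the request body stream before the filter can evaluate `ARGS`; that buffering, not the rule logic, is where the object-oriented/reactive mismatch actually shows up. And the transformation chain is part of the security contract: with a single `urlDecodeUni` the `%253Cscript` (double-encoded) probe above is not decoded far enough to match, which is why real rule sets handle multiple decoding passes in separate rules rather than trusting one transform.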