Hi everyone,
I'm currently running a setup with a WAF using the OWASP Core Rule Set (CRS). I've encountered two specific rules causing total page blanking (403 errors) for legitimate traffic.
While I can change the rule set and make exclusions, I was hoping that changes could be made to PSU so others won't run into the same problem.
1. Rule 943120 (Possible Session Fixation Attack: SessionID Parameter Name with No Referrer)
Legitimate requests containing a sessionID parameter are blocked if the Referrer header is missing.
In the logs, the /dashboardhub path was flagged by this rule on every app page, causing it to load blank pages.
AI was suggesting moving the session ID to a cookie instead of the URL parameter to get around the rule trigger.
2. Rule 942421 (SQL Injection - Special Characters)
Requests are blocked when the .NET cookies contain a high number (3) of special characters.
Environment:
- Docker hosted reverse proxy "Caddy" with Coraza plugin: https://github.com/docker-servers/coraza-caddy
- CRS Version: 4.25.0
Index of all rules: https://web.archive.org/web/20230901104426/https://www.netnea.com/cms/core-rule-set-inventory/
Here are a few more rules that I observed in detection mode but which were ultimately irrelevant after blocking the 2 rules above.
Thanks!
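For anyone who hits the same two rules before a product-side change lands, the following is an added example of the narrow runtime exclusions the post describes. It is not code from the original post, from PowerShell Universal, or from the Coraza project; it is written in SecLang, the ModSecurity-style rule language that Coraza reads. The local rule ID 10001, the `/dashboardhub` path prefix, and the `.AspNetCore.` cookie-name prefix are assumptions taken from the post or from typical ASP.NET Core defaults, so check them against your own audit log before loading this.

```apache
# Added example, not from the original post or PowerShell Universal.
# Runtime exclusions for CRS 943120 and 942421 in SecLang (as read by Coraza).
# Load this file AFTER the CRS rule files: SecRuleUpdateTargetById only
# takes effect once rule 942421 has already been defined.
# Assumptions: local rule id 10001, path prefix /dashboardhub, cookie
# names beginning with ".AspNetCore." (verify all three in your audit log).

# 1. Rule 943120 fires on a sessionID-style parameter name when the request
#    carries no Referer header. Disable it only for the path that was flagged
#    instead of globally, so a session ID in the URL anywhere else is still
#    caught. ctl:ruleRemoveById applies to the current transaction only.
#    10001 sits in the 1-99999 range that CRS leaves free for local rules.
SecRule REQUEST_URI "@beginsWith /dashboardhub" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=943120"

# 2. Rule 942421 counts special characters in cookie values. Remove only the
#    framework-issued cookies from its targets (assumed to be named
#    .AspNetCore.*), so cookies the application itself sets are still
#    inspected. The leading '!' removes the target; '/.../' is a regex on
#    the cookie name rather than an exact name.
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:/^\.AspNetCore\./"
```

To confirm the exclusion is scoped as intended, send one request to `/dashboardhub` with a sessionID parameter and no Referer header and one to another path with the same parameter; the Coraza audit log should show rule 943120 matching only the second. Keep in mind the trade-off: a path-scoped `ctl:ruleRemoveById` means a genuine session fixation attempt against that path is no longer flagged by the WAF, which is why carrying the session ID in a cookie rather than the URL is the better long-term fix.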
@Dynamic66 We've opened a feature request to investigate this. Thanks for the info!
Adam Driscoll
PowerShell Expert and Developer at Devolutions