
What is Coraza?

Roughly speaking, Coraza does the same job as ModSecurity: it is a web application firewall engine that understands the same rule language, so it runs the OWASP CRS just as ModSecurity does, and the differences are technical implementation details.

Its main purpose is to provide protection of websites with the OWASP Core Rule Set (CRS):

The OWASP CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. It aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. CRS provides protection against many common attack categories, including SQL Injection, Cross Site Scripting, Local File Inclusion, etc.

Technical Details

The website of the OWASP Coraza project (coraza.io) links to the main implementation of the Coraza library at GitHub corazawaf/coraza, described with "OWASP Coraza WAF is a golang modsecurity compatible web application firewall library".

In other words, it is an implementation of the ModSecurity rule engine in the Go programming language (Golang) instead of the original C/C++ code: it reads the same Seclang configuration language and rule syntax, so rule sets written for ModSecurity, CRS in particular, run on it unchanged. Its main purpose is to bring that protection to newer architectures where Go is prominent, including cloud environments such as Kubernetes.

Note that the relation to CRS is visible in the name itself, most clearly when written as CoRaZa; "coraza" is Spanish for armor, or more generally a shield or protective barrier.

United Security Providers' Contribution

United Security Providers has implemented a Go filter for the Envoy reverse proxy that provides the functionality of Coraza inside Envoy, and thus also inside the Core WAAP, and has released it as open source on GitHub at united-security-providers/coraza-envoy-go-filter.

The filter is configured with Seclang directives, the same configuration language ModSecurity uses. These cover the general functionality: limiting HTTP request and/or response body sizes, activating the OWASP CRS rule files and, of course, adjusting the rules, for example by excluding individual rules or rule targets for specific parameters.
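As an added illustration (not configuration taken from the Core WAAP documentation or from the coraza-envoy-go-filter repository), here is a Seclang fragment of the kind such a filter consumes, covering the three points above: body size limits, CRS activation, and rule exceptions. The directive names are standard ModSecurity/Coraza Seclang; the `@`-prefixed Include paths are the names used by Coraza's embedded CRS module (coraza-coreruleset) and are assumed here, as are the 1 MiB / 512 KiB limits, the field name `comment`, and the choice of CRS rules 942100 and 920350 for the exceptions.

```apacheconf
# Added example, not the project's own configuration.
# Engine defaults shipped with Coraza; the directives below override
# the body-access and limit settings it contains.
Include @coraza.conf-recommended

# Block on match. Use DetectionOnly while collecting logs from which
# rule exceptions are derived, then switch to On.
SecRuleEngine On

# Request body: buffer it so CRS can inspect it, and cap the size.
# Requests over the limit (1 MiB here, an assumed value) are rejected
# rather than silently passed through uninspected.
SecRequestBodyAccess On
SecRequestBodyLimit 1048576
SecRequestBodyLimitAction Reject

# Response body: optional, since it costs memory per response. Inspect
# only text-like types and stop reading at the limit (512 KiB, assumed)
# instead of failing the response.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html application/json
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Activate OWASP CRS. The setup file (paranoia level, anomaly score
# thresholds) must precede the rule files, which read the variables it sets.
Include @crs-setup.conf.example
Include @owasp_crs/*.conf

# Tweaks, placed after the rules they modify. This is the form CRS rule
# exceptions take, whether written by hand or learned from logs:
# stop the libinjection SQLi rule (942100) from inspecting one free-text
# field ("comment" is an assumed parameter name) ...
SecRuleUpdateTargetById 942100 "!ARGS:comment"
# ... and disable the "Host header is a numeric IP address" check (920350)
# for a deployment that is legitimately addressed by IP.
SecRuleRemoveById 920350
```

Directive order matters: SecRuleUpdateTargetById and SecRuleRemoveById only affect rules that have already been loaded, so they go after the CRS includes, and overrides such as SecRequestBodyLimit go after the recommended defaults they are meant to replace. Prefer narrowing a rule's targets over removing the rule outright, so that the rule keeps protecting every other parameter.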

In the Core WAAP, there are the following major additions:

  • Simplicity: No need to write or maintain Seclang directives; they are generated automatically from a few simple settings.
  • GraphQL Protection: Via a proprietary plugin for the Coraza filter, GraphQL requests can be validated specifically.
  • Auto-Learning: Via a command line tool, rule exceptions for CRS and maxima (limits) for GraphQL can be learned automatically from logs.

Note that implementing GraphQL validation as part of Coraza has the implicit benefit that buffer allocation and JSON parsing are done only once on routes where both CRS and GraphQL validation are active, which reduces the memory and CPU footprint.

In the future, further dedicated validations might be added, with potentially similar benefits.

Core WAAP Coraza Settings

  • Settings regarding Coraza in general (e.g. activation or request size limits) are specified at spec.coraza and spec.routes[].coraza in the API Reference.
  • Settings regarding specifically CRS are specified at spec.coraza.crs and spec.routes[].coraza.crs in the API Reference, plus there is a basic overview in the section CRS.
  • Settings regarding specifically GraphQL are specified at spec.coraza.graphql and spec.routes[].coraza.graphql in the API Reference, plus there is a basic overview in the section GraphQL.