Commit a2f26d9

committed
docs: add tools for rule writers
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
1 parent e89576f commit a2f26d9

File tree

1 file changed

+278
-0
lines changed

Lines changed: 278 additions & 0 deletions
@@ -0,0 +1,278 @@
1+
---
2+
title: Tools for Rule Writers
3+
weight: 67
4+
disableToc: false
5+
chapter: false
6+
---
7+
8+
> This page brings together essential tools that help rule writers create better, more effective CRS rules. From testing regular expressions to understanding database behavior, these resources will help you write rules using modern techniques and best practices.
9+
10+
Writing effective WAF rules requires understanding how attacks work, how payloads behave in different contexts, and how to create patterns that detect malicious behavior without causing false positives. The tools listed here will help you throughout the entire rule development process.
11+
12+
## Regular Expression Testing and Development
13+
14+
Regular expressions are the foundation of many CRS rules. These tools help you write, test, and optimize regex patterns.
15+
16+
### regex101
17+
18+
[https://regex101.com](https://regex101.com)
19+
20+
**Essential for rule development.** Provides real-time testing, detailed explanations of regex patterns, and performance analysis. Supports multiple regex flavors including PCRE (used by ModSecurity), Python, JavaScript, and Go. Features include:
21+
22+
- Real-time pattern matching with highlighting
23+
- Detailed breakdown of regex components
24+
- Quick reference and cheat sheet
25+
- Community-shared patterns
26+
- Regex debugging and step-through
27+
28+
### RegExr
29+
30+
[https://regexr.com](https://regexr.com)
31+
32+
A user-friendly regex testing tool with syntax highlighting and contextual help. Includes a searchable library of community patterns and supports PHP/PCRE and JavaScript regex flavors.
33+
34+
### Debuggex
35+
36+
[https://www.debuggex.com](https://www.debuggex.com)
37+
38+
Provides visual regex debugging with railroad diagrams that show how patterns match. Particularly useful for understanding complex regex structures. Supports JavaScript, Python, and PCRE.
39+
40+
### ExtendsClass Regex Tester
41+
42+
[https://extendsclass.com/regex-tester.html](https://extendsclass.com/regex-tester.html)
43+
44+
Online regex debugger supporting multiple languages including PHP (PCRE), Python, Ruby, JavaScript, Java, and MySQL. Features visualization of matches and helpful for testing regex across different platforms.
45+
46+
## Database and Query Testing Playgrounds
47+
48+
Understanding how databases handle SQL queries, comments, spacing, and special characters is crucial for writing effective SQLi detection rules. These online playgrounds let you test query variations without local database setup.
49+
50+
### SQLite Online
51+
52+
[https://sqliteonline.com](https://sqliteonline.com)
53+
54+
Fast and easy-to-use online SQL playground supporting SQLite, MySQL, PostgreSQL, MS SQL Server, and more. Ideal for quickly testing how different databases handle query variations.
55+
56+
### OneCompiler
57+
58+
Online compilers and playgrounds for multiple database systems:
59+
60+
- **MySQL**: [https://onecompiler.com/mysql](https://onecompiler.com/mysql)
61+
- **MongoDB**: [https://onecompiler.com/mongodb](https://onecompiler.com/mongodb)
62+
- **Redis**: [https://onecompiler.com/redis](https://onecompiler.com/redis)
63+
- **PostgreSQL**: [https://onecompiler.com/postgresql](https://onecompiler.com/postgresql)
64+
65+
Excellent for testing how different database systems interpret commands, handle spacing, process comments, and respond to various payload variations.
66+
67+
### DB Fiddle
68+
69+
[https://www.db-fiddle.com](https://www.db-fiddle.com)
70+
71+
Simple interface for running SQL queries against SQLite, MySQL, and PostgreSQL. Includes sample queries and makes it easy to share test cases with others.
72+
73+
### SQL Fiddle
74+
75+
[https://sqlfiddle.com](https://sqlfiddle.com)
76+
77+
Supports a wide range of SQL databases including Oracle, PostgreSQL, MySQL, and SQLite. Useful for testing queries across different database platforms to understand behavior differences.
78+
79+
### PostgreSQL Playground (Aiven)
80+
81+
[https://aiven.io/tools/pg-playground](https://aiven.io/tools/pg-playground)
82+
83+
Free PostgreSQL-specific playground environment. Ideal for testing PostgreSQL-specific attack vectors and command syntax.
84+
85+
### RunSQL
86+
87+
[https://runsql.com](https://runsql.com)
88+
89+
Supports MySQL, PostgreSQL, and SQL Server with a clean interface for testing and learning SQL.
90+
91+
## Encoding and Decoding Tools
92+
93+
Attack payloads often use various encoding schemes to evade detection. These tools help you understand how payloads can be transformed and ensure your rules handle encoded variants.
94+
95+
### URL Encode/Decode
96+
97+
[https://www.urlencoder.org](https://www.urlencoder.org)
98+
99+
Quick URL encoding and decoding. Supports recursive decoding (up to 16 rounds) for payloads that are encoded multiple times. Essential for understanding URL-encoded attack payloads.
100+
101+
### Base64 Encoder/Decoder
102+
103+
[https://aqua-cloud.io/base64-encode-decoder](https://aqua-cloud.io/base64-encode-decoder)
104+
105+
Real-time Base64 encoding/decoding with URL-safe encoding support. Useful for testing API credentials, JWT tokens, and Base64-encoded payloads.
106+
107+
### FusionAuth URL Encoder/Decoder
108+
109+
[https://fusionauth.io/dev-tools/url-encoder-decoder](https://fusionauth.io/dev-tools/url-encoder-decoder)
110+
111+
Encode and decode URL parameters with instant conversion. Helps understand safe transmission of special characters in URLs.
112+
113+
### Toolquix Encode/Decode
114+
115+
[https://toolquix.com/encode-decode](https://toolquix.com/encode-decode)
116+
117+
Multi-format encoding tool supporting ASCII to hex, Base32, ROT13, and more. Useful for testing various encoding transformations that attackers might use.
118+
119+
## XSS and Security Payload Testing
120+
121+
Cross-site scripting (XSS) attacks use various techniques to bypass filters. These resources help you understand XSS vectors and test payload variations.
122+
123+
### PortSwigger XSS Cheat Sheet
124+
125+
[https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
126+
127+
Comprehensive and regularly updated XSS payload reference. Contains vectors designed to bypass WAFs and filters. Essential resource for understanding current XSS techniques and testing rule effectiveness.
128+
129+
### LRQA XSS Payload Generator
130+
131+
[https://www.lrqa.com/en/cyber-labs/cross-site-scripting-xss-payload-generator](https://www.lrqa.com/en/cyber-labs/cross-site-scripting-xss-payload-generator)
132+
133+
Interactive tool for generating XSS payloads with various encoding and obfuscation techniques. Helps test how rules handle different XSS variations.
134+
135+
## HTTP Request Testing Tools
136+
137+
Testing how your rules respond to actual HTTP requests is crucial. These tools help simulate requests and analyze responses.
138+
139+
### HTTPie
140+
141+
[https://httpie.io](https://httpie.io)
142+
143+
Modern, user-friendly command-line HTTP client. More intuitive than curl with JSON support, syntax highlighting, and better output formatting. Great for testing rule behavior with various HTTP requests.
144+
145+
### Hurl
146+
147+
[https://hurl.dev](https://hurl.dev)
148+
149+
Lightweight HTTP testing tool built on libcurl. Allows you to run and test HTTP requests with a simple plain-text format. Excellent for creating repeatable test scenarios.
150+
151+
### ReqBin
152+
153+
[https://reqbin.com/curl](https://reqbin.com/curl)
154+
155+
Online tool for running curl commands without local installation. Useful for quick HTTP request testing and sharing test cases.
156+
157+
### HTTP Header Checker (KeyCDN)
158+
159+
[https://tools.keycdn.com/curl](https://tools.keycdn.com/curl)
160+
161+
Online curl test tool that analyzes HTTP response headers. Useful for understanding how servers respond to different requests and how CRS processes them.
162+
163+
## CRS-Specific Development Tools
164+
165+
These tools are specifically designed for CRS development and are documented elsewhere in this guide.
166+
167+
### crs-toolchain
168+
169+
The CRS developer's toolbelt including the regexp assembler for building optimized regular expressions from data files. See [crs-toolchain documentation]({{% ref "6-2-crs-toolchain.md" %}}).
170+
171+
### go-ftw
172+
173+
Framework for Testing WAFs in Go. Essential for writing and running tests for your rules. See [testing documentation]({{% ref "6-5-testing-the-rule-set.md" %}}).
174+
175+
### Regexp Assembly Syntax Highlighter
176+
177+
Visual Studio Code extension for syntax highlighting of regexp assembly files. Makes it easier to write and maintain regexp data files. Available at [github.com/coreruleset/regexp-assemble-syntax](https://github.com/coreruleset/regexp-assemble-syntax).
178+
179+
For a complete list of CRS development tools including testing frameworks, parsers, and Docker containers, see [Useful Tools]({{% ref "6-6-useful_tools.md" %}}).
180+
181+
## Rule Writing Workflow
182+
183+
Here's a recommended workflow for developing new rules, incorporating many of the tools listed above:
184+
185+
### 1. Understand the Attack
186+
187+
- Research the attack technique you want to detect
188+
- Collect real-world payload examples
189+
- Understand how the payload works in its target context
190+
191+
### 2. Test Payload Behavior
192+
193+
- Use database playgrounds (SQLite Online, OneCompiler, etc.) to understand how databases process the payload
194+
- Test variations: spacing, comments, case sensitivity, encoding
195+
- Note which variations are functionally equivalent and must be detected
196+
197+
### 3. Develop Detection Pattern
198+
199+
- Draft a regular expression to match the attack pattern
200+
- Use regex101.com to test and refine your pattern
201+
- Test against both malicious payloads and legitimate traffic
202+
- Optimize for performance (avoid catastrophic backtracking)
203+
204+
### 4. Consider Evasion Techniques
205+
206+
- Test encoded versions using encoding/decoding tools
207+
- Consider how attackers might obfuscate the payload
208+
- Ensure your pattern handles common bypass techniques
209+
210+
### 5. Decide on Rule Placement
211+
212+
- Determine if this is a new attack requiring a new rule
213+
- Or if it's a variant that should be added to an existing rule
214+
- **Preference**: Extend existing rules when possible rather than creating new ones
215+
216+
### 6. Create or Update Rule
217+
218+
- If extending an existing rule, update the regexp-assemble data file
219+
- Use crs-toolchain to generate the optimized rule
220+
- Follow [contribution guidelines]({{% ref "6-1-contribution-guidelines.md" %}})
221+
222+
### 7. Test Thoroughly
223+
224+
- Write go-ftw tests for your rule
225+
- Test against known attack payloads
226+
- Test against legitimate traffic to minimize false positives
227+
- Test with different payload encodings
228+
- Run the full test suite to ensure no regressions
229+
230+
### 8. Document and Submit
231+
232+
- Document the attack technique your rule detects
233+
- Explain any non-obvious pattern choices
234+
- Submit a pull request following CRS contribution guidelines
235+
236+
## Tips for Effective Rule Writing
237+
238+
- **Start simple**: Begin with basic patterns and add complexity only when needed
239+
- **Test extensively**: Use multiple tools to verify your understanding of attack behavior
240+
- **Consider performance**: Use regex101's performance features to identify slow patterns
241+
- **Think like an attacker**: Use encoding and obfuscation tools to find bypass techniques
242+
- **Minimize false positives**: Test against legitimate traffic patterns
243+
- **Collaborate**: Share your work with the community for feedback
244+
245+
## Additional Resources
246+
247+
- **CRS Contribution Guidelines**: [Section 6.1]({{% ref "6-1-contribution-guidelines.md" %}})
248+
- **Assembling Regular Expressions**: [Section 6.3]({{% ref "6-3-assembling-regular-expressions.md" %}})
249+
- **Testing the Rule Set**: [Section 6.5]({{% ref "6-5-testing-the-rule-set.md" %}})
250+
- **OWASP Testing Guide**: [owasp.org/www-project-web-security-testing-guide](https://owasp.org/www-project-web-security-testing-guide)
251+
252+
## Contributing to This Page
253+
254+
If you know of other useful tools for rule writers, please open an issue or submit a pull request at [github.com/coreruleset/documentation](https://github.com/coreruleset/documentation).
255+
256+
---
257+
258+
**Sources:**
259+
- [regex101](https://regex101.com/)
260+
- [RegExr](https://regexr.com/)
261+
- [Debuggex](https://www.debuggex.com/)
262+
- [ExtendsClass Regex Tester](https://extendsclass.com/regex-tester.html)
263+
- [SQLite Online](https://sqliteonline.com/)
264+
- [OneCompiler](https://onecompiler.com/)
265+
- [DB Fiddle](https://www.db-fiddle.com/)
266+
- [SQL Fiddle](https://sqlfiddle.com/)
267+
- [PostgreSQL Playground](https://aiven.io/tools/pg-playground)
268+
- [RunSQL](https://runsql.com/)
269+
- [URL Encoder](https://www.urlencoder.org/)
270+
- [Aqua Cloud Base64 Encoder](https://aqua-cloud.io/base64-encode-decoder/)
271+
- [FusionAuth URL Encoder](https://fusionauth.io/dev-tools/url-encoder-decoder)
272+
- [Toolquix Encode/Decode](https://toolquix.com/encode-decode)
273+
- [PortSwigger XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
274+
- [LRQA XSS Payload Generator](https://www.lrqa.com/en/cyber-labs/cross-site-scripting-xss-payload-generator/)
275+
- [HTTPie](https://httpie.io/)
276+
- [Hurl](https://hurl.dev/)
277+
- [ReqBin](https://reqbin.com/curl)
278+
- [KeyCDN HTTP Header Checker](https://tools.keycdn.com/curl)
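Review bot: the Base64 Encoder/Decoder entry ("Useful for testing API credentials, JWT tokens, and Base64-encoded payloads") needs a caveat that every tool in the Encoding and Decoding section is a third-party hosted service, so real credentials, tokens or captured customer traffic must never be pasted into them; suggest adding a sentence to that entry, or one line under the section intro, saying to use only synthetic test values there and a local command-line tool for anything sensitive. Two smaller points in the same hunk: the ExtendsClass sentence "Features visualization of matches and helpful for testing regex across different platforms." does not parse, suggest "Visualizes matches and is helpful for testing regex across different platforms."; and the trailing **Sources:** list repeats every URL already linked in the body, with inconsistent trailing slashes (`https://regex101.com/` in Sources vs `https://regex101.com` in the body), so either drop the list or make the two sets of links match.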
