Hi Blason,
If the Core Rule Set isn't aware that a variable is encoded then it
will not decode it. For example, we generally don't Base64 decode
arguments by default. Doing so would measurably impact performance. We
only perform decoding in rules where it is directly relevant, for
example some of the JavaScript rules perform Base64 decoding where
Base64 encoded values are likely to be encountered.
For use cases like yours, we provide an official CRS plugin to perform
automatic decoding of arguments: the Automatic Decoding Plugin. It can
be found here:
https://github.com/coreruleset/auto-decoding-plugin
Note that this plugin can have a significant performance impact and
should be tested and observed thoroughly if used in production:
“Generic transformations mean a severe performance impact and should
be enabled with caution… [each] parameter at PL4 will bring a whopping
1 + 66 [additional] parameters.”
The auto decoding plugin should cause several CRS rules to match
against the payload you provided in your email, like so:
Anomaly Scores: (Inbound Scores: blocking=41, detection=41,
per_pl=15-10-3-13, threshold=5)…ver "OWASP_CRS/4.0.0-rc1"…
With regards,
Andrew @ CRS Dev Retreat Italy 2022
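To make the point of the reply concrete, here is a small added Python illustration (not CRS or plugin code, and not the rule set's actual matching logic): a single constructed XSS-style rule is run over request arguments once as CRS does by default (raw value only) and once with an extra pass over the Base64-decoded value, which is the effect the Automatic Decoding Plugin adds (in ModSecurity terms, the equivalent of applying the `t:base64Decode` transformation before the rule). The sample arguments, the rule and the "looks like Base64" gate are all assumptions made for this example.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed stand-in for one CRS-style rule (a JavaScript/XSS signature).
# CRS ships hundreds of rules; a single pattern is enough to show the effect.
RULES: Dict[str, re.Pattern] = {
    "xss-script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
}

# Cheap pre-check so the decode attempt only runs on values that could be Base64.
# This gate is an assumption of this example, not how the CRS plugin decides.
_B64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def try_base64_decode(value: str) -> Optional[str]:
    """Decode value as Base64 if it has Base64 shape and yields UTF-8 text, else None."""
    if len(value) < 8 or len(value) % 4 != 0 or not _B64_SHAPE.fullmatch(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_args(args: Dict[str, str], auto_decode: bool) -> List[str]:
    """Return the names of arguments that match a rule, optionally after Base64 decoding.

    With auto_decode=False the rules only see the raw value, as CRS does by
    default. With auto_decode=True each plausible-Base64 value is also checked
    in decoded form, which is what the Automatic Decoding Plugin adds, at the
    cost of an extra decode and rule pass per argument.
    """
    flagged: List[str] = []
    for name, value in args.items():
        views = [value]
        if auto_decode:
            decoded = try_base64_decode(value)
            if decoded is not None:
                views.append(decoded)
        if any(rule.search(v) for v in views for rule in RULES.values()):
            flagged.append(name)
    return flagged


# Constructed sample: a benign field, a plain XSS probe, and the same probe Base64-encoded.
PAYLOAD = "<script>alert(1)</script>"
SAMPLE_ARGS = {
    "q": "search term",
    "comment": PAYLOAD,
    "token": base64.b64encode(PAYLOAD.encode()).decode(),
}

if __name__ == "__main__":
    print("default:      ", inspect_args(SAMPLE_ARGS, auto_decode=False))  # ['comment']
    print("auto-decoding:", inspect_args(SAMPLE_ARGS, auto_decode=True))   # ['comment', 'token']
```

Without decoding, only the plain `comment` argument is flagged and the encoded `token` slips past the rule; with decoding both are caught. The shape check before `b64decode` is the kind of gating that keeps the extra work bounded, but every argument that passes it still costs a decode plus a second rule pass, which is the performance trade-off the reply warns about.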