MODSECURITY WAF RULE WRITING

How to write a custom WAF rule to block new attacks on a web application

  1. First, identify the security issue: the payload or technique that the WAF currently fails to detect.
  2. Based on that payload, develop a regex pattern that matches it (and its obvious variants) without matching normal traffic.
  3. Write a new rule around that regex, following ModSecurity syntax.
  4. Save the rule as a .conf file and include it from the directory that holds the default rules.
  5. Restart the Apache server and test the new rule against both the bypass payloads and legitimate requests.

Security Issue Overview:

  1. Test the WAF rule sets, i.e. the free Comodo WAF rules or the OWASP CRS rules, against a vulnerable web application and identify the security issues in their rules.
  2. While testing the free Comodo WAF rules, I found a loophole that allows a user to bypass the SQL injection rules.

  3. These are the payloads that the free Comodo WAF rules failed to detect. In each one `#` starts a MySQL comment that discards the rest of the original query, and `/*! ... */` is a MySQL version comment whose contents MySQL executes, so `/*!or*/` is a live OR that a rule matching only the bare keyword never sees:

     ```
     ' /*!or*/1=1#
     ' /*!order*/ By 1#
     ' || 1=1#
     ' &&  1=1#
     ' /*!||*/ 1=1#
     ' /*!&&*/  1=1#
     ```
    
  4. Fix the identified security issue by writing a custom WAF rule.
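Below, as an added example that is not the project's own rule file, is one way to carry out steps 2 to 5 of the procedure above for the payloads listed under Security Issue Overview: a Python script that holds the regex, checks it against the six bypass payloads and a set of constructed benign inputs after approximating the rule's transformation chain (urlDecodeUni, lowercase, compressWhitespace), and prints the ModSecurity 2.x SecRule that carries the same regex. The rule id 900100, the ARGS|ARGS_NAMES targets, the message text and the benign inputs are assumptions; the regex also covers numbered version comments such as `/*!50000select*/`, which goes beyond the six payloads shown.

```python
"""Regex for the MySQL version-comment / boolean-operator SQLi bypasses listed
above, plus the ModSecurity 2.x SecRule that carries it.

Added example, not the original project's rule file.  RULE_ID, the targets,
the message and the benign sample inputs are assumptions chosen for
illustration.
"""
import re
import urllib.parse

# Pattern 1: a MySQL version comment (/*!...*/, optionally /*!50000...*/) whose
# body starts with a SQL keyword or a boolean operator.  MySQL executes the
# body, so "/*!or*/1=1" is a live OR that a plain keyword regex never sees.
# Pattern 2: a quote or closing parenthesis followed by || or && (C-style
# aliases for OR/AND) in front of a comparison such as 1=1.
PATTERN = (
    r"(?i)(?:/\*!\d*\s*(?:(?:or|and|order|union|select)\b|\|\||&&)[^*]*\*/"
    r"|[')]\s*(?:\|\||&&)\s*\w+\s*(?:=|<>|!=)\s*\w+)"
)
_RX = re.compile(PATTERN)

RULE_ID = 900100  # assumption: choose an id range not used by your other rule sets

# t:removeComments is deliberately absent: it would strip /*! ... */ from the
# inspected value, hiding exactly the tokens this rule matches on.
SECRULE = (
    f'SecRule ARGS|ARGS_NAMES "@rx {PATTERN}" \\\n'
    f'    "id:{RULE_ID},\\\n'
    "    phase:2,\\\n"
    "    deny,status:403,log,\\\n"
    "    t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,\\\n"
    "    msg:'SQLi bypass: MySQL version comment or ||/&& boolean operator',\\\n"
    "    severity:'CRITICAL'\"\n"
)

# The six payloads from the Security Issue Overview.
BYPASS_PAYLOADS = [
    "' /*!or*/1=1#",
    "' /*!order*/ By 1#",
    "' || 1=1#",
    "' &&  1=1#",
    "' /*!||*/ 1=1#",
    "' /*!&&*/  1=1#",
]

# Constructed benign inputs that an over-broad regex would wrongly block.
BENIGN_INPUTS = [
    "O'Reilly",
    "rock && roll",
    "a || b",
    "x=1 && y=2",
    "order by name",
    "/* plain C comment */ 42",
    "don't && x=1",
]


def transform(value: str) -> str:
    """Approximate the rule's transformation chain on one argument value:
    urlDecodeUni (%xx and + decoding; %uXXXX is not modelled here),
    lowercase, and compressWhitespace (any whitespace run becomes one space)."""
    value = urllib.parse.unquote_plus(value)
    value = value.lower()
    return re.sub(r"\s+", " ", value)


def is_sqli(value: str) -> bool:
    """True if the transformed value matches the rule's regex."""
    return _RX.search(transform(value)) is not None


def check_rule() -> dict:
    """Return which bypass payloads are missed and which benign inputs are
    wrongly flagged; both lists must be empty before the rule is deployed."""
    return {
        "missed": [p for p in BYPASS_PAYLOADS if not is_sqli(p)],
        "false_positives": [b for b in BENIGN_INPUTS if is_sqli(b)],
    }


if __name__ == "__main__":
    print(check_rule())  # expected: {'missed': [], 'false_positives': []}
    print(SECRULE)       # paste into a .conf file under the rules directory
```

Run the script, save the printed SecRule as a .conf file in the rules directory, and restart Apache. The transformation chain leaves out t:removeComments on purpose: ModSecurity would strip the `/*! ... */` comment from the value it inspects while MySQL executes its contents, so the rule would never see the token it matches on. A regex that passes this check still has to be re-tested against the vulnerable application, because ModSecurity inspects the decoded parameter as it arrives in the request, not the string typed into the form.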

Demo video: testing the free Comodo WAF rules


Demo video: writing a custom rule, using a regular expression, to block the payloads identified during testing

References:

  1. ModSecurity
  2. Kali Linux
  3. Debuggex
  4. OWASP Mutillidae vulnerable web application