Cloudflare Docs
WAF
Edit this page on GitHub
Set theme to dark (⇧+D)

OWASP evaluation example

The following example calculates the OWASP request threat score for an incoming request. The OWASP managed ruleset configuration is the following:

  • OWASP Anomaly Score Threshold: High - 25 and higher
  • OWASP Paranoia Level: PL3
  • OWASP Action: Managed Challenge

This table shows the progress of the OWASP ruleset evaluation:

Rule IDParanoia levelRule matched?Rule scoreCumulative
threat score
0
...1813a269PL3Yes+55
...ccc02be6PL3No5
...96bfe867PL2Yes+510
...48b74690PL1Yes+515
...3297003fPL2Yes+318
...317f28e1PL1No18
...682bb405PL2Yes+523
...56bb8946PL2No23
...e5f94216PL3Yes+326
(…)(…)(…)(…)(…)
...f3b37cb1PL4(not evaluated)26

Final request threat score: 26

Since 26 >= 25 — that is, the threat score is greater than the configured score threshold — the WAF will apply the configured action (Managed Challenge). If you had configured a score threshold of Medium - 40 and higher, the WAF would not apply the action, since the request threat score would be lower than the score threshold (26 < 40).

The Activity log in Security Events would display the following details for the example incoming request handled by the OWASP Core Ruleset:

Event log for example incoming request mitigated by the WAF&rsquo;s OWASP Core Ruleset

In the activity log, the rule associated with requests mitigated by the Cloudflare OWASP Core Ruleset is the last rule in this managed ruleset: 949110: Inbound Anomaly Score Exceeded, with rule ID ...843b323c . To get the scores of individual rules contributing to the final request threat score, expand Additional logs in the event details.