To mitigate false positives, you exclude the affected parameters from being checked for XSS at the Rule Group level. The following is a typical workflow that an administrator follows to handle false positives using Exceptions.
The admin notices that many requests are being denied.
Procedure
- Scanning the App log analytics shows requests from many IPs that were blocked because of the offending `ARGS:img`.
- Clicking the offending parameter opens Analytics and shows that this `ARGS:img` had n denied requests the previous day.
- Admin identifies this as standard functionality within the application (and may confirm with the Dev team).
- Admin clicks Add Exception.
- Admin chooses one or more of the suggested values (IP and/or parameter).
- New Exception (`NONE, "foo/bar_form.php", ARGS:img`) is put in place for the CRS XSS rule group.
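The following is an added example that models the two decisions in the workflow above; it is not the product's own code. It assumes a constructed denied-request log format (timestamp, client IP, URL, rule group, offending target) and an Exception tuple in the `IP, "url", parameter` form shown, where `NONE` is a wildcard. The first function reproduces the Analytics step (denies and distinct IPs per offending target); the second applies the Exception and shows that it suppresses only the XSS check of `ARGS:img` on `foo/bar_form.php`, leaving other URLs, parameters and rule groups protected.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample of denied-request log lines (assumed format:
# timestamp client_ip url rule_group offending_target).
DENIED_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 /foo/bar_form.php XSS ARGS:img
2024-05-01T10:00:04Z 198.51.100.23 /foo/bar_form.php XSS ARGS:img
2024-05-01T10:00:09Z 192.0.2.55 /foo/bar_form.php XSS ARGS:img
2024-05-01T10:01:12Z 203.0.113.7 /search.php XSS ARGS:q
2024-05-01T10:02:30Z 192.0.2.55 /foo/bar_form.php SQLI ARGS:id
"""


def denied_by_target(log_text):
    """Analytics step: per (rule_group, offending target), return
    (number of denied requests, number of distinct client IPs)."""
    counts = Counter()
    ips = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, url, group, target = line.split()
        counts[(group, target)] += 1
        ips[(group, target)].add(ip)
    return {key: (n, len(ips[key])) for key, n in counts.items()}


@dataclass(frozen=True)
class WafException:
    ip: Optional[str]     # None means NONE wildcard (any client IP)
    url: Optional[str]    # None means any URL
    param: str            # offending target, e.g. "ARGS:img"
    rule_group: str       # rule group the exception is attached to, e.g. "XSS"


def parse_exception(text, rule_group):
    """Parse the UI tuple form, e.g. 'NONE, "foo/bar_form.php", ARGS:img'
    (hypothetical parser; the real product stores this differently)."""
    ip_s, url_s, param = [p.strip().strip('"') for p in text.split(",")]
    return WafException(
        ip=None if ip_s.upper() == "NONE" else ip_s,
        url=None if url_s.upper() == "NONE" else url_s.lstrip("/"),
        param=param,
        rule_group=rule_group,
    )


def is_excluded(exc, ip, url, target, rule_group):
    """True when this exception suppresses rule_group's check of `target`
    for a request from `ip` to `url`. Every non-wildcard field must match."""
    return (
        exc.rule_group == rule_group
        and exc.param == target
        and (exc.ip is None or exc.ip == ip)
        and (exc.url is None or exc.url == url.lstrip("/"))
    )


def decide(exceptions, ip, url, target, rule_group, matched):
    """Final verdict for one rule-group match: 'allow' if the rule group
    did not match or an exception covers exactly this case, else 'deny'."""
    if not matched:
        return "allow"
    if any(is_excluded(e, ip, url, target, rule_group) for e in exceptions):
        return "allow"
    return "deny"


if __name__ == "__main__":
    stats = denied_by_target(DENIED_LOG)
    for (group, target), (n, n_ips) in sorted(stats.items()):
        print(f"{group:5} {target:9} denied={n} distinct_ips={n_ips}")

    exc = parse_exception('NONE, "foo/bar_form.php", ARGS:img', "XSS")
    print(decide([exc], "203.0.113.7", "/foo/bar_form.php", "ARGS:img", "XSS", True))
    print(decide([exc], "203.0.113.7", "/search.php", "ARGS:img", "XSS", True))
```

The narrow scope is the point: the same `ARGS:img` value on a different URL, a different parameter on the same form, or a SQLi match on that parameter all still deny, so the exception removes one known false positive rather than weakening the XSS rule group as a whole.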
Results
False positives are handled using Exceptions.