The OWASP ModSecurity Core Rule Set team is pleased to announce the CRS release v3.1.1. This is a minor release fixing a Regular Expression Denial of Service weakness (CVE-2019-11387) as well as some minor bugs and false positives. The CVE is only affecting users of the libModSecurity 3 release line and only under special circumstances. …
Announcement: OWASP ModSecurity Core Rule Set Version 3.1.1 Read More »
We are back with the CRS project news. There was not too much to talk about in recent weeks, but now there is real content. So here we go. What has happened in recent weeks Security researcher Somdev Sangwan has looked into Regular Expression Denial of Service attacks. It is a more or less well …
Somdev Sangwan has discovered several Regular Expression Denial of Service (ReDoS) weaknesses in the rules provided by the CRS project. They are listed under the following CVEs: CVE-2019–11387 CVE-2019–11388 CVE-2019–11389 CVE-2019–11390 CVE-2019–11391 The fact that CRS is affected by ReDoS is not particularly surprising and truth be told, we knew that was the case. We …
We are back with the CRS project news. The news are running very, very late in the month as I’ve been held up with other projects. What has happened in recent weeks Miyuru Sankalpa has started to publish a transformed GeoIP database in the legacy format readable by ModSecurity 2.x under a creative commons. This …
We are back with the CRS project news. We’re attending the Cloudfest Hackathon in March in Germany and we have plans for another CRS Community Summit at the new OWASP AppSec Global conference in Tel Aviv at the end of May (formerly OWASP AppSecEU). What has happened in recent weeks We have reached 1500 stars …
I hope everybody has a few calm days to finish the year. CRS is finishing the year enjoying the 3.1 release and an adjustment to the PHP rules that closes a nasty hole in the detection. What has happened in recent weeks CRS 3.1 has been released bringing new rules to detect Java injections and …
The OWASP Core Rule Set team is happy to announce the CRS release v3.1.0 at last. A wee bit over 2 years in the making, this major release represents a big step forward in terms of capabilities, usability and protection. Key features include: * A new set of rules defending against Java injections * Initial …
Announcement: OWASP ModSecurity Core Rule Set Version 3.1.0 Read More »
The plan is to do this newsletter every month, but it’s already November. The reason is the pending 3.1 release, so I waited for the release to happen and then it did not and suddenly October was over. But now we have a 3.1-RC2 and a strong belief that 3.1 will come out for good …
We skipped the monthly news in August as the 3.1-RC release had been delayed into September. But here we go again with the mostly monthly newsletter of the CRS project. The most important news is the publication of the release candidate 1 for CRS 3.1. What has happened in recent weeks CRS 3.1 RC1 has …
This is a guest piece by Jamie Riden / @pedantic_hacker. Jamie has been doing penetration tests, secure development training and security code review since 2010 – and other kinds of computer-wrangling for much, much longer. Having been a systems engineer, a coder and now a pen-tester, I’d like to take a brief moment of your …
Some Thoughts on why Web Application Firewalls Really Make a Difference Read More »