There is a severe security issue in our rule set. It has been present since the release of CRS 3.1.0 and was recently brought to our attention. Here is the official advisory that we are also publishing as CVE-2021-35368 via MITRE (as usual, MITRE will take a few days until they publish this). Offical Advisory …
CVE-2021-35368 – CRS Request Body Bypass (Update) Read More »
A security problem with the OWASP ModSecurity Core Rule Set has been brought to our attention recently. The CRS team is now working on a fix that will be released on Wednesday as 3.1.2, 3.2.1 and 3.3.2. We will make sure to keep the changeset of these bugfix releases minimal in order to allow fast …
The following is a contributing blog post by Floriane Gilliéron. You can reach Floriane via firstname dot lastname at gmail.com. My Master Thesis from EPFL tackled the challenge of using machine learning to improve the performance of a ModSecurity web application firewall, used with the OWASP Core Rule Set. The initiators of the project were …
A new attempt to combine the CRS with machine learning Read More »
CRS is an open source project that struggles to address the issues reported by the community just like so many other open source communities. Everybody enjoys to develop new features (rules!), but grinding away at solving false positives is not necessarily a favorite past time for us. We are falling behind with providing solutions to …
The OWASP ModSecurity Core Rule Set (CRS) project is proud to announce its first Gold Sponsor: NGINX. CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls that is distributed under an Open Source license. Dubbed the first line of defense, CRS is the most widspread WAF …
If you are running ModSecurity 3 with request body access disabled, then I have some bad news. Please sit down, this will be a while. If you are running ModSecurity 2, or you give the engine access to the request body, then you are not affected. But maybe you want to read this post nevertheless. …
Disabling Request Body Access in ModSecurity 3 Leads to Complete Bypass Read More »
This blog post is about msc_retest, a small family of tools that let you performance test the regular expression engine used inside various ModSecurity versions. As of this writing, the engine is PCRE, but we expect more options in the future.
The OWASP ModSecurity Core Rule Set (CRS) team has identified a Denial of Service vulnerability in the underlying ModSecurity engine. This affects all releases in the ModSecurity v3 release line. The vendor Trustwave Spiderlabs did not release an update yet. However, we are providing users with a patch for ModSecurity and a workaround if they …
CVE-2020-15598 – ModSecurity v3 Affected By DoS (Severity HIGH) Read More »
Let us present msc_pyparser to you. It is a python library that lets you manipulate ModSecurity rules configuration files. ModSecurity has decent capabilities to manipulate rules at runtime, but msc_pyparser lets you manipulate the config files themselves. This is useful in many situations and the longer we use it, the more use cases pop up. …
Tagging rules is a great feature of ModSecurity since it allows you to add information to your ModSec alert messages. In my tutorial on Embedding ModSec over at netnea.com, I use the tag feature in the default action to add a tag to every alert message from a given service. I do this as follows: …