Christian Folini

Announcement: OWASP ModSecurity Core Rule Set Version 3.1.1

The OWASP ModSecurity Core Rule Set team is pleased to announce the CRS release v3.1.1. This is a minor release fixing a Regular Expression Denial of Service weakness (CVE-2019-11387) as well as some minor bugs and false positives. The CVE is only affecting users of the libModSecurity 3 release line and only under special circumstances. …

CRS Project News May 2019

We are back with the CRS project news. There was not too much to talk about in recent weeks, but now there is real content. So here we go. What has happened in recent weeks Security researcher Somdev Sangwan has looked into Regular Expression Denial of Service attacks. It is a more or less well …

Regular Expression DoS weaknesses in CRS

Somdev Sangwan has discovered several Regular Expression Denial of Service (ReDoS) weaknesses in the rules provided by the CRS project. They are listed under the following CVEs: CVE-2019-11387, CVE-2019-11388, CVE-2019-11389, CVE-2019-11390, CVE-2019-11391. The fact that CRS is affected by ReDoS is not particularly surprising and truth be told, we knew that was the case. We …

Announcement: OWASP ModSecurity Core Rule Set Version 3.1.0

The OWASP Core Rule Set team is happy to announce the CRS release v3.1.0 at last. A wee bit over 2 years in the making, this major release represents a big step forward in terms of capabilities, usability and protection. Key features include: * A new set of rules defending against Java injections * Initial …

Some Thoughts on why Web Application Firewalls Really Make a Difference

This is a guest piece by Jamie Riden / @pedantic_hacker. Jamie has been doing penetration tests, secure development training and security code review since 2010 – and other kinds of computer-wrangling for much, much longer. Having been a systems engineer, a coder and now a pen-tester, I’d like to take a brief moment of your …
