Blogs
United Security Providers becomes Gold Sponsor of CRS
We are excited to announce Swiss IT security specialist United Security Providers (USP) as new Gold Sponsor of OWASP CRS. As a software manufacturer and specialist for application and network security products, USP has been using CRS for a long time: it is an important component of the company’s commercial web access management solution.
“With their enhancements and bug fixes, our developers contribute to the further development of the project and thus give something back to the community,” emphasizes Christoph Koch, CEO at USP. “An even closer exchange between our software developers and the CRS project team is equally beneficial for both sides. The CRS benefits from the experience of our developers in customer contact and we can pass on the power of the open-source community to our customers. In this way, we complement each other.” For USP, supporting the CRS project underlines its strategic importance in maintaining the quality and security of its own products at the highest level.
CRS versions 4.6.0 and 3.3.6 have been released
We have recently released version 4.6.0 of CRS 4, fixing a serious problem. As the problem affects CRS 3 as well, we also did a backport release for v3 (3.3.6). All users are requested to update to the new releases.
The new releases tackle two multipart file upload bypass methods that were reported by @luelueking:
- Wrapping the Content-Disposition header name in non-printable characters such as \x0e (e.g. “%0e Content-Disposition %0e”) may allow the header to go undetected by the WAF engine, which may not parse it correctly.
- Inserting backslashes into a filename (e.g. “1.j\s\p”) may let the filename go undetected.
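To make the two patterns concrete, here is an added Python example (illustrative detection logic, not the CRS rules and not the ModSecurity or Coraza multipart parser) that walks a constructed multipart/form-data body and flags a Content-Disposition field name padded with non-token bytes such as \x0e, and a filename that contains backslashes. The boundary, the sample parts and all function names are my own.

```python
"""Detect the two multipart evasions described above.

Added example: illustrative detection logic, not the CRS rules and not the
ModSecurity/Coraza multipart parser. Boundary and sample parts are constructed.
"""
import re

# Characters allowed in an HTTP field name (RFC 9110 token). A name containing
# anything else, such as \x0e or a space, is malformed: a strict parser sees no
# Content-Disposition at all, a forgiving one may clean it up and accept it.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# filename="..." with backslash escapes allowed inside the quotes.
FILENAME_RE = re.compile(rb'filename\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)

BOUNDARY = b"----ConstructedBoundary42"


def build_multipart(parts, boundary=BOUNDARY):
    """Assemble a multipart/form-data body from (raw_header_block, payload) pairs."""
    out = b""
    for header_block, payload in parts:
        out += b"--" + boundary + b"\r\n" + header_block + b"\r\n\r\n" + payload + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


def split_parts(body, boundary=BOUNDARY):
    """Split a body into (header_lines, payload) tuples.

    Simplified splitter: a boundary string inside a payload would confuse it.
    """
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        parts.append(([h for h in head.split(b"\r\n") if h], payload.rstrip(b"\r\n")))
    return parts


def lenient_name(raw):
    """What a forgiving parser might do with a field name: drop everything
    outside printable ASCII and lowercase the rest."""
    return bytes(c for c in raw if 0x21 <= c <= 0x7E).lower()


def inspect_multipart(body, boundary=BOUNDARY):
    """Return (part_index, finding, detail) for every suspicious header."""
    findings = []
    for idx, (headers, _payload) in enumerate(split_parts(body, boundary)):
        for line in headers:
            name, sep, value = line.partition(b":")
            if not sep:
                findings.append((idx, "header-without-colon", line))
                continue
            looks_like_cd = lenient_name(name) == b"content-disposition"
            if looks_like_cd and not TOKEN_RE.match(name):
                # e.g. b"\x0e Content-Disposition \x0e": only a lenient parser
                # recognises this part as a file upload.
                findings.append((idx, "padded-header-name", name))
            if looks_like_cd:
                m = FILENAME_RE.search(value)
                if m and b"\\" in m.group(1):
                    # e.g. b"1.j\\s\\p": a backend that strips the escapes stores
                    # 1.jsp while a filename check never saw that extension.
                    findings.append((idx, "backslash-in-filename", m.group(1).replace(b"\\", b"")))
    return findings


# Constructed sample: one benign part and one part per evasion pattern.
SAMPLE_BODY = build_multipart([
    (b'Content-Disposition: form-data; name="note"', b"hello"),
    (b'\x0e Content-Disposition \x0e: form-data; name="file"; filename="shell.jsp"\r\n'
     b"Content-Type: application/octet-stream", b"<% out.println(1); %>"),
    (b'Content-Disposition: form-data; name="file"; filename="1.j\\s\\p"', b"<% out.println(1); %>"),
])

if __name__ == "__main__":
    for idx, kind, detail in inspect_multipart(SAMPLE_BODY):
        print(f"part {idx}: {kind} ({detail!r})")
```

The point of the lenient_name comparison is the parser differential: the detector only raises the padded-name finding when a forgiving reading of the field name would turn it into Content-Disposition, which is exactly the gap between what a strict WAF parser and a tolerant backend see.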
The fixes introduced in both versions are the same:
Felipe named OWASP’s Project Person of the Year 2024
The 2024 OWASP WASPY Awards winners are here – and CRS co-leader Felipe Zipitría has been awarded “Project Person of the Year”! This win is a well-earned confirmation of Felipe’s hard work for the CRS project and the open-source community in general.
The purpose of the WASPY Awards is to bring recognition to those individuals who are passionate about OWASP, who contribute hours of their own free time to the organization to help improve the cyber-security world, yet seem to go unrecognized. Individual members of the OWASP Foundation were invited to vote by e-mail. Further winners of a WASPY are Martin Knobloch (Chapter Person of the Year) and Shruti Kulkarni (Event Person of the Year).
Registration for the OWASP CRS Community Summit 2024 - Lisbon, June 26
We had previously announced the date and the location of our 2024 community summit. But it’s about time to start the formal registration so we can finalize our planning.
We’re meeting on Wednesday, June 26 at the Hyatt Regency for the 2024 CRS Community Summit. This is right next to the Lisbon Conference Center, where the OWASP AppSec conference is happening on Thursday and Friday.
We will start at 09:30 local time in the room Alfama III with coffee and then talks and workshops from 10:00.
Meet the CRS team: Jozef, the cat-loving father from Slovakia
Programming and entrepreneurship run in Jozef Sudolsky’s family. When he’s not working for his own web hosting company or for the CRS project, you can find him working out at the gym or in his large garden - or just playing with his daughter. His office doubles as his daughter’s playroom.
Save the date: CRS Community Summit on June 26 in Lisbon
The CRS project will once again hold its Community Summit the day before OWASP’s Global AppSec Conference – this year in the capital of Portugal.
The whole CRS community – users, developers, integrators, and sponsors – is invited to meet on Wednesday, June 26 for an exchange of thoughts, technical talks, and networking.
The program is still in the making. We plan a variety of talks about CRS 4, ModSecurity and Coraza. The following items will be part of the summit program:
CRS version 4.1.0 released
Last week we released CRS v4.1.0. The new release is the first under the new monthly release schedule and brings a couple of new features and fixes.
It includes quality improvements via better rule linting and fixes for false positives across a handful of rules.
And: new developer Esad Cetiner has joined the team in time for the 4.1 release.
Read the changelog here.
New feature spotlight: Early Blocking
One of the new features added in CRS 4 is Early Blocking. This optional new setting allows blocking decisions to be made earlier than usual.
How it works
CRS request detection rules run in two phases. Phase 1 rules execute after the server has received the HTTP request line and the request headers. Phase 2 rules execute once the request body has been received and parsed. Early Blocking compares the inbound anomaly score against the threshold at the end of phase 1 as well as at the end of phase 2, so a request whose headers alone already score above the threshold is rejected before its body is read.
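The following added Python example (a toy engine of my own, not CRS, ModSecurity or Coraza code) simulates the two phases with a handful of constructed rules and requests. The threshold of 5 mirrors the CRS default inbound anomaly threshold; the rule names, scores and sample requests are assumptions made for the illustration.

```python
"""Toy anomaly-scoring engine showing what Early Blocking changes.

Added example: not CRS, ModSecurity or Coraza code. Rules, scores and the
sample requests are constructed. The threshold of 5 mirrors the CRS default
inbound anomaly threshold, which a single critical match reaches.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Request:
    path: str
    headers: dict
    body: bytes
    body_parsed: bool = False  # flipped when the engine reaches phase 2


@dataclass
class Rule:
    rid: str
    phase: int  # 1 = request line and headers, 2 = request body
    score: int  # CRS-style severities: critical 5, error 4, warning 3, notice 2
    matches: Callable[[Request], bool]


@dataclass
class Decision:
    action: str  # "allow" or "block"
    phase: Optional[int]  # phase in which the block happened, None if allowed
    score: int
    body_parsed: bool  # whether the body had to be read to reach the decision


RULES: List[Rule] = [
    Rule("path-traversal", 1, 5, lambda r: "../" in r.path),
    Rule("missing-user-agent", 1, 2, lambda r: "User-Agent" not in r.headers),
    Rule("sqli-in-body", 2, 5, lambda r: b"UNION SELECT" in r.body.upper()),
]


def evaluate(request: Request, rules: List[Rule], threshold: int, early_blocking: bool) -> Decision:
    """Run phase 1, then phase 2, summing the scores of matching rules.

    Standard mode compares the inbound anomaly score against the threshold
    only at the end of phase 2; early blocking also compares it at the end of
    phase 1, so a request that already scored enough is rejected before its
    body is read and parsed.
    """
    score = 0
    for phase in (1, 2):
        if phase == 2:
            request.body_parsed = True  # the body is only needed for phase-2 rules
        for rule in rules:
            if rule.phase == phase and rule.matches(request):
                score += rule.score
        if score >= threshold and (phase == 2 or early_blocking):
            return Decision("block", phase, score, request.body_parsed)
    return Decision("allow", None, score, request.body_parsed)


def traversal_request() -> Request:
    """Constructed request: all the evidence is in the request line."""
    return Request("/static/../../etc/passwd", {"User-Agent": "curl/8.0"}, b"x=1")


def body_sqli_request() -> Request:
    """Constructed request: clean headers, the payload sits in the body."""
    return Request("/login", {"User-Agent": "curl/8.0"}, b"user=admin' UNION SELECT 1,2--")


def clean_request() -> Request:
    """Constructed benign request."""
    return Request("/login", {"User-Agent": "curl/8.0"}, b"user=alice&pw=secret")


if __name__ == "__main__":
    for early in (False, True):
        for req in (traversal_request(), body_sqli_request(), clean_request()):
            print(f"early_blocking={early} {req.path}: {evaluate(req, RULES, 5, early)}")
```

Running it shows the practical difference: the traversal request is blocked in both modes, but only with early blocking does the decision come in phase 1 with body_parsed still False. A request whose evidence is only in the body is blocked in phase 2 either way, which is why the setting is optional and changes nothing for body-borne attacks.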
The OWASP CRS project mourns the death of Co-Leader Walter Hop
Walter died last week and we are at a loss for words. For CRS, he has been a wonderful friend, a strong colleague, a developer with an impressive knowledge of PHP and WordPress in particular, a very smart thinker and one of very few regex wizards. He was also a dedicated Pokemon Go player and I remember how he would go for walks after hours at IT conferences to hunt for some rare beasts. He enjoyed nature that way, and the occasional catch in remote places.