OWASP CRS is a cornerstone in the cybersecurity landscape, providing essential protection against web application attacks. With the release of CRS 4 earlier this year, the project has reached new heights in terms of rules and functionality. As the project continues to evolve, the need for long-term support (LTS) becomes crucial to ensure its sustainability and effectiveness. Many organizations are planning a migration of their extensive CRS 3.3 setups to the stronger CRS 4, but they are waiting for an LTS release as a signal that CRS 4 has reached the stability they are seeking for their installation. In this blog post, we explore the significance of CRS 4 LTS and the call for sponsorship to support this essential initiative.
“With child-friendly breaks for families of all ages, there’s something for everyone on a Center Parcs break. Discover the forest and enjoy precious family time together in our picturesque lodges,” reads the description on the Center Parcs website. Does this also apply to open source projects? The OWASP CRS project is about to find out, as the CRS core team is meeting from November 1st to 8th for the annual developer retreat at the Woburn Forest site of this traditional British institution for young family holidays.
The OWASP CRS team is pleased to announce the release of two new CRS versions: v4.8.0 and v3.3.7.
For downloads and installation instructions, please refer to the Installation page.
These are security releases which fix a recently discovered partial request body bypass of CRS. On some platforms running CRS v3.3.6 and earlier on the v3 release line or v4.7.0 and earlier on the v4 release line, it is possible to submit a specially crafted multipart or JSON request whose body content will bypass the inspection of the majority of CRS rules on a default installation. CRS users are strongly encouraged to update to a fixed version to resolve this issue.
Max Leske is not a security expert per se. And maybe that’s exactly what makes him such an important CRS core team member. Max is perhaps the most global member of the team: after a brief detour to the other side of the globe, the Berlin native grew up in the Swiss mountains. In everything he does – and he does a lot – he attaches great importance to having fun. For him, the most important thing about the CRS project is the people.
We are excited to announce Swiss IT security specialist United Security Providers (USP) as new Gold Sponsor of OWASP CRS. As a software manufacturer and specialist for application and network security products, USP has been using CRS for a long time: it is an important component of the company’s commercial web access management solution.
“With their enhancements and bug fixes, our developers contribute to the further development of the project and thus give something back to the community,” emphasizes Christoph Koch, CEO at USP. “An even closer exchange between our software developers and the CRS project team is equally beneficial for both sides. The CRS benefits from the experience of our developers in customer contact and we can pass on the power of the open-source community to our customers. In this way, we complement each other.” For USP, supporting the CRS project underlines its strategic importance in maintaining the quality and security of its own products at the highest level.
We have recently released version 4.6.0 for CRS 4, fixing a serious problem. As this problem affects CRS 3 as well, we also did a backport release for v3 (3.3.6). All users are requested to update to the new releases.
The new releases tackle two multipart file upload bypass methods that were reported by @luelueking:
Wrapping the Content-Disposition with non-printable characters like \x0e (e.g. “%0e Content-Disposition %0e”) may allow the header to go undetected by the WAF engine as it may not be correctly parsed.
Inserting the character \ in a filename (e.g. “1.j\s\p”) may let the filename go undetected.
The fixes introduced in both versions are the same:
The 2024 OWASP Waspy Awards winners are here – and CRS co-leader Felipe Zipitría has been awarded “Project Person of the Year”! This win is a well-earned confirmation for Felipe’s hard work for the CRS project and the open-source community in general.
The purpose of the WASPY Awards is to bring recognition to those individuals who are passionate about OWASP, who contribute hours of their own free time to the organization to help improve the cyber-security world, yet seem to go unrecognized. Individual members of the OWASP Foundation were invited to vote by e-mail.
Further winners of a WASPY are Martin Knobloch (Chapter Person of the Year) and Shruti Kulkarni (Event Person of the Year).
We had previously announced the date and the location of our 2024 community summit. But it’s about time to start the formal registration so we can finalize our planning.
We’re meeting on Wednesday, June 26 at the Hyatt Regency for the 2024 CRS Community Summit. This is right next to the Lisbon Conference Center, where the OWASP AppSec conference is happening Thursday and Friday.
Programming and entrepreneurship run in Jozef Sudolsky’s family. When he’s not working for his own web hosting company or for the CRS project, you can find him working out at the gym or in his large garden – or just playing with his daughter. His office is at the same time his daughter’s playroom.
The CRS project will once again hold its Community Summit the day before OWASP’s Global AppSec Conference – this year in the capital of Portugal.
The whole CRS community – users, developers, integrators, and sponsors – is invited to meet on Wednesday, June 26 for an exchange of thoughts, technical talks, and networking.
The program is still in the making. We plan a variety of talks about CRS 4, ModSecurity and Coraza. The following items will be part of the summit program: