Blogs

CRS Project News September 2018

We skipped the monthly news in August as the 3.1-RC release had been delayed into September. But here we go again with the mostly monthly newsletter of the CRS project. The most important news is the publication of release candidate 1 for CRS 3.1.

What has happened in recent weeks

CRS 3.1 RC1 has been released. The most important changes:
- Protections against common Java attacks
- Support for blocking in one paranoia level while logging in a higher level
- More pre-made exclusion packs for popular web applications
- Reconstructed and improved SQL injection protections
- Various bug fixes and optimizations
Announcement: http://web.archive.org/web/20230830054004/https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2018-September/002586
Download: https://github.com/coreruleset/coreruleset/releases/tag/v3.1.0-rc1

The development has been moved to the 3.2/dev branch; some changes will be backported to 3.1. Link: https://github.com/coreruleset/coreruleset

Interview with CRS project co-lead Christian Folini on the AppSec podcast. Link: https://coreruleset.org/20180809/appsec-podcast-interviewing-crs-project-co-lead-christian-folini/

Webinar on ModSecurity and CRS3 with Owen Garrett, Head of Products at NGINX: the webinar covered installation of ModSec3 and CRS3, but also integration and tuning for false positives and performance. It can be watched on demand after registration (link no longer available).

There is a missing feature in ModSecurity 3.0.x that makes it choke on the upcoming CRS 3.1 release. There is an official patch available and the development tree of ModSecurity has the fix, but Trustwave has not yet released a new ModSecurity version containing it. This may mean that users of the officially released ModSecurity 3 software will fail to run CRS 3.1 after our release. Link: https://github.com/SpiderLabs/ModSecurity/issues/1797

Maxmind, the company behind the popular GeoIP database used by ModSecurity, has ceased to release the legacy format of the database. ModSec 2.9 only supports this legacy version, so users are in a bad position. CRS developer Christoph Hansen posted on the ModSec mailing list that he was able to transpose the new GeoIP database into the old format so he could continue to use it. A blog post is in the making. Link: https://github.com/SpiderLabs/ModSecurity/issues/1727#issuecomment-423612546

The OWASP Slack changed the place to get invites. If you want to join us, please get in touch via mail and we'll send you the link. OWASP says they are overhauling the setup.

Significant pull requests that were merged

Development has been shifted to the new 3.2 branch, which has been declared master.

Walter Hop contributed 2 new strings to the list of Java Struts namespaces for use in the new 944130 rule. Link: https://github.com/coreruleset/coreruleset/pull/1177

Other than that, everybody is waiting for new issues popping up with the 3.1-RC release, but it has been quiet on that front so far.

Things that are meant to happen in the coming weeks

We plan to release CRS 3.1 in October unless we see any road blockers.

There is a strange bug that a PL2 rule among the new Java rules in CRS 3.1-RC1 triggers. If it is a bug, it's rather a ModSecurity bug, but it's completely unclear how this is happening, as reproduction has been very cumbersome so far. What is clear is that it happens in connection with chunked transfer encoding of JSON payloads at PL2 and higher. So it is a rather peculiar situation that is relatively rare. Link: https://github.com/coreruleset/coreruleset/issues/1185

Important pull requests in the queue

Victor Hora discovered typos in CRS variable names, and a discussion about streamlining lower- and uppercase variable names evolved. Link: https://github.com/coreruleset/coreruleset/pull/1187

Franziska Bühler has fixed a relatively annoying bug in the docker image of CRS. Link: https://github.com/coreruleset/coreruleset/pull/1168

TheMiddleBlue suggests adding additional PHP wrappers to our data file. Link: https://github.com/coreruleset/coreruleset/pull/1172

Some Thoughts on why Web Application Firewalls Really Make a Difference

This is a guest piece by Jamie Riden / @pedantic_hacker. Jamie has been doing penetration tests, secure development training and security code review since 2010, and other kinds of computer-wrangling for much, much longer. Having been a systems engineer, a coder and now a pen-tester, I'd like to take a brief moment of your time to talk about layered defenses, specifically why running a web application firewall is a good idea. In my current job I get engaged to do various forms of pen-testing. Relatively often, we turn up something in a web application that could have been prevented in a couple of ways. Last week, for example, I found a lovely old-school OS command injection bug in a single parameter of a reasonably sized website.

AppSec Podcast Interviewing CRS Project Co-Lead Christian Folini

Chris Romeo from the AppSec Podcast did an interview with our own Christian Folini during the AppSecEU conference in July. The 25-minute interview has recently been published. The interview discusses the project itself, the upcoming 3.1 release, plans to expand beyond ModSecurity, and how CRS fits into agile development. Here is the link to the interview: https://www.securityjourney.com/blog/crs-and-an-abstraction-layer-s04e02/

CRS Project News July 2018

We are launching the monthly news anew. The idea is to look beyond pure CRS development again and to bring you additional information that touches on our project. As the editor, I (-> Christian Folini) am planning to release this in the first half of the month. This did not work in July, though, but I have a very cute excuse: she's called Giovanna and she is only a couple of days old. We're going to be a bit earlier in August, but apparently also with less news.

Reporting from the First CRS Community Summit in London

This is brief coverage of the CRS Community Summit during AppSecEU in London last week. Over 25 people followed our call for this first face-to-face meeting of the CRS developer team (6 of 10 developers with commit rights in the same room!) and the community. We were very happy to have several end users, Trustwave representing the ModSecurity development, but also some of the big integrators in the room. There were AviNetworks, BitSensor, cPanel, Fastly, Kemp, Microsoft, NGINX, Verizon, etc. Finally, there were also researchers, a representative from KISA, the Korean Internet Security Agency, and Ivan Ristić, original developer of ModSecurity, for old times' sake.

CRS Community Summit next week: Call for Posters and the Program is Ready

The very first meetup of the CRS community is only one week away now, and it's time to announce our program. As stated here on the blog before, this is meant as an opportunity to build ties, to get inspiration from the community and to understand what people are doing with CRS. So there are going to be talks, but there is also a lot of room for talking and discussion. We are going to do a networking / poster session that lives on your contributions. You are invited to bring along a poster, put it up on the wall in our room, and we will give you time to present it to our audience. We are interested in use cases, success stories or unique approaches to integrating CRS3. Ideas and pitches for new projects within our community are also welcome. Standard flipchart format. Please be aware that you should bring it along in physical form: we can't print it on site. But we will have tape available for you.

The Core Rule Set as Part of DevOps (CI pipeline)

A Web Application Firewall (WAF) raises concerns that it does not fit into the DevOps methodology. The problem is that when a WAF is added to production, the impact on the application is tested too late. The application developer gets extremely late feedback and the WAF could break the application. This can lead to production issues. But what if a WAF is involved in the DevOps process very early on and not just at the end, at production?

Registration Open for the CRS Community Summit on July 4

The organisation of the CRS community summit at the OWASP AppSecEU conference is coming along nicely. Remember, we are going to meet in London on Wednesday, July 4 at 4pm, to talk about CRS, and about the way our users, our integrators and their users work with CRS. The program will include information about CRS 3.1, a recent proposal for a rule meta language above CRS (to give the rule set a wider audience) and the most important thing: Time to meet and talk to fellow users!

Save the Date: CRS Community Summit on July 4, 2018

The OWASP ModSecurity Core Rule Set project will meet on Wednesday, July 4, at 4pm in London to hold its first community summit. We scheduled this for the night before the AppSecEU conference in London on Thursday and Friday so people would have a real incentive to make the trip.

[Figure: London Tower Bridge by night (Photo by Arijit_Roy; flickr)]

Truth be told, the three project leads, Chaim, Walter and I, have never met in person, and physical contact is similarly rare between the committers, let alone the commercial suppliers or the thousands of users worldwide.