December 14, 2017
By
Christian Folini
(netnea)
Back in August and September, Chaim Sanders introduced FTW, a Framework to Test WAFs, via two blog posts. Existing unit testing frameworks are not really suitable for this purpose: they do not grant you enough control over the requests, and the ability to inspect the WAF log has to be bolted on. Chaim teamed up with Zack Allen and Christian Peron from Fastly to create it, so FTW was developed with exactly our use case in mind.
December 12, 2017
By
Chaim Sanders
This is the CRS newsletter covering the period from Early November until today.
We held our monthly community chat. We had quite a few people stop by. Special thanks to lifeforms for leading the chat.
lifeforms, emphazer, franbuehler, spartantri, fzipi, hamlet_
Our agenda from before the chat is available here. We had a short chat, during which we discussed the following:
@dune73 will be attending German Open Source Business Awards.
December 7, 2017
By
Christian Folini
(netnea)
The OWASP ModSecurity Core Rule Set Project is very excited about winning one of the OSBAR awards of the German Open Source Business Alliance. The prize is awarded to projects, start-ups and outstanding ideas from the open source environment. The increased attention should make it easier for the award winners to attract users, developers and supporters.
CRS hackers Christian Folini and Franziska Bühler with the OSBAR award trophy (photo Fridolin Zurlinden)
December 7, 2017
By
Christian Folini
(netnea)
Feisty Duck announced two new ModSecurity / Core Rule Set courses:
Zurich, February 19/20, 2018
Frankfurt, March 5/6, 2018
Additional trainings in Spring are likely to happen in Geneva and Amsterdam (on popular request).
Additionally, teacher Christian Folini will also be holding a ModSecurity on NGINX webinar with O’Reilly on January 9. The subscription is not yet online, but will be announced shortly (I plan to update this blog post with the link as soon as it is available).
November 21, 2017
By
Christian Folini
(netnea)
The new edition of the OWASP Top Ten list mentions ModSecurity and the OWASP ModSecurity Core Rule Set for the first time.
Let me explain to you what the Core Rule Set does and how it can help you protect your services from these risks.
The CRS - short for OWASP ModSecurity Core Rule Set - is a set of generic attack detection rules. They are meant for use with ModSecurity or compatible web application firewalls.
November 9, 2017
By
Franziska Buehler
Introduction
I would like to explain my work disassembling highly optimized regular expressions. A project like this might discourage many people, but to me, it is very exciting work! I like this kind of investigative work and want to explain what, exactly, I did, why I did it and how!
What’s the problem?
The SQLi rules in the core rule set consist of 43 rules. 25 of them have been optimized with the Perl module Regexp::Assemble.
November 7, 2017
By
Chaim Sanders
This is the CRS newsletter covering the period from Early October until today.
We held our monthly community chat. We had quite a few people stop by. Special thanks to our active participants:
dune73, fzipi, csanders, franbuehler, emphazer, spartantri, luketheduke, techair, jose_, airween, athmane, bostrt
During the chat we discussed the following:
Promotion of 3 heavy contributors to developers (@fgsch, @fzipi and @spartantri). Docs will be updated to reflect their promotion. Congrats and thank you!
October 3, 2017
By
Chaim Sanders
This is the CRS newsletter covering the period from Early September until today.
We held our monthly community chat. We had quite a few people stop by. Special thanks to our active participants:
dune73, fzipi, csanders, franbuehler, lifeforms, emphazer, fgs, squared, spartantri, ossie, buddyleer
During the chat we discussed the following:
We will be moving our agenda document to GitHub. In this way all active participants will be easily able to add comments and tag PR’s in an efficient manner.
October 3, 2017
By
Christian Folini
(netnea)
The Core Rule Set project (CRS for short) has been nominated for the Swiss DINAcon Awards. I do not think any of you understand what awards I am talking about, so let me explain.
It is hard to promote Open Source Software in Switzerland. This is not necessarily different from any other place, but let’s say there are strong commercial players that effectively block market entry for many open source software projects around here (Christian Folini / @ChrFolini writing this).
September 20, 2017
By
Chaim Sanders
This week we saw the release of another named vulnerability (-_-). This time it was entitled: Optionsbleed. While the name is meant as a reference to Heartbleed, this vulnerability isn’t nearly as far-reaching. The vulnerability only affected Apache hosts with a very particular configuration, and as a result only 0.0466% of the Alexa top one million sites were detected as vulnerable. Additionally, considering that exposing the vulnerability depends on a complex and unusual configuration, it is less likely to be seen on less popular pages, which tend to stick more closely to the stock configuration.