Blogs

CRS Project News October 2017

October 3, 2017 By Chaim Sanders

This is the CRS newsletter covering the period from Early September until today.

We held our monthly community chat. We had quite a few people stop by. Special thanks to our active participants:

  • dune73
  • fzipi
  • csanders
  • franbuehler
  • lifeforms
  • emphazer
  • fgs
  • squared
  • spartantri
  • ossie
  • buddyleer

During the chat we discussed the following

  • We will be moving our agenda document to GitHub. In this way all active participants will be easily able to add comments and tag PR’s in an efficient manner. We’ll open the “Agenda Issue” one week before out next meeting.
  • There has been a bottleneck in terms of reviews. In order to address this we’ll be assigning responsible contributors to oversee the smooth flow of issues through the PR process. These contributors will be assigned at monthly meetings. Additionally, in order to give more timely feedback we are encouraging the system of using Github’s reaction system.
  • A number of PR’s were given responsible overseers:
    • #899: Dune73
    • #905: lifeforms: Should be a quick merge
    • #896: lifeforms
    • #894: Merged
    • #890: Dune73 and lifeforms
    • #887: Dune73
    • #883: csanders and franbuehler
    • #907 franbuehler, emphazer and lifeforms
    • #881: lifeforms
    • #879: lifeforms: should be a quick merge
    • #871: Closed: Changes only applied to 3.1
  • Some recognition was given to franbuehler for a whopping PR on the disassembly of SQLi rules (PR #907)
  • We are 13% done with the technical milestone work for CRS 3.1. However given the amount of contributed PR’s we will likely release prior to all that work being completed.
  • There is interest in starting a project to measure rule performance automatically as part of acceptance testing. This will be undertaken soon.
  • Verizon Digital Media Services graciously offered to host coreruleset.org behind their CDN. While we don’t have a tremendous amount of users, we are going to test out the functionality

The next community chats will be held on the following dates:

CRS Project Nominated for Swiss DINACon Award

October 3, 2017 By Christian Folini (netnea)

The Core Rule Set project (CRS for short) has been nominated for the Swiss DINAcon Awards. I do not think any of you understand what awards I am talking about, so let me explain.

It is hard to promote Open Source Software in Switzerland. This is not necessarily different from any other place, but let’s say there are strong commercial players that effectively block market entry for many open source software projects around here (Christian Folini / @ChrFolini writing this).

OptionsBleed Defenses

September 20, 2017 By Chaim Sanders

This week we saw the release of another named vulnerability (-_-). This time it was entitled: Optionsbleed. While the name provided is meant in reference to Heartbleed, this vulnerability isn’t nearly as far reaching. The vulnerability only affected Apache hosts with a very particular configuration and as a result only 0.0466% of the Alexa top one million sites were detected as vulnerable. Additionally, considering the requirements for exposing the vulnerability is dependent on a complex and unusual configuration it is less likely to be seen on less popular pages that tend to stick more closely to stock configuration.

Writing FTW test cases for OWASP CRS

September 15, 2017 By Chaim Sanders

A little background

Last month we announced the general availability of the Framework for Testing WAFs (FTW) version 1.0. You can read the whole post here, but this is only the beginning of the story. With the release of OWASP CRS v3.0 we started integrating a more agile, test driven development methodology that we believe has resulted in better quality output.

As of the OWASP CRS 3.0 release, all new rules and most modifications to the rules undertaken will require accompanying unit tests. But how does one use the FTW framework in order to write these tests?

How You Can Help the CRS Project

September 13, 2017 By Christian Folini (netnea)

When I looked into my inbox lately, I found a very kind message where a new user asked how he could support the project. He had listened to a clip on the OWASP 24/7 podcast, got really excited and was now installing CRS3.

I responded with a fairly lengthy message covering all the areas where I think his support would be welcome if not vital. On a second thought, there might be more people who are wondering how to join us, so why not publishing my response if it is of such a general nature.

CRS Project News September 2017

September 7, 2017 By Christian Folini (netnea)

This is the CRS newsletter covering the period from mid August until today.

What has happened during the last few weeks:

  • We held our community chat last Monday. Chaim was high in the air so we were only six of us, but Manuel was back so I get the feeling we are slowly growing the project. The big project administration and governance discussions seem to be over for the moment. So we spent a lot of time talking about development, possible roadblocks and code policies.
    The next community chats will be held on the following dates:

Running CRS rules only on certain parameters

August 21, 2017 By Kirk Jackson

Hi, I’m a newcomer to the ModSecurity community and am currently learning about how ModSecurity works with the Core Rule Set and can be used to perform “Virtual Patches” against vulnerable web applications. I have learnt lots reading the rules in the CRS and reading the ModSecurity Handbook written by Christian Folini and Ivan Ristić.

The OWASP ModSecurity Core Rule Set has a lot of protections for common web attacks built in, and is tuned to cause a minimum of false alerts. Use the guidance in the documentation, a high anomaly score threshold, a low paranoia level setting and you’re unlikely to have legitimate traffic blocked when you first install and set up ModSecurity with the CRS.

CRS Project News August 2017

August 15, 2017 By Christian Folini (netnea)

This is the CRS newsletter covering the period from July until today.

What has happened during the last few weeks:

    • We held our community chat last Monday. We have been eight people including Manuel Spartan who participated on the development of the paranoia mode.
      The big topic was disassembly of the optimized regular expressions that are very hard to read. See below for details.
      The next community chats will be held on the following dates:
      - Sep 4, 2017, 20:30 CEST (14:30 EST, 19:30 GMT)
      - Oct 2, 2017, 20:30 CEST
      - Nov 6, 2017, 20:30 CET
      - Dec 4, 2017, 20:30 CET
      • The OWASP ModSecurity Core Rule Set 3.0.2 is still the latest stable version. We talked about an eventual 3.1 version in the chat, but we agreed that we are far from that and that we want to add a substantial set of new features to make transition worthwhile for users.
      • ModSecurity 2.9.2 came out on July 19. Among several bugfixes, it brings an updated libinjection support that helped CRS close a few holes. See this CRS issue for an example:
        https://github.com/coreruleset/coreruleset/issues/797
        We recommend all users to update to 2.9.2. AFAICS there are no backported packages for the major distros yet, so this is only viable for those users compiling themselves.
      • Summer holidays are taking their toll and we are quite behind with the inclusion of pull requests. This brings us to a very high number of 10 open pull requests. Most of them have been reviewed, but they have not yet been incorporated.
      • A PR that is still in preparation, but almost done is a big disassembly of over 2 dozens of the complex regular expressions that are so hard to read in the CRS. Look at this beauty for example:
        https://github.com/coreruleset/coreruleset/blob/v3.0/master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#L589
        The point is these rules are very old, they are machine generated with the help of an ancient perl module optimizing regular expressions for performance and the sources / original regular expressions are long gone. To add to the problem, some of the rules have been edited by hand afterwards so there is just no telling what they really do. It takes a rule archaeologist to reconstruct the original sources. Franziska Bühler took over this task and it seems she got to the bottom of all the complex SQLi regexes within a couple of weeks.
        The idea is now a PR to add the sources to util/regexp-assemble. This would then allow us to consolidate / optimize the regular expressions.
      • Believe it or not: We got the new logo for the project. As we kind of expected it took longer than expected, but it’s done now and it sure looks cool. Expect a separate announcement very soon.
        This also holds true for the website which is ready and only waits for the logo for the real announcement.
      • OWASP London invited me to present my CRS3 intro presentation that I held in Belfast for AppSecEU. This took place on July 27 and according to the audience it was a big success. Here are a few photos taken after the presentation when I signed the new ModSecurity Handbook and then in the pub nearby:

Upcoming Stuff

  • OWASP Switzerland is also hosting CRS introduction talk. This is happening on Wednesday, August 16 in Zurich at 6pm.
    Here are the details:
    https://www.meetup.com/de-DE/OWASPSwitzerland/events/241771446/
  • There are still a few seats available for the Apache / ModSecurity / CRS courses in October. One in London, one in Zurich.
    https://www.feistyduck.com/training/modsecurity-training-course
  • There is now a plan to run a real poll where CRS users can vote on feature requests. There are a ton of feature requests recorded on github, but we really are a bit at a loss on what people are really interested in. Stay tuned to learn more about this.

I have been on a holiday for two weeks and it is likely, I overlooked things on the mailinglists and on github. Feel free to speak up and respond to this message highlighting the omissions.

Testing WAFs, FTW Version 1.0 released

August 10, 2017 By Chaim Sanders

The OWASP Project maintains an open source set of rules known as the the OWASP Core Rule Set (CRS). The CRS implements protections for the well known, broad classes of web application vulnerabilities identified by OWASP. Over time, this set of rules has become the most popular ruleset for ModSecurity and also found its way into many other popular WAFs.

During this same timeframe we have seen Quality Assurance (QA)/DevOps techniques adjust to new Agile development methodologies. To a large extent this Agile pattern matches the historical development practices of CRS. As a result, during the development of the latest CRS version 3.0, the development team decided that a serious overhaul of the regression/unit tests was overdue. While some existing Perl regression tests existed, these were incomplete and considered difficult for the average user to run. The CRS development team also concluded that a more refined testing methodology commits to a higher quality product and allows for a demonstration of the effectiveness of OWASP CRS compared to many other rule sets and WAFs.

ModSecurity version 2.9.2 released

August 10, 2017 By Walter Hop

Trustwave has released ModSecurity version 2.9.2.

This is an important update for users of the Core Rule Set. To detect SQL and XSS injections, CRS relies in part on the libinjection library by Nick Galbreath. This library is bundled with ModSecurity. It is regularly updated to address new types of injections. Therefore, to have optimal protection against SQL and XSS injections, you should always keep ModSecurity updated.

The update also fixes two security vulnerabilities and contains various other improvements.