Blogs

CRS Project News December 2017

This is the CRS newsletter covering the period from early November until today. We held our monthly community chat. We had quite a few people stop by. Special thanks to lifeforms for leading the chat.

Participants: lifeforms, emphazer, franbuehler, spartantri, fzipi, hamlet_

Our agenda from before the chat is available here. We had a short chat; during it we discussed the following:

- @dune73 will be attending the German Open Source Business Awards. Chances look good that CRS will be a top performer. More information can be found here.
- Using t:lowercase versus (?i): performance and best practice. There is currently no definitive answer. A benchmark can be done using ModSecurity debug logs. @spartantri will reach out to contacts to determine the best approach for measuring and update us next meeting.
- There is an excessive number of open PRs and issues. All but three PRs have been assigned reviewers; we have to make a dent this month.
- The Java rules, which are a key feature of 3.1, need some attention. The older versions are available here: https://github.com/coreruleset/coreruleset/blob/95e7e6b3982eca93989c7948faca4a961737eace/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf A new ticket will be opened taking into account the discussions from https://github.com/coreruleset/coreruleset/pull/881/files
- Badging: We may remove the gitter badge because we don’t feel big enough for two chats and IRC is preferred (more discussion next chat). We should investigate other functional badges using https://github.com/OWASP/github-template as an example.
- General question about whether it is possible to determine if a user is accessing via the HOSTS file. It is not.
- Travis and FTW PRs assigned to csanders.
- #957 rule split: move part to PL3 to prevent JSON false positives.
- PR #896: awaiting fgs’ update on the PR. We think if the comments were taken into account it would be a quick and nice merge, but for now it’s stalled. fzipi resolved the conflict on this one.

The next community chats will be held on the following dates:

Core Rule Set Project Won a German OSBAR Award!

The OWASP ModSecurity Core Rule Set Project is very excited about winning one of the OSBAR awards of the German Open Source Business Alliance. The prize is awarded to projects, start-ups and outstanding ideas from the open source environment. The increased attention should make it easier for the award winners to attract users, developers and supporters.

[Photo: CRS hackers Christian Folini and Franziska Bühler with the OSBAR award trophy (photo Fridolin Zurlinden)]

New ModSecurity / CRS Courses Announced

Feisty Duck announced two new ModSecurity / Core Rule Set courses:

- Zurich, February 19/20, 2018
- Frankfurt, March 5/6, 2018

Additional trainings in spring are likely to happen in Geneva and Amsterdam (on popular request). Additionally, teacher Christian Folini will also be holding a ModSecurity on NGINX webinar with O’Reilly on January 9. The subscription is not yet online, but will be announced shortly (I plan to update this blog post with the link as soon as it is available).

The Top 5 Ways CRS Can Help You Fight the OWASP Top 10

The new edition of the OWASP Top Ten list mentions ModSecurity and the OWASP ModSecurity Core Rule Set for the first time. Let me explain what the Core Rule Set does and how it can help you protect your services from these risks. The CRS - short for OWASP ModSecurity Core Rule Set - is a set of generic attack detection rules. They are meant for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks with a minimum of false alerts. The Core Rule Set is thus meant as a 1st line of defense against web application attacks as described by the OWASP Top Ten.

Disassembling SQLi Rules

Introduction

I would like to explain my work disassembling highly optimized regular expressions. A project like this might discourage many people, but to me, it is very exciting work! I like this kind of investigative work and want to explain what, exactly, I did, why I did it and how!

What’s the problem?

The SQLi rules in the Core Rule Set consist of 43 rules. 25 of them have been optimized with the Perl module Regexp::Assemble. This module assembles multiple regular expressions into one regular expression. The source patterns were lost over the years as they were taken from the old CRS project and partly from other projects, and source code management migrations led to the situation we are facing now. Unfortunately, there is no tool for disassembling an optimized regex, so we did not have a chance to undo this optimization process and regain the original patterns.

CRS Project News November

This is the CRS newsletter covering the period from early October until today. We held our monthly community chat. We had quite a few people stop by. Special thanks to our active participants: dune73, fzipi, csanders, franbuehler, emphazer, spartantri, luketheduke, techair, jose_, airween, athmane, bostrt

During the chat we discussed the following:

- Promotion of 3 heavy contributors to developers (@fgsch, @fzipi and @spartantri). Docs will be updated to reflect their promotion. Congrats and thank you!!!
- CRS Summit at AppSecEU in June in Tel Aviv (?). dune73 will set up a project and let us know the status as we move along.
- fzipi spoke at the OWASP Dev Summit about WAF test data.
- A new license is available (https://cdla.io/).
- Testing: FTW is working when used with CRS-support/ftw#14. The PR is awaiting merge but seems to be working well. dune73 plans to write a blog post.
- Idea to update the release poster (with the logo in the center). We had some great press about the poster. Need to check the balance, but Dune73 will finance changes privately. Shooting for AppSecEU.
- Idea to start selling the release poster via a printing service like Redbubble.
- Info: CRS nominated for the German Open Source Business award (https://osbar.it). Everyone is excited; thank you to Dune73 for nominating us.
- Plans for new blog posts: Franbuehler writing up about SQL disassembly, dune73 writing about FTW, csanders-git writing about an Apache vulnerability breakdown.
- [PR #881]: Java Attacks. Will be assigned to csanders-git.
- [PR #884]: SQL injection probing rule split 942370. emphazer is working on a PR for this so it’s in line with franbuehler’s comments.
- [PR #896]: Command substitution backquoted version support. Splitting into two and fixing the conflict when available.
- [PR #899]: Dokuwiki and Nextcloud exclusion packages (work in progress). Will be done when the submitter has time.
- [PR #905]: Duplicated header bypass fix and chunk support. csanders-git and fzipi are going to take the helm on getting this one through.
- [PR #922]: New developers (see above). Merged; need to add other testers also.
- Remove spartantri from 905 as contributor.
- Many PRs / test updates by @azhao155 (which are awesome). This brought up a question about what to do with Apache versus Nginx behaviors when the underlying engine ‘fixes’ an issue. Going to add support for multiple return statuses. This should take care of all the test updates.
- [Issue #924]: Tagging of CVE/CWE. The conversation centered around whether adding these would increase the complexity of writing rules; it may also muddy logs. Everyone agreed additional information would be nice: CVE, CWE, WASC, CAPEC. Pushed the conversation back to the issue with regard to CVE.
- Release 3.1 planning: possible after the Java fixes are done.
- Stickers and maybe shirts (for AppSecEU) using Redbubble. New ModSecv3 t-shirts were made; the current order is empty but more may be coming.

The next community chats will be held on the following dates:

CRS Project News October 2017

This is the CRS newsletter covering the period from early September until today. We held our monthly community chat. We had quite a few people stop by. Special thanks to our active participants: dune73, fzipi, csanders, franbuehler, lifeforms, emphazer, fgs, squared, spartantri, ossie, buddyleer

During the chat we discussed the following:

- We will be moving our agenda document to GitHub. In this way all active participants will easily be able to add comments and tag PRs in an efficient manner. We’ll open the “Agenda Issue” one week before our next meeting.
- There has been a bottleneck in terms of reviews. In order to address this we’ll be assigning responsible contributors to oversee the smooth flow of issues through the PR process. These contributors will be assigned at monthly meetings. Additionally, in order to give more timely feedback we are encouraging the use of GitHub’s reaction system.
- A number of PRs were given responsible overseers:
  #899: Dune73
  #905: lifeforms: should be a quick merge
  #896: lifeforms
  #894: Merged
  #890: Dune73 and lifeforms
  #887: Dune73
  #883: csanders and franbuehler
  #907: franbuehler, emphazer and lifeforms
  #881: lifeforms
  #879: lifeforms: should be a quick merge
  #871: Closed: changes only applied to 3.1
- Some recognition was given to franbuehler for a whopping PR on the disassembly of the SQLi rules (PR #907).
- We are 13% done with the technical milestone work for CRS 3.1. However, given the amount of contributed PRs we will likely release prior to all that work being completed.
- There is interest in starting a project to measure rule performance automatically as part of acceptance testing. This will be undertaken soon.
- Verizon Digital Media Services graciously offered to host coreruleset.org behind their CDN. While we don’t have a tremendous amount of users, we are going to test out the functionality.

The next community chats will be held on the following dates:

CRS Project Nominated for Swiss DINACon Award

The Core Rule Set project (CRS for short) has been nominated for the Swiss DINAcon Awards. I do not think any of you understand what awards I am talking about, so let me explain. It is hard to promote Open Source Software in Switzerland. This is not necessarily different from any other place, but let’s say there are strong commercial players that effectively block market entry for many open source software projects around here (Christian Folini / @ChrFolini writing this).

OptionsBleed Defenses

This week we saw the release of another named vulnerability (-_-). This time it was entitled: Optionsbleed. While the name is meant as a reference to Heartbleed, this vulnerability isn’t nearly as far reaching. The vulnerability only affected Apache hosts with a very particular configuration, and as a result only 0.0466% of the Alexa top one million sites were detected as vulnerable. Additionally, considering that exposing the vulnerability depends on a complex and unusual configuration, it is less likely to be seen on less popular pages, which tend to stick more closely to the stock configuration.

Writing FTW test cases for OWASP CRS

A little background

Last month we announced the general availability of the Framework for Testing WAFs (FTW) version 1.0. You can read the whole post here, but this is only the beginning of the story. With the release of OWASP CRS v3.0 we started integrating a more agile, test driven development methodology that we believe has resulted in better quality output. As of the OWASP CRS 3.0 release, all new rules and most modifications to the rules undertaken will require accompanying unit tests. But how does one use the FTW framework in order to write these tests?