Blogs

Writing FTW test cases for OWASP CRS

A little background

Last month we announced the general availability of the Framework for Testing WAFs (FTW) version 1.0. You can read the whole post here, but this is only the beginning of the story. With the release of OWASP CRS v3.0 we started moving to a more agile, test-driven development methodology, which we believe has resulted in better quality output. As of the OWASP CRS 3.0 release, all new rules, and most modifications to existing rules, must come with accompanying unit tests.
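To make the requirement concrete, here is an added example of what such an FTW test file looks like; it is written for this page and is not a test file taken from the CRS repository. It targets rule 942100 (the libinjection-based SQL injection rule of CRS 3) and assumes an FTW-driven ModSecurity/CRS instance reachable at 127.0.0.1:80 with the audit log enabled; the author name, the request payloads and the file name are constructed for the example.

```yaml
---
# Added example FTW test file (not from the CRS repository).
# One file per rule, one or more test cases per file.
meta:
  author: "example-author"          # constructed placeholder
  enabled: true
  name: "942100.yaml"               # constructed file name
  description: "Positive and negative tests for CRS rule 942100 (libinjection SQLi)"
tests:
  # Positive test: a classic SQL injection payload in a POST body must trigger 942100.
  - test_title: 942100-1
    desc: "SQL injection via libinjection must be logged"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"  # assumed local test target
            port: 80
            headers:
              User-Agent: "ModSecurity CRS 3 Tests"
              Host: "localhost"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            uri: "/"
            data: "var=1' OR '1'='1"   # constructed payload
          output:
            # FTW greps the ModSecurity audit/error log for this string.
            log_contains: "id \"942100\""
  # Negative test: a benign parameter value must NOT trigger the rule.
  - test_title: 942100-2
    desc: "Plain text must not be flagged as SQL injection"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            headers:
              User-Agent: "ModSecurity CRS 3 Tests"
              Host: "localhost"
              Content-Type: "application/x-www-form-urlencoded"
            method: "POST"
            uri: "/"
            data: "var=hello world"    # constructed benign input
          output:
            no_log_contains: "id \"942100\""
```

The pairing matters: a rule change that keeps the positive test green but breaks the negative one is a false-positive regression, which is exactly what the test-driven workflow is meant to catch before a release.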

How You Can Help the CRS Project

When I looked into my inbox recently, I found a very kind message in which a new user asked how he could support the project. He had listened to a clip on the OWASP 24/7 podcast, got really excited and was now installing CRS3. I responded with a fairly lengthy message covering all the areas where I think his support would be welcome, if not vital. On second thought, there might be more people wondering how to join us, so why not publish my response, since it is of such a general nature.

CRS Project News September 2017

This is the CRS newsletter covering the period from mid-August until today. What has happened during the last few weeks: We held our community chat last Monday. Chaim was in the air, so there were only six of us, but Manuel was back, so I get the feeling we are slowly growing the project. The big project administration and governance discussions seem to be over for the moment, so we spent a lot of time talking about development, possible roadblocks and code policies.

Running CRS rules only on certain parameters

Hi, I’m a newcomer to the ModSecurity community and am currently learning how ModSecurity works with the Core Rule Set and how it can be used to apply “virtual patches” to vulnerable web applications. I have learnt a lot reading the rules in the CRS and reading the ModSecurity Handbook written by Christian Folini and Ivan Ristić. The OWASP ModSecurity Core Rule Set has a lot of built-in protections against common web attacks, and it is tuned to cause a minimum of false alerts.

CRS Project News August 2017

This is the CRS newsletter covering the period from July until today. What has happened during the last few weeks: We held our community chat last Monday. There were eight of us, including Manuel Spartan, who participated in the development of the paranoia mode. The big topic was the disassembly of the optimized regular expressions, which are very hard to read. See below for details. The next community chats will be held on the following dates:

Testing WAFs, FTW Version 1.0 released

The OWASP Project maintains an open source set of rules known as the OWASP Core Rule Set (CRS). The CRS implements protections against the well-known, broad classes of web application vulnerabilities identified by OWASP. Over time, this set of rules has become the most popular rule set for ModSecurity and has also found its way into many other popular WAFs. During the same timeframe we have seen Quality Assurance (QA) and DevOps techniques adjust to new Agile development methodologies.

ModSecurity version 2.9.2 released

Trustwave has released ModSecurity version 2.9.2. This is an important update for users of the Core Rule Set. To detect SQL injection and XSS, CRS relies in part on the libinjection library by Nick Galbreath. This library is bundled with ModSecurity and is regularly updated to address new injection variants. Therefore, to have optimal protection against SQL injection and XSS, you should always keep ModSecurity up to date. The update also fixes two security vulnerabilities and contains various other improvements.

CRS3 presentation at OWASP London

OWASP London informed me that my CRS3 presentation will be live-streamed on the OWASP London Facebook page. My talk will begin around 8pm UK time. The presentation will be very similar to the one I gave at AppSecEU in Belfast, but this time we have a backup plan for the installation demo, which failed due to projector issues back in May. A recording of the stream will be available on YouTube afterwards, most likely on the OWASP London channel.