February 14, 2024
By
Alessandro Monachesi
What a Valentine’s Day present we have got for you: today, the Core Rule Set project is releasing CRS 4!
Finally, you may say – and would be absolutely right: it took us a long time to get there. But we wanted to do it right, especially after the bug bounty program we took part in left us with over 500 individual findings in roughly 180 reports. Fixing all these needed more time than we originally thought.
January 15, 2024
By
Christian Folini
(netnea)
With the new year comes good news: last week, Trustwave and the OWASP Foundation have announced the agreement to transfer ModSecurity to OWASP. The transition will commence on January 25. The incubation phase of the new OWASP ModSecurity project will focus on the establishment of a development community to lay the basis for a successful continuation of the project under the new stewardship. This entails the three areas: communication, administration and development.
January 11, 2024
By
Alessandro Monachesi
We are proud to present Swiss Post as new silver sponsor for the OWASP ModSecurity Core Rule Set. Swiss Post is one of the longest-standing and best-known brands in Switzerland since its establishment in 1849. The company uses many open-source solutions for development and operation and in turn supports the community where possible. Ties between Swiss Post and the CRS project team have traditionally been strong with different core team members having worked for the premier Swiss provider of mail and logistics services.
November 30, 2023
By
Alessandro Monachesi
As a South American, Felipe Zipitría has a special status in the CRS core team. The sociable Uruguayan played basketball which taught him all about the value of teamwork. Automation and standardization are key issues for Felipe in the CRS project. “The CRS project offers exciting problems that can make any techie happy”, he says. Our man in South America: Felipe Zipitría enjoys the views of Budpest at the CRS Developer Retreat 2023
November 28, 2023
By
Alessandro Monachesi
After the lofty ideas of Sunday (keyword: universe domination), things got a little more down-to-earth on Monday. After the participants had split up into the four projects, work began on them. Things got more exciting again in the afternoon when the next steps and the project roadmap were discussed.
Two results from the intensive discussion about the long-term development of the project should be mentioned here in particular: Firstly, in order to not being restricted by the SecRule language the project decided to slowly start preparing an alternative structured format for a rule language.
November 9, 2023
By
Alessandro Monachesi
When invited to join the Core Rule Set project, Andrew Howe felt a bit intimidated by the highly talented team at first. Today he is a valued member of the CRS core team, bringing his experience as a technical writer and a CRS integrator. “Having people onboard with experience of running CRS at a large-scale would be very useful,” he says. What else he said, you can read in this interview.
November 5, 2023
By
Alessandro Monachesi
It’s hard to believe that it’s already been another year since the last OWASP ModSecurity Core Rule Set Developer Retreat in Varese near Milan in northern Italy. This year, the core team is meeting in the Hungarian capital Budapest from November 5th to 12th. The team members travelled from all directions – some got up inhumanly early, others flew across the Atlantic and still others had been travelling by train for two days … but not even the Deutsche Bahn could prevent all registered participants from arriving at the Hotel Nádas Pihenőpark by late afternoon on Sunday.
October 26, 2023
By
Andrew Howe
The OWASP ModSecurity Core Rule Set (CRS) team is proud to announce the availability of release candidate 2 (RC2) of the upcoming CRS v4.0.0 release. The release candidate is available for download as a ‘release’ from our GitHub repository:
https://github.com/coreruleset/coreruleset/releases/tag/v4.0.0-rc2 This new release candidate includes over 230 changes. Some of the important changes include:
Add new rule 920620 to explicitly detect multiple Content-Type abuse (CVE-2023-38199) (Andrea Menin) Extend definition of restricted headers to include Content-Encoding and Accept-Charset by default (Walter Hop) Migrate application exclusions and less-used functionality to plugins (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe) Add support for HTTP/3 (Jozef Sudolský) Add enable_default_collections flag to not initialize collections by default (Matteo Pace) Switch to using wordnet instead of spell for finding English words in spell.
September 21, 2023
By
Alessandro Monachesi
This year, the OWASP ModSecurity Core Rule Set for the second time took part in the Google Summer of Code initiative. Google Summer of Code (GSoC) is a global online program focused on bringing new contributors into open-source software development. GSoC contributors work with an open-source organization of their choice on a 12+ week programming project under the guidance of the mentors from the organization. Dexter Chang had applied to the CRS project with a proposal for a performance framework.
August 2, 2023
By
Ervin Hegedüs
Many CRS users have probably read Trustwave’s recent announcement about the new version of libmodsecurity3 (aka ModSecurity v3) and the reason for the release:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
The new version of the WAF library fixes a CVE described issue, namely: “DoS Vulnerability in Four Transformations”.
We would like to draw the attention of all CRS users who also use libmodsecurity3 to update the library as soon as possible. CRS uses one of the mentioned transformations (removeNull) in several rules.