The OWASP ModSecurity Core Rule Set (CRS) team is proud to announce the availability of release candidate 2 (RC2) of the upcoming CRS v4.0.0 release. The release candidate is available for download as a ‘release’ from our GitHub repository:
This year, the OWASP ModSecurity Core Rule Set for the second time took part in the Google Summer of Code initiative. Google Summer of Code (GSoC) is a global online program focused on bringing new contributors into open-source software development. GSoC contributors work with an open-source organization of their choice on a 12+ week programming project under the guidance of the mentors from the organization. Dexter Chang had applied to the CRS project with a proposal for a performance framework. We spoke to Dexter about his GSoC experience with the Core Rule Set.
Many CRS users have probably read Trustwave’s recent announcement about the new version of libmodsecurity3 (aka ModSecurity v3) and the reason for the release:
The new version of the WAF library fixes a CVE described issue, namely: “DoS Vulnerability in Four Transformations”.
We would like to draw the attention of all CRS users who also use libmodsecurity3 to update the library as soon as possible. CRS uses one of the mentioned transformations (removeNull) in several rules. Unfortunately, after analyzing the patch that fixes the bug, we were able to construct a payload that overloaded the libmodsecurity3 engine which many people use with CRS.
The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5.
For downloads and installation instructions, please refer to the Installation page.
This is a security release which fixes the recently announced CVE-2023-38199, whereby it is possible to cause an impedance mismatch on some platforms running CRS v3.3.4 and earlier by submitting a request with multiple Content-Type headers.
Aside from the security fix, a few other minor, non-breaking changes and improvements are also included in this release. The full changes are as follows:
The OWASP ModSecurity Core Rule Set (CRS) v3.3.4 does not detect the presence of multiple HTTP “Content-Type” header fields. As a result, on some platforms, it is possible to cause a CRS installation to process an HTTP request body differently (because of the different Content-Type) to how it would be processed by a backend web application.
The OWASP CRS project has opened a YouTube channel. Here we plan to gather all videos that are relevant to the project. In the meantime, feel free to contact us if you think you have fitting content. And don’t forget to give a thumbs up to the videos and subscribe to the channel if you don’t want to miss any new content.
A bug hunter’s collection with some nice specimens (Photo: FreeImages.com/pi242)
OWASP CRS is the dominant open source web application firewall (WAF) rule set that powers countless servers, commercial WAFs and runs on many CDNs and cloud platforms. Yahoo and Intigriti helped OWASP CRS organize a three week bug bounty program in Spring 2022. A well prepared earlier attempt had not given any results, literally zero reports, so CRS walked into this 2nd round in a somewhat naive way. But an avalanche of reports and the professionalism of our partners woke us up real quick. Still, fixing all the findings took us very, very long and we had moments where I feared it would kill our project. Here is a somewhat lengthy report about our journey.
Question: What do programmers, security specialists and other IT nerds do on Valentine’s Day? Answer: they get together for the CRS Community Summit in Ireland. As in previous years, we used the OWASP Global AppSec Conference, which this year was held in Ireland’s capital, as an opportunity to call for our Community Summit on February 14, 2023.
The plan was that two of the three co-leads would be present on site. Unfortunately, Christian Folini was caught out at short notice - the poor sap turned back just before boarding the plane - so Felipe Zipitria had to represent the project lead alone. From the CRS core team, Andrew Howe, Manuel Spartan and Ervin Hegedüs were also on hand, as well as Juan Pablo Tosso and Matteo Pace from Coraza. Unfortunately, compared to past Summits, only a few members from the extended community were in attendance. What that was due to is hard to say. Possibly an after-effect of the COVID-related interruption. Or maybe more IT nerds have a girlfriend than we thought …
Team82 has published an exciting research article about bypassing web application firewalls using a specific SQL syntax that uses JSON. More information about their research can be found here.
An example payload described by Team82 could be:
1OR JSON_EXTRACT('{"foo":1}','$.foo')=1
The OWASP Core Rule Set is blocking all payloads reported by Team82 at paranoia level 2 basically just with the rule 942110 "SQL Injection Attack: Common Injection Testing Detected".
Though blocking this at paranoia level 2 is great, we decided to define a new rule to block all “JSON in SQL” payloads at the default level (paranoia level 1). More information about the new rule can be reached by visiting the related pull request page on the CRS GitHub repository.
We’re excited to announce a new partnership with Edgio, a leading provider of edge security solutions, that was formed by the combination of Limelight and Edgecast. Edgio is a trusted partner for organizations looking to protect their digital assets. Its holistic suite of security solutions protects the confidentiality, integrity and availability of web applications and APIs. And it addresses that need with high performance security solutions sitting on the edge of the internet.
