Blogs

A new rule to prevent SQL in JSON

Team82 has published an exciting research article about bypassing web application firewalls using a specific SQL syntax that embeds JSON. More information about their research can be found here. An example payload described by Team82 is:

    1 OR JSON_EXTRACT('{"foo":1}','$.foo')=1

The OWASP Core Rule Set already blocks all payloads reported by Team82 at paranoia level 2, essentially with the single rule 942110 "SQL Injection Attack: Common Injection Testing Detected". Though blocking this at paranoia level 2 is great, we decided to define a new rule that blocks all “JSON in SQL” payloads at the default level (paranoia level 1).

CRS Welcomes Edgio as Gold Sponsor

We’re excited to announce a new partnership with Edgio, a leading provider of edge security solutions, that was formed by the combination of Limelight and Edgecast. Edgio is a trusted partner for organizations looking to protect their digital assets. Its holistic suite of security solutions protects the confidentiality, integrity and availability of web applications and APIs. And it addresses that need with high performance security solutions sitting on the edge of the internet.

Registration for the OWASP CRS Community Summit 2023 - Dublin, Feb 14

On February 14, the CRS community will meet at the Dublin Convention Center for the 2023 CRS Community Summit, the first summit after the pandemic. It has been a while since we last met and many things have happened since, so there is a lot to talk about. We start at 9 am local time in Liffey Hall 1 of the Convention Center. The program is still in the making, but please expect a variety of talks about CRS, ModSecurity and Coraza.

Meet the CRS team: Fränzi, the puzzle-loving hard worker with a mission

Franziska Bühler doesn’t feel too comfortable in the limelight. The CISO of a Swiss mid-sized IT company would rather work through lists of hundreds of bypasses than stand at the forefront. Talking to her, it quickly becomes clear: Fränzi loves a challenge. “Once I set my mind to something, I follow through,” she says. She was always fascinated by great heights.

Franziska Bühler aka Fränzi on top of the Milan cathedral

Microsoft Supports CRS as Gold sponsor

The OWASP ModSecurity Core Rule Set project is very happy to announce Microsoft as a new GOLD sponsor. There have been sporadic contacts with the Azure WAF engineering team for several years and we are now taking the next step: Microsoft and OWASP CRS are establishing a formalized partnership in the form of a sponsoring agreement. There is never a lack of ideas in a flourishing open source project like ours. But like many open source projects, we lack the user perspective to a large extent.

Save the Date: CRS Community Summit on February 14, 2023

Let the CRS project be your Valentine: The OWASP ModSecurity Core Rule Set project will hold the first post-pandemic Community Summit at the Dublin Convention Center in Ireland on Tuesday, February 14, 2023. We invite the whole CRS community, users, developers, integrators, and sponsors to meet with us for an exchange of thoughts, technical talks, and networking. After the “official” part of the meeting we will go out for dinner and drinks.

Bug Bounty Switzerland supports CRS as Silver sponsor

The OWASP ModSecurity Core Rule Set (CRS) project is proud to announce a new sponsoring partner: Bug Bounty Switzerland – a startup that has pioneered the collaboration with ethical hackers in Switzerland and today is Switzerland’s leading provider of bug bounty programs and public trust initiatives. Since 2022, they have been the strategic partner of the National Cyber Security Centre NCSC and help to establish bug bounty programs for the whole Federal Administration.

The CRS Developer Retreat 2022

Pizza, pasta, pesto … pineapple? This was one of the many important topics (and one of the most controversial) discussed at the CRS developer retreat 2022 in Italy. The annual CRS developer team retreat is always a highlight of the year, finally meeting face-to-face again and not just via chat. This time, the backdrop for the meeting from October 29 to November 5 was the southern foothills of the Alps near Lake Varese, close to the Swiss border.

Meet the CRS team: Ervin, the gardening radio amateur in the background

Astronaut? Garbage truck driver? Electrical engineer? Metalsmith? In the end, Hungarian Ervin Hegedüs became a software developer. Within the Core Rule Set project, he contributes primarily to tool development and packaging. “New team members should above all be team players,” says Ervin.

A man of many talents and names: Ervin Hegedüs aka AirWeen aka HA2OS

Ervin Hegedüs has had no shortage of interesting career ideas in his 51-year life. While the usual childhood dreams of becoming an astronaut or a garbage truck driver vanished as he grew older, Ervin still today sometimes wonders what would have become of him if he hadn’t found his way to IT.

Meet the CRS team: Andrea, the musical man-in-the-middle

He likes to play board games and the guitar, and he loves to fix bypasses to CRS rules: Italian Andrea Menin joined the Core Rule Set team in 2018. The most important requirement for anybody joining the project, he says, is to enjoy it.

Andrea Menin with the famous DeLorean: “Back to the Future sparked a love of technology and music in me”

He never wanted to be a locomotive engineer or an astronaut, but Andrea Menin (born in 1983) actually had an alternative to being a developer and IT whiz: “After school, I either wanted to do something with computers or become a musician.