Blogs

CRS version 3.3.5 released

The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5. For downloads and installation instructions, please refer to the Installation page. This is a security release which fixes the recently announced CVE-2023-38199, whereby it is possible to cause an impedance mismatch on some platforms running CRS v3.3.4 and earlier by submitting a request with multiple Content-Type headers. Aside from the security fix, a few other minor, non-breaking changes and improvements are also included in this release.

CVE-2023-38199 – Multiple Content-Type Headers

The OWASP ModSecurity Core Rule Set (CRS) v3.3.4 does not detect the presence of multiple HTTP “Content-Type” header fields. As a result, on some platforms, it is possible to cause a CRS installation to process an HTTP request body differently (because of the different Content-Type) from how it would be processed by a backend web application. See the advisory at https://nvd.nist.gov/vuln/detail/CVE-2023-38199. Update: CRS version 3.3.5 has now been released to address this vulnerability.

Follow the CRS project on YouTube

The OWASP CRS project has opened a YouTube channel. Here we plan to gather all videos that are relevant to the project. In the meantime, feel free to contact us if you think you have fitting content. And don’t forget to give a thumbs up to the videos and subscribe to the channel if you don’t want to miss any new content.

What we learnt from our bug bounty program: It's not for the faint of heart

A bug hunter’s collection with some nice specimens (Photo: FreeImages.com/pi242)

OWASP CRS is the dominant open source web application firewall (WAF) rule set that powers countless servers, commercial WAFs and runs on many CDNs and cloud platforms. Yahoo and Intigriti helped OWASP CRS organize a three-week bug bounty program in Spring 2022. A well-prepared earlier attempt had not given any results, literally zero reports, so CRS walked into this second round in a somewhat naive way.

A brief report on the CRS Community Summit 2023.

Question: What do programmers, security specialists and other IT nerds do on Valentine’s Day? Answer: they get together for the CRS Community Summit in Ireland. As in previous years, we used the OWASP Global AppSec Conference, which this year was held in Ireland’s capital, as an opportunity to call for our Community Summit on February 14, 2023. The plan was that two of the three co-leads would be present on site.

A new rule to prevent SQL in JSON

Team82 has published an exciting research article about bypassing web application firewalls using a specific SQL syntax that uses JSON. More information about their research can be found here. An example payload described by Team82 could be:

1 OR JSON_EXTRACT('{"foo":1}','$.foo')=1

The OWASP Core Rule Set is blocking all payloads reported by Team82 at paranoia level 2 basically just with the rule 942110 "SQL Injection Attack: Common Injection Testing Detected". Though blocking this at paranoia level 2 is great, we decided to define a new rule to block all “JSON in SQL” payloads at the default level (paranoia level 1).

CRS Welcomes Edgio as Gold Sponsor

We’re excited to announce a new partnership with Edgio, a leading provider of edge security solutions, that was formed by the combination of Limelight and Edgecast. Edgio is a trusted partner for organizations looking to protect their digital assets. Its holistic suite of security solutions protects the confidentiality, integrity and availability of web applications and APIs. And it addresses that need with high performance security solutions sitting on the edge of the internet.

Registration for the OWASP CRS Community Summit 2023 - Dublin, Feb 14

On February 14, the CRS community will meet at the Dublin Convention Center for the 2023 CRS Community Summit, the first summit after the pandemic. It has been a while since last we met and many things have happened since. So, there is a lot to talk about. We start at 9 am local time in Liffey Hall 1 of the Convention Center. The program is still in the making, but please expect a variety of talks about CRS, ModSecurity and Coraza.

Meet the CRS team: Fränzi, the puzzle-loving hard worker with a mission

Franziska Bühler doesn’t feel too comfortable in the limelight. The CISO of a Swiss mid-sized IT company would rather work through lists of hundreds of bypasses than be at the forefront. Talking to her, it quickly becomes clear: Fränzi loves a challenge. “Once I set my mind to something, I follow through,” she says. She was always fascinated by great heights.

Franziska Bühler aka Fränzi on top of the Milan cathedral

Microsoft Supports CRS as Gold sponsor

The OWASP ModSecurity Core Rule Set project is very happy to announce Microsoft as a new GOLD sponsor. There have been sporadic contacts with the Azure WAF engineering team for several years and we are now taking the next step. Microsoft and OWASP CRS are establishing a formalized partnership in the form of a sponsoring agreement. There is never a lack of ideas in a flourishing open source project like ours. But like a lot of open source projects, we lack the user perspective to a large extent.