January 14, 2020
By
Christian Folini
(netnea)
It’s been a while since the last CRS project news. It’s not because there was nothing to report. It’s more like too much going on and no time to sit back and write it all down.
Here are the most important things that happened since the last edition:
ModSecurity 3.0.4 has been released for NGINX. This is a security release covering a problem our project members @airween and @theMiddle have discovered. Trustwave has asked us to withhold any details for the moment, but the release of the full CVE is planned for next week. Packaging is under way as far as we can tell. If you are running ModSec3, then we strongly advise you to update ASAP and we’ll probably follow up with a separate blog post once the details are published.
Link: https://sourceforge.net/p/mod-security/mailman/message/36899090/
September 26, 2019
By
Christian Folini
(netnea)
Earlier today, Gareth Heyes presented a very interesting talk with dozens of new XSS payloads at the OWASP GlobalAppSec conference in Amsterdam. The CRS developers in the audience immediately started to try out the payloads, but Gareth was so quick they lost track…
But being the helpful person he is, he published the slides during the evening. Thank you.
This allowed us to get down to business.
We extracted 73 payloads from the presentation and submitted them against a vanilla CRS installation with the new send-payload-pls.sh script that ships with CRS 3.2 (released on Tuesday). We found that there is indeed one new payload that a CRS default installation does not catch:
September 24, 2019
By
Walter Hop
The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of the OWASP ModSecurity Core Rule Set Version 3.2.0.
The new release is available for download here.
This release represents a very big step forward in terms of both capabilities and protections including:
- Improved compatibility with ModSecurity 3.x
- Improved CRS docker container that is fully configurable at creation
- Expanded Java RCE blacklist
- Expanded unix shell RCE blacklist
- Improved PHP RCE detection
- New javascript/Node.js RCE detection
- Expanded LFI blacklists
- Added XenForo rule exclusion profile
- Fixes for many false positives and bypasses
- Detection of more security scanners
- Regexp performance improvements preventing ReDoS in most cases
Please see the CHANGES document with around 150 entries for a detailed list of new features and improvements:
https://github.com/coreruleset/coreruleset/blob/v3.2.0/CHANGES
How could the functionality of a WAF be better demonstrated than with a vulnerable web application?
In this blog post I introduce Pixi, an intentionally vulnerable web application by the OWASP project DevSlop. I show its known vulnerabilities and examine how the CRS protects against these vulnerabilities.
What is Pixi?
Pixi is a deliberately vulnerable web application that is part of the OWASP DevSlop project. Besides Tanya Janca, Nicole Becher and Nancy Gariché, I am also part of this project. DevSlop is a training ground for DevSecOps. In addition to Pixi, DevSlop also offers many YouTube shows, blog posts and different modules on various security topics!
September 3, 2019
By
Walter Hop
The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of release candidate 2 for the upcoming CRS v3.2.0. The new release is available at
This release represents a very big step forward in terms of both capabilities and protections including:
- Improved compatibility with ModSecurity 3.x
- Improved CRS docker container that is fully configurable at creation
- Expanded Java RCE blacklist
- Expanded unix shell RCE blacklist
- Improved PHP RCE detection
- New javascript/Node.js RCE detection
- Expanded LFI blacklists
- Added XenForo rule exclusion profile
- Fixes for many false positives and bypasses
- Detection of more security scanners
- Regexp performance improvements preventing ReDoS in most cases
Please see the CHANGES document with around 150 entries for a detailed list of new features and improvements.
https://github.com/coreruleset/coreruleset/blob/v3.2.0-rc2/CHANGES
August 26, 2019
By
Walter Hop
As many of you have noticed, the Core Rule Set contains very complex regular expressions. See for example rule 942480:
(?i:(?:\b(?:(?:s(?:elect\b.{1,100}?\b(?:(?:(?:length|count)\b.{1,100}?|.*?\bdump\b.*)\bfrom|to(?:p\b.{1,100}?\bfrom|_(?:numbe|cha)r)|(?:from\b.{1,100}?\bwher|data_typ)e|instr)|ys_context)|in(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)|...
These regular expressions are assembled from a list of simpler regular expressions for efficiency reasons. See regexp-942480.data for the source expressions which were combined to form this expression.
A single optimized regular expression test takes much less time than a series of simpler regular expression tests. By combining related patterns in one rule, we lower our number of rules, which helps to keep the code base compact. The downside is readability and ease of development.
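To make the assembly step concrete, here is an added example that is not the project's own tooling (CRS combines the regex fragments in its .data files with Perl's Regexp::Assemble). It builds one prefix-sharing alternation from a constructed list of literal phrases, checks that the combined expression returns the same verdict as the individual expressions on a set of constructed inputs (the regression check a rule rewrite has to pass), and times the single combined regex against a loop over the separate ones. The pattern list, the sample inputs and all function names are assumptions made for this example.

```python
import re
import timeit

# Constructed stand-in for a CRS regexp-*.data file (one pattern per line).
# The real files contain regex fragments; this simplified assembler only
# handles literal phrases, which is enough to show the prefix sharing.
SOURCE_PATTERNS = [
    "select", "sys_context", "insert into", "inner join",
    "into dumpfile", "into outfile", "union select", "union all select",
]

# Constructed sample inputs: three SQLi-looking strings, one keyword hit in
# harmless prose, one string that only contains the keywords as substrings.
SAMPLES = [
    "1 UNION ALL SELECT password FROM users",
    "id=5; INSERT INTO log VALUES(1)",
    "SELECT * INTO OUTFILE '/tmp/x'",
    "please select a seat",
    "selection of inner joints",
    "hello world",
]


def _build_trie(phrases):
    """Character trie over the phrases; an empty-string key marks a phrase end."""
    trie = {}
    for phrase in phrases:
        node = trie
        for ch in phrase:
            node = node.setdefault(ch, {})
        node[""] = {}
    return trie


def _trie_to_regex(node):
    """Emit a non-capturing alternation in which siblings share their prefix."""
    branches = []
    terminal = False
    for ch, child in sorted(node.items()):
        if ch == "":
            terminal = True
            continue
        branches.append(re.escape(ch) + _trie_to_regex(child))
    if not branches:
        return ""
    body = "|".join(branches)
    if len(branches) > 1 or terminal:
        # terminal: a shorter phrase is a prefix of a longer one (e.g. both
        # "union" and "union select" listed), so the remainder is optional.
        body = "(?:" + body + ")" + ("?" if terminal else "")
    return body


def assemble(phrases):
    """One case-insensitive, word-bounded regex covering every phrase."""
    return r"(?i:\b" + _trie_to_regex(_build_trie(phrases)) + r"\b)"


def _single_regexes(phrases):
    return [re.compile(r"(?i:\b" + re.escape(p) + r"\b)") for p in phrases]


def is_flagged(text, phrases=SOURCE_PATTERNS):
    return re.compile(assemble(phrases)).search(text) is not None


def same_verdicts(phrases, samples):
    """Regression check a rule rewrite must pass: the assembled regex flags
    exactly the inputs that at least one source pattern flags."""
    combined = re.compile(assemble(phrases))
    singles = _single_regexes(phrases)
    return all(
        (combined.search(s) is not None) == any(r.search(s) for r in singles)
        for s in samples
    )


def benchmark(phrases, text, number=2000):
    """Seconds for `number` runs of the one combined regex vs. a loop over
    the separate source regexes (the cost the post says assembly avoids)."""
    combined = re.compile(assemble(phrases))
    singles = _single_regexes(phrases)
    t_one = timeit.timeit(lambda: combined.search(text), number=number)
    t_many = timeit.timeit(lambda: any(r.search(text) for r in singles), number=number)
    return t_one, t_many


if __name__ == "__main__":
    print(assemble(SOURCE_PATTERNS))
    print("same verdicts on samples:", same_verdicts(SOURCE_PATTERNS, SAMPLES))
    one, many = benchmark(SOURCE_PATTERNS, "x" * 2000 + SAMPLES[-1])
    print(f"combined: {one:.4f}s  {len(SOURCE_PATTERNS)} separate: {many:.4f}s")
```

Running it prints an expression of the shape `(?i:\b(?:in(?:ner\ join|sert\ into|to\ (?:dumpfile|outfile))|s(?:elect|ys_context)|union\ (?:all\ select|select))\b)`, which is the readability trade-off the post describes: correct and fast, but no longer something you would want to edit by hand, which is why the source list, not the assembled output, is what gets maintained.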
August 7, 2019
By
Christian Folini
(netnea)
Life is interfering and the rhythm of the CRS news is not what I would like it to be. Three months since the last edition. But the advantage is, of course, that there is more news to talk about once I get to write it all up.
What has happened in recent weeks
- The OWASP Honeypot project that is based on CRS is running a Google Summer of Code project that aims for an up to date containerization of the honeypot.
- O’Reilly is distributing a free 40 page brochure about “Defense in Depth” by Stephen Gates. CRS is featured prominently on page 22: “Today, most WAF vendors have implemented the OWASP ModSecurity Core Rule Set (CRS), which contains generic attack detection rules for use with ModSecurity or compatible WAFs.”
Link:
https://www.oreilly.com/library/view/modern-defense-in/9781492050360/
- Zevenet has patched the traditional, but rather exotic, reverse proxy Pound to work with ModSecurity 3 and thus with CRS.
Link:
https://github.com/zevenet/pound
- The pressing ReDoS problems that resulted in 5 (!) CVEs issued against CRS could be solved with the release of 3.1.1, which is functionally equivalent to 3.1.0 and does not suffer from the problems. We also found out that 4 of the 5 CVEs were bogus and the 5th is only exploitable in a few installations. We are talking to Mitre, but they have not really been very forthcoming so far.
A word of caution: this does not mean that there are no more ReDoS problems in CRS. We are working through the rules and we think we have identified the most problematic ones, but ReDoS is nasty as long as you run on PCRE, and we are not quite ready to support an alternative engine like RE2 (but we are working on it; see below).
Link:
- There is a new, bi-monthly CRS / ModSecurity Meetup in Bern, Switzerland. The first edition ran on June 26, 2019 and we got 14 people together in the room.
Link: http://web.archive.org/web/20200807130543/https://www.puzzle.ch/de/blog/articles/2019/07/02/erstes-treffen-der-crs-community-in-bern
- Brian Krebs blogged about the Capital One breach and blamed it on an SSRF (server-side request forgery) on the ModSecurity WAF running CRS. However, this is likely wrong, as a more detailed blog post at AppSecco explained. It is rather an SSRF that CRS did not block, either because it was not detected (quite likely, as SSRF is really hard to detect with generic rules) or because the WAF was in monitoring mode.
Links:
https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
https://blog.appsecco.com/an-ssrf-privileged-aws-keys-and-the-capital-one-breach-4c3c2cded3af?gi=97a1dfb34c64
- We did our monthly CRS project chats. Here are the agendas and the brief minutes.
Links:
https://github.com/coreruleset/coreruleset/issues/1402 (May)
https://github.com/coreruleset/coreruleset/issues/1443 (June)
https://github.com/coreruleset/coreruleset/issues/1471 (July)
https://github.com/coreruleset/coreruleset/issues/1496 (August)
Significant pull requests that were merged
Things that are meant to happen in the coming weeks or thereafter
- We are planning to release CRS 3.2. Release manager Walter Hop confirmed the following plan: freeze on August 19, RC1 on August 26, RC2 on September 8, release on September 24.
Link:
https://github.com/coreruleset/coreruleset/issues/1496#issuecomment-518348210
- The next CRS / ModSecurity meetups in Bern, Switzerland, will be on August 28 and thereafter on October 30. On August 28, we’ll talk about Paranoia Levels in Practice. The program for October 30 has not been fixed yet.
Link:
https://www.meetup.com/CRS-ModSecurity-Meetup-Bern/
- We are hosting a CRS Community Summit on September 25 at the RAI in Amsterdam. This is the last training day at the OWASP AppSec Global conference. The summit is meant for users of CRS, for integrators and for committers of our project. Entry to the summit is free, but if you make the trip to the Netherlands it makes sense, of course, to combine it with the AppSec conference the next day. The Summit will start in the early afternoon and we are going to have dinner together afterwards. Please get in touch if you plan to attend, so we can accommodate enough seats at the RAI (and at the restaurant afterwards):
Link:
christian.folini / at / owasp.org
- Christian Folini is going to present at the OWASP AppSec Global conference in Amsterdam on September 26 / 27. His talk will be about Practical CRS in high security settings.
Link:
https://ams.globalappsec.org/
Important pull requests in the queue
- There is a PR for a new rule aiming at insecure deserialization in Node.js. This is meant to be the first rule in a new rule group (REQUEST-934-APPLICATION-ATTACK-NODEJS.conf) that is going to be released together with CRS 3.2 if all goes according to plan.
Link:
https://github.com/coreruleset/coreruleset/pull/1487
- Not much else of importance is in the queue. We have been very active with merging these last few weeks. There are just a few bugfixes here and there plus more tests.
News assembled by Christian Folini, CRS Co-Lead.
June 27, 2019
By
Christian Folini
(netnea)
The OWASP ModSecurity Core Rule Set team is pleased to announce the CRS release v3.1.1.
This is a minor release fixing a Regular Expression Denial of Service weakness (CVE-2019-11387) as well as some minor bugs and false positives.
The CVE only affects users of the libModSecurity 3 release line and only under special circumstances. However, we advise all users to upgrade to this latest stable CRS release.
We were notified of 5 ReDoS problems in our rules in April. Upon closer inspection, only 1 of them proved real (the others were found in the naked regular expression, without taking the payload transformations and the protection mechanisms of the engine into consideration). Once this was established, we had to fix the regex without changing the detection capabilities of the affected rules. And this is what took us so long.
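The two halves of that last paragraph, the cost a naked regex can run up and the detection change a careless fix would introduce, can be seen on a small scale with the following added example. It is not CRS code and not the rule behind CVE-2019-11387 (this post does not name it); the skeleton `select\b.{1,100}?\bfrom` is modelled on the first branch of rule 942480 quoted in the August 26 post on this page, once with the unbounded gap a naked-regex scan would report and once with the bounded lazy gap the rule actually uses. Python's `re` is a backtracking engine like PCRE, so the growth behaviour carries over; the payloads, sizes and function names are constructed for this example.

```python
import re
import time

# Same skeleton as the first branch of CRS rule 942480 (select ... from):
# once with the unbounded gap a naked-regex ReDoS scan would flag, once
# with the bounded lazy gap the rule actually uses.  Python's `re` is a
# backtracking engine like PCRE, so the cost behaviour carries over.
UNBOUNDED = re.compile(r"(?i)\bselect\b.*?\bfrom\b")
BOUNDED = re.compile(r"(?i)\bselect\b.{1,100}?\bfrom\b")


def worst_case_payload(repeats):
    """Constructed attacker input: many 'select' tokens and no 'from', so
    every start position is tried and every gap scan runs to failure."""
    return "select " * repeats


def timed_search(pattern, text):
    """(matched?, seconds) for one search."""
    start = time.perf_counter()
    hit = pattern.search(text) is not None
    return hit, time.perf_counter() - start


def cost_growth(pattern, sizes):
    """Seconds per payload size.  UNBOUNDED grows roughly quadratically
    (each of the n starts scans up to the end of the line); BOUNDED grows
    linearly (each start scans at most 100 characters)."""
    return [timed_search(pattern, worst_case_payload(n))[1] for n in sizes]


def detection_gap_examples():
    """Where the bound changes the verdict.  The cost cap is not free: a
    gap of more than 100 characters between the keywords is no longer
    matched, which is the kind of detection change a fix has to weigh."""
    short = "select a,b,c from t"
    long_gap = "select " + "x" * 150 + " from t"
    return {
        "short": (UNBOUNDED.search(short) is not None,
                  BOUNDED.search(short) is not None),
        "long_gap": (UNBOUNDED.search(long_gap) is not None,
                     BOUNDED.search(long_gap) is not None),
    }


def capped(text, limit=4096):
    """Engine-side mitigation in its simplest form: bound what the regex
    sees before it runs.  A plain length cap is an assumption made for this
    example, not a ModSecurity directive."""
    return text[:limit]


if __name__ == "__main__":
    sizes = [250, 500, 1000]
    for name, pat in (("unbounded", UNBOUNDED), ("bounded", BOUNDED)):
        print(name, ["%.4fs" % t for t in cost_growth(pat, sizes)])
    print(detection_gap_examples())
    print("capped:", timed_search(UNBOUNDED, capped(worst_case_payload(1000))))
```

Doubling the payload size roughly quadruples the unbounded time and roughly doubles the bounded one; with a few thousand `select` tokens the difference is already visible, and on PCRE without match limits the unbounded form keeps growing with the request size. The `detection_gap_examples` output is the other half of the story: the bound is a deliberate trade, so a fix that introduces one has to be checked against the rule's existing test cases rather than only against the ReDoS payload.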
May 1, 2019
By
Christian Folini
(netnea)
We are back with the CRS project news. There was not too much to talk about in recent weeks, but now there is real content. So here we go.
What has happened in recent weeks
- Security researcher Somdev Sangwan has looked into Regular Expression Denial of Service attacks. It is a more or less well known fact that CRS suffers from this problem. Usually, it is no big deal, as ModSecurity 2 used to protect against this type of attack (via its SecPcreMatchLimit and SecPcreMatchLimitRecursion directives, which cap the work PCRE may spend on a single match). However, this protection is gone with ModSecurity 3. Somdev Sangwan had 5 (!) CVEs against CRS created. Yet we came to the conclusion that only one of them (👉 CVE-2019-11387) is directly exploitable, and only on ModSecurity 3 at paranoia level 2 or higher. The problem is located in two separate rules. We are now working on a solution for this issue.
Links:
https://nvd.nist.gov/vuln/detail/CVE-2019-11387
https://github.com/coreruleset/coreruleset/issues/1359
https://portswigger.net/daily-swig/unpatched-modsecurity-crs-vulnerabilities-leave-web-servers-open-to-denial-of-service-attacks
- CRS contributor Airween has made a big effort to make sure that ModSecurity 3 passes the CRS test suite. He fixed several ModSec bugs along the way (not all of them merged yet) and he has been 100% successful with ModSec3 in combination with the Apache connector. With the nginx connector, he is really close. Please note that this means that none of the released ModSec 3 versions are able to pass the CRS 3 test suite so far.
- There was very little interest among the CRS developers to go to Tel Aviv in order to hold our CRS community summit during the OWASP AppSec Global conference there later in May. We have thus decided to shift our reunion to September and the OWASP AppSec conference in Amsterdam.
- James Walker from Portswigger / Daily Swig covered the ongoing development with ModSecurity in an online article.
Link: https://portswigger.net/daily-swig/waf-reloaded-modsecurity-3-1-showcased-at-black-hat-asia
- We are very happy to welcome Andrea Menin / theMiddleBlue / MeninTheMiddle as a CRS developer with commit rights. The latter took a fair bit of time, but the joy is even bigger now.
- There is a fairly new ModSecurity integration into the Envoy Proxy on Kubernetes. We have not tested it yet, though.
Link: https://github.com/octarinesec/ModSecurity-envoy
Significant pull requests that were merged
Things that are meant to happen in the coming weeks or thereafter
- Tin Zaw from Verizon is presenting CRS at the OWASP project showcase at the AppSec conference in Tel Aviv.
- 3.1.1 is meant to be released with a backported fix for CVE-2019-11387 as soon as we have the fix.
Important pull requests in the queue
April 25, 2019
By
Christian Folini
(netnea)
Somdev Sangwan has discovered several Regular Expression Denial of Service (ReDoS) weaknesses in the rules provided by the CRS project. They are listed under the following CVEs:
The fact that CRS is affected by ReDoS is not particularly surprising and truth be told, we knew that was the case. We just have not solved it yet - or have not been able to solve it yet.