Blogs

How the CRS protects the vulnerable web application Pixi by OWASP DevSlop

How could the functionality of a WAF be better demonstrated than with a vulnerable web application?

In this blog post I introduce Pixi, an intentionally vulnerable web application by the OWASP project DevSlop. I show its known vulnerabilities and examine how the CRS protects against these vulnerabilities.

What is Pixi?

Pixi is a deliberately vulnerable web application that is part of the OWASP DevSlop project. Besides Tanya Janca, Nicole Becher and Nancy Gariché, I am also part of this project. DevSlop is a training ground for DevSecOps. In addition to Pixi, DevSlop also offers many YouTube shows, blog posts and different modules on various security topics!

Announcement: OWASP ModSecurity Core Rule Set Version 3.2.0-RC2

The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of release candidate 2 for the upcoming CRS v3.2.0. The new release is available at

This release represents a very big step forward in terms of both capabilities and protections including:

  • Improved compatibility with ModSecurity 3.x
  • Improved CRS docker container that is fully configurable at creation
  • Expanded Java RCE blacklist
  • Expanded Unix shell RCE blacklist
  • Improved PHP RCE detection
  • New JavaScript/Node.js RCE detection
  • Expanded LFI blacklists
  • Added XenForo rule exclusion profile
  • Fixes for many false positives and bypasses
  • Detection of more security scanners
  • Regexp performance improvements preventing ReDoS in most cases

Please see the CHANGES document with around 150 entries for a detailed list of new features and improvements.
https://github.com/coreruleset/coreruleset/blob/v3.2.0-rc2/CHANGES

How the CRS optimizes regular expressions

As many of you have noticed, the Core Rule Set contains very complex regular expressions. See for example rule 942480:

(?i:(?:\b(?:(?:s(?:elect\b.{1,100}?\b(?:(?:(?:length|count)\b.{1,100}?|.*?\bdump\b.*)\bfrom|to(?:p\b.{1,100}?\bfrom|_(?:numbe|cha)r)|(?:from\b.{1,100}?\bwher|data_typ)e|instr)|ys_context)|in(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)|...

These regular expressions are assembled from a list of simpler regular expressions for efficiency reasons. See regexp-942480.data for the source expressions which were combined to form this expression.

A single optimized regular expression test takes much less time than a series of simpler regular expression tests: the engine scans the payload once, and shared prefixes let it discard whole groups of alternatives after a few characters. By combining related patterns in one rule, we lower our number of rules, which helps to keep the code base compact. The price is readability and ease of development.
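To make the assembly step concrete, here is an added example that is not CRS project code: a small Python function that factors a list of literal keywords into one prefix-sharing pattern, in the spirit of the Perl Regexp::Assemble tool the CRS build used for its .data files. It is limited to literal keywords (the real .data files may contain arbitrary sub-expressions, which a plain trie cannot factor), and the keyword list and sample payloads are constructed for the example.

```python
import re

# Added illustration, not CRS code: assemble literal keywords into one
# prefix-factored regular expression via a character trie.


def _build_trie(words):
    """Return a nested-dict trie; the key '' marks the end of a word."""
    root = {}
    for word in words:
        node = root
        for ch in word:
            node = node.setdefault(ch, {})
        node[''] = {}
    return root


def _is_leaf(node):
    """A node whose only entry is the end-of-word marker."""
    return list(node) == ['']


def _emit(node):
    """Emit the regex fragment for everything below this trie node."""
    branches = sorted(k for k in node if k)
    if not branches:
        return ''
    if len(branches) > 1 and all(_is_leaf(node[k]) for k in branches):
        # several single final characters collapse into one character class
        body = '[' + ''.join(re.escape(k) for k in branches) + ']'
    else:
        alts = [re.escape(k) + _emit(node[k]) for k in branches]
        body = alts[0] if len(alts) == 1 else '(?:' + '|'.join(alts) + ')'
    if '' in node:
        # a word ends here while longer words continue: the rest is optional
        if not (body.startswith('(?:') or body.startswith('[') or len(body) == 1):
            body = '(?:' + body + ')'
        body += '?'
    return body


def assemble(words):
    """One pattern equivalent to the alternation of all (non-empty) words."""
    return _emit(_build_trie([w for w in set(words) if w]))


def naive(words):
    """The plain alternation, longest words first so prefixes do not shadow."""
    ordered = sorted(set(words), key=lambda w: (-len(w), w))
    return '|'.join(re.escape(w) for w in ordered)


# Constructed keyword list, loosely modelled on SQL tokens a WAF rule looks for.
KEYWORDS = ["select", "insert", "into", "inner", "sys_context",
            "sleep", "benchmark", "char", "chr"]

# Constructed sample payloads (not real traffic).
SAMPLES = [
    "1 UNION SELECT password FROM users",
    "id=5; insert into t values (1)",
    "a inner join b",
    "sleep(5)",
    "nothing suspicious here",
    "charm chr(65)",
]


def same_matches(words, samples):
    """True if the assembled and naive patterns find identical tokens."""
    assembled = re.compile(r'\b(?:' + assemble(words) + r')\b', re.I)
    plain = re.compile(r'\b(?:' + naive(words) + r')\b', re.I)
    return all(assembled.findall(s) == plain.findall(s) for s in samples)


if __name__ == "__main__":
    print(assemble(KEYWORDS))
    # (?:benchmark|ch(?:ar|r)|in(?:ner|sert|to)|s(?:elect|leep|ys_context))
    print(same_matches(KEYWORDS, SAMPLES))
```

The equivalence check is the part worth keeping: whenever a hand-written or tool-assembled pattern is changed, run both forms over a corpus of known payloads and insist on identical matches before committing the optimized version.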

CRS Project News August 2019

Life is interfering and the rhythm of the CRS news is not what I would like it to be. Three months since the last edition. But the advantage is of course that there is more news to talk about once I get to write it all up.

What has happened in recent weeks

Significant pull requests that were merged

Things that are meant to happen in the coming weeks or thereafter

  • We are planning to release CRS 3.2. Release manager Walter Hop confirmed the following plan:
    Freeze on August 19, RC1 on August 26, RC2 on September 8, release on September 24.
    Link:
    https://github.com/coreruleset/coreruleset/issues/1496#issuecomment-518348210
  • The next CRS / ModSecurity meetups in Bern, Switzerland, will be on August 28 and thereafter on October 30.
    On August 28, we’ll talk about Paranoia Levels in Practice. The program for October 30 has not been fixed yet.
    Link:
    https://www.meetup.com/CRS-ModSecurity-Meetup-Bern/
  • We are hosting a CRS Community Summit on September 25 at the RAI in Amsterdam. This is the last training day at the OWASP AppSec Global conference. This is meant for users of CRS, for integrators and committers of our project. Entry to the summit is free, but it makes sense to combine it with the AppSec conference the next day of course if you make the trip to the Netherlands.
    The Summit will start in the early afternoon and we are going to have a dinner together afterwards.
    Please get in touch if you plan to attend, so we can accommodate enough seats at the RAI (and at the restaurant afterwards):
    Link:
    christian.folini / at / owasp.org
  • Christian Folini is going to present at the OWASP AppSec Global conference in Amsterdam on September 26 / 27. His talk will be about Practical CRS in high security settings.
    Link:
    https://ams.globalappsec.org/

Important pull requests in the queue

  • There is a PR for a new rule aiming at insecure deserialization in Node.js. This is meant to be the first rule in a new rule group (REQUEST-934-APPLICATION-ATTACK-NODEJS.conf) that is going to be released together with CRS 3.2 if all goes according to plan.
    Link:
    https://github.com/coreruleset/coreruleset/pull/1487
  • Not much more of much importance is in the queue. We have been very active with merging those last few weeks. There are just a few bugfixes here and there plus more tests.

News assembled by Christian Folini, CRS Co-Lead.

Announcement: OWASP ModSecurity Core Rule Set Version 3.1.1

The OWASP ModSecurity Core Rule Set team is pleased to announce the CRS release v3.1.1.

This is a minor release fixing a Regular Expression Denial of Service weakness (CVE-2019-11387) as well as some minor bugs and false positives.

The CVE affects only users of the libModSecurity 3 release line, and only under special circumstances. However, we advise all users to upgrade to this latest stable CRS release.

We were notified of 5 ReDoS problems in our rules in April. Upon closer inspection, only 1 of them proved real (the others were found in the naked regular expression, not taking the payload transformations and protection mechanisms of the engine into consideration). Once this was established, we had to fix the regex without changing the detection capabilities of the affected rules. And this is what took us so long.
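The two checks that such a fix has to pass, "no exponential backtracking" and "same matches as before", can be scripted. The following is an added example, not a CRS rule and not the pattern behind CVE-2019-11387: a constructed rule-style pattern with a nested quantifier, its backtracking-safe rewrite, an equivalence check over a constructed corpus, and a timing comparison on a crafted input. It assumes that Python's re module backtracks the way PCRE does for this construct (it does: both are backtracking engines without memoization), and that nothing caps the match, which is the situation on ModSecurity 3; ModSecurity 2 bounds this with its SecPcreMatchLimit and SecPcreMatchLimitRecursion directives, which is why the same pattern is far less of a problem there.

```python
import re
import time

# Added illustration, not CRS or ModSecurity code.

# Vulnerable: (?:\w+\s?)+ can split a run of n word characters in 2^(n-1)
# ways, and when the final $ fails the engine tries every one of them.
VULNERABLE = re.compile(r'^(?:\w+\s?)+$')

# Equivalent rewrite: words separated by exactly one whitespace character,
# optionally followed by one trailing whitespace character. Each position is
# decided by a single character, so a failed match costs linear time.
SAFE = re.compile(r'^\w+(?:\s\w+)*\s?$')

# Constructed corpus covering accepted and rejected shapes.
CORPUS = ["a", "a ", "ab cd", "ab cd ", "ab  cd", " ab", "ab-cd", "",
          "x y z", "é ü", "trailing tab\t", "tab\t\tgap"]


def same_decisions(corpus):
    """True if both patterns accept and reject exactly the same strings."""
    return all(bool(VULNERABLE.match(s)) == bool(SAFE.match(s)) for s in corpus)


def evil_input(n):
    """n word characters followed by a character that makes $ fail."""
    return "a" * n + "!"


def time_match(pattern, text):
    """Wall-clock seconds for a single match attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def backtracking_ratio(n):
    """How many times slower the vulnerable pattern is than the rewrite."""
    text = evil_input(n)
    return time_match(VULNERABLE, text) / max(time_match(SAFE, text), 1e-9)


if __name__ == "__main__":
    print("same decisions:", same_decisions(CORPUS))
    for n in (12, 16, 20):
        # the vulnerable pattern roughly doubles its cost per extra character
        print(n, "ratio %.0f" % backtracking_ratio(n))
```

Keep the crafted input short when you run this: every additional character doubles the time the vulnerable pattern needs, which is precisely the denial-of-service the CVE describes.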

CRS Project News May 2019

We are back with the CRS project news. There was not too much to talk about in recent weeks, but now there is real content. So here we go.

What has happened in recent weeks

  • Security researcher Somdev Sangwan has looked into Regular Expression Denial of Service attacks. It is a more or less well known fact that CRS suffers from this problem. Usually, it is no big deal, as ModSecurity 2 caps PCRE backtracking through its match limits and thereby used to protect from this type of attack. However, this protection is gone with ModSecurity 3. Somdev Sangwan had 5 (!) CVEs created against CRS. Yet we came to the conclusion that only one of them (👉 CVE-2019-11387) is directly exploitable, and only on ModSecurity 3 at paranoia level 2 or higher. The problem is situated in two separate rules. We are now working on a solution for this issue.
    Links:
    https://nvd.nist.gov/vuln/detail/CVE-2019-11387
    https://github.com/coreruleset/coreruleset/issues/1359
    https://portswigger.net/daily-swig/unpatched-modsecurity-crs-vulnerabilities-leave-web-servers-open-to-denial-of-service-attacks
  • CRS contributor Airween has made a big effort to make sure that ModSecurity 3 passes the CRS test suite. He fixed several ModSec bugs along the way (not all of them merged yet) and he has been 100% successful with ModSec3 in combination with the Apache connector. With the nginx connector, he is really close.
    Please note that this means that none of the released ModSec 3 versions are able to pass the CRS 3 test suite so far.
  • There was very little interest among the CRS developers in going to Tel Aviv to hold our CRS community summit during the OWASP AppSec Global conference there later in May. We have thus decided to shift our reunion to September and the OWASP AppSec conference in Amsterdam.
  • James Walker from Portswigger / Daily Swig covered the ongoing development with ModSecurity in an online article.
    Link: https://portswigger.net/daily-swig/waf-reloaded-modsecurity-3-1-showcased-at-black-hat-asia
  • We are very happy to welcome Andrea Menin / theMiddleBlue / MeninTheMiddle as a CRS developer with commit rights. The latter took a fair bit of time, but the joy is even bigger now.
  • There is a fairly new ModSecurity integration into the Envoy Proxy on Kubernetes. We have not tested it yet, though.
    Link: https://github.com/octarinesec/ModSecurity-envoy

Significant pull requests that were merged

Things that are meant to happen in the coming weeks or thereafter

  • Tin Zaw from Verizon is presenting CRS at the OWASP project showcase
    at the AppSec conference in Tel Aviv.
  • 3.1.1 is meant to be released with a backported fix for CVE-2019-11387 as soon as we have the fix.

Important pull requests in the queue

Regular Expression DoS weaknesses in CRS

Somdev Sangwan has discovered several Regular Expression Denial of Service (ReDoS) weaknesses in the rules provided by the CRS project. They are listed under the following CVEs:

The fact that CRS is affected by ReDoS is not particularly surprising and truth be told, we knew that was the case. We just have not solved it yet - or have not been able to solve it yet.

CRS Project News February 2019

We are back with the CRS project news. The news is running very, very late in the month as I’ve been held up with other projects.

What has happened in recent weeks

Significant pull requests that were merged

Things that are meant to happen in the coming weeks or thereafter

  • The Core Rule Set project will participate at the Cloudfest Hackathon in Germany on March 23 - 25 under the direction of Walter Hop and Christoph Hansen. The idea is to develop rules, rules exclusions and documentation to allow easier integration of CRS for internet hosters. Registration is open.
    Link: https://www.cloudfest.com/hackathon
  • The Core Rule Set project will hold a Community Summit on Tuesday May 28, the day before the OWASP AppSecGlobal in Tel Aviv. This will follow the same format as the Community Summit we did at AppSecEU in London in 2018. Details pending.
  • Swiss Post is running a public intrusion test against its Online-Voting system, which is protected by the Core Rule Set as a first layer of defense. The test runs from February 25 to March 24, 2019.
    Link: https://www.evoting-blog.ch/en/pages/2019/public-hacker-test-on-swiss-post-s-e-voting-system
  • The next Monthly Community Chat will be held on Monday March 4, 2019, at 20:30 CET in the #coreruleset channel in the OWASP Slack. A link to a slack invite can be found in the agenda linked below. Please use this agenda issue on github to schedule topics for discussion.
    Link: https://owasp.slack.com
    Link: https://github.com/coreruleset/coreruleset/issues/1314

Important pull requests in the queue

CRS Project News January 2019

We are back with the CRS project news. We’re attending the Cloudfest Hackathon in March in Germany and we have plans for another CRS Community Summit at the new OWASP AppSec Global conference in Tel Aviv at the end of May (formerly OWASP AppSecEU).

What has happened in recent weeks

  • We have reached 1500 stars on GitHub and adding more every day in a nice exponential curve. This makes us one of the most popular OWASP projects on GitHub.
    Link: https://seladb.github.io/StarTrack-js/?u=SpiderLabs&r=owasp-modsecurity-crs
  • CRS contributor Ervin Hegedüs, supported by Andrea Menin and Walter Hop, is working hard to get the CRS FTW tests to pass with ModSecurity 3 on NGINX and ModSecurity 3 on Apache. These tests are important for including Nginx with ModSecurity 3 in the next Debian release. CRS is currently using ModSecurity 2.9 on Apache as reference platform, but we need to open up for ModSecurity 3 as it is slowly maturing. Ervin and Andrea have now reached a state where over 90% of the tests pass, but they may have also discovered a bug or two in ModSecurity 3. When the work on Debian is done, we will set up our Continuous Integration via Travis to run our tests against multiple platforms.
  • Angelo Conforti published an interesting piece of code that generates ModSecurity whitelisting rules from a Swagger definition. This could be very interesting for securing APIs on top of CRS: CRS blocks known-bad input, while rules derived from the API description deny everything the API does not document. This is a work in progress, but it looks promising and I am sure testing is welcome.
    Link: https://github.com/angeloxx/swagger2modsec
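To show what such a positive security model looks like in rule form, here is an added example that is independent of swagger2modsec (it is neither that project's code nor its output): a small Python generator that reads a constructed Swagger/OpenAPI 2.0 fragment and emits ModSecurity rules which flag documented endpoints, deny undeclared query parameters on them, and reject every request that matched no documented method/path pair. The rule ids, messages and status codes are chosen for the example; the SecRule syntax, the REQUEST_FILENAME, REQUEST_METHOD, ARGS_GET_NAMES and &TX: targets and the chain/setvar mechanics are standard ModSecurity.

```python
import re

# Added illustration, not swagger2modsec code or output.

# Constructed OpenAPI 2.0-style document (only the fields used here).
SPEC = {
    "basePath": "/api/v1",
    "paths": {
        "/pets": {
            "get": {"parameters": [{"name": "limit", "in": "query"},
                                   {"name": "tags", "in": "query"}]},
            "post": {"parameters": [{"name": "body", "in": "body"}]},
        },
        "/pets/{petId}": {
            "get": {"parameters": [{"name": "petId", "in": "path"}]},
            "delete": {"parameters": [{"name": "petId", "in": "path"}]},
        },
    },
}


def path_regex(base_path, template):
    """Turn /pets/{petId} into an anchored regex; a path parameter is one segment."""
    parts = re.split(r'(\{[^}]+\})', base_path + template)
    pieces = ['[^/]+' if p.startswith('{') else re.escape(p) for p in parts]
    return '^' + ''.join(pieces) + '$'


def generate_rules(spec, first_id=900100):
    """Return ModSecurity rules implementing an allowlist for the documented API."""
    rule_id = first_id
    rules = []
    for template, methods in spec["paths"].items():
        rx = path_regex(spec.get("basePath", ""), template)
        for method, operation in methods.items():
            m = method.upper()
            query_names = sorted(p["name"] for p in operation.get("parameters", [])
                                 if p["in"] == "query")
            # 1) mark requests that hit a documented method/path pair
            rules.append(
                f'SecRule REQUEST_METHOD "@streq {m}" "id:{rule_id},phase:1,pass,nolog,chain"\n'
                f'    SecRule REQUEST_FILENAME "@rx {rx}" "setvar:tx.api_known=1"')
            rule_id += 1
            # 2) on that endpoint, deny any query parameter the spec does not declare
            #    ((?!) never matches, so an endpoint without query parameters allows none)
            allowed = '|'.join(re.escape(n) for n in query_names) or '(?!)'
            rules.append(
                f'SecRule REQUEST_METHOD "@streq {m}" "id:{rule_id},phase:2,deny,status:400,log,'
                f"msg:'Undeclared query parameter for {m} {template}',chain\"\n"
                f'    SecRule REQUEST_FILENAME "@rx {rx}" "chain"\n'
                f'    SecRule ARGS_GET_NAMES "!@rx ^(?:{allowed})$"')
            rule_id += 1
    # 3) a request that set no tx.api_known is outside the documented API
    rules.append(
        f'SecRule &TX:api_known "@eq 0" "id:{rule_id},phase:2,deny,status:404,log,'
        f"msg:'Request outside the documented API'\"")
    return rules


if __name__ == "__main__":
    print("\n\n".join(generate_rules(SPEC)))
```

Two design points carry over to any generator of this kind: match the path against REQUEST_FILENAME rather than REQUEST_URI, because the latter still contains the query string and would make the anchored regex fail; and test the unset case with the `&TX:` counter, since a rule on an unset TX variable is simply skipped instead of failing closed.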

Significant pull requests that were merged

When we stated development had picked up nicely after the release 3.1 the statement contained a lot of hope. But looking over the last four weeks makes it clear that we have indeed accelerated.

CRS Project News December 2018

I hope everybody has a few calm days to finish the year. CRS is finishing the year enjoying the 3.1 release and an adjustment to the PHP rules that closes a nasty hole in the detection.

What has happened in recent weeks

  • CRS 3.1 has been released bringing new rules to detect Java injections and an easier way to deal with paranoia levels. More changes in the announcement.
    Link: https://coreruleset.org/20181128/announcement-owasp-modsecurity-core-rule-set-version-3-1-0/
  • CRS Co-Lead Christian Folini taught two CRS crash courses together with David Jardin from Siwecos in Bern and Zurich, Switzerland. The course was sponsored by Switch (The Swiss NIC) and addressed internet hosters. One result was a new initiative to run a workshop at the Cloudfest conference in late March to come up with a CRS profile that works for internet hosters. There will be a separate announcement, when we know more.
  • CRS committer Franziska Bühler published a blog post introducing the extensions for the official CRS docker container that she developed. The extensions allow you to configure a CRS container including the backend connection from the command line.
    Link: https://coreruleset.org/20181212/core-rule-set-docker-image/
  • CRS Co-Lead Christian published an asciinema demo video illustrating Franziska’s work.
    Link: https://asciinema.org/a/0JDnaO1Wi42sIYpgJzoYbCdtn
  • The American company Gridvision published a success story about how they secured their WordPress setup with CRS.
    Link(Outdated): “gridvision.net/projects/nginx-modsecurity-and-project-honeypot”
  • CRS contributor TheMiddle published a blog post with WAF bypasses aiming for PHP. As usual, CRS was doing better than many other WAFs, but there is a particularly sinister bypass we did not detect in lower paranoia levels (more news about this below).
    Link: https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/

Significant pull requests that were merged

With the 3.1 release out the door, the development for 3.2 was immediately revived. Pull requests are coming in nicely now.