June 8, 2020
By
Christian Folini
(netnea)
Tagging rules is a great feature of ModSecurity since it allows you to add information to your ModSec alert messages. In my tutorial on Embedding ModSec over at netnea.com, I use the tag feature in the default action to add a tag to every alert message from a given service. I do this as follows:
SecDefaultAction "phase:2,pass,log,tag:'Local Lab Service'"
One of my customers uses a shortcut URI as the tag. So when an alert pops up, the SOC person can click on the tag, the URI is expanded (by a redirection service) and she ends up on a wiki page giving her all the information about the service: purpose, architecture, host IDs, security classification and contact information.
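As an added example (not code from the post), the following Python parses the bracketed fields of a ModSecurity error-log alert, collects the repeated tag fields and picks out the URI-style tag that a SOC console could render as a clickable link; the alert line, the hostname and the go.example.net shortcut are constructed here.

```python
import re

# Constructed ModSecurity 2 error-log alert, shaped like the lines the tag ends up in
# (not a real log from the post). Several [tag "..."] entries per alert are normal.
SAMPLE_ALERT = (
    '[Mon Jun 08 10:15:42.123456 2020] [:error] [pid 1234] [client 192.0.2.10] '
    'ModSecurity: Warning. detected SQLi using libinjection. [line "45"] [id "942100"] '
    '[msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] '
    '[tag "application-multi"] [tag "attack-sqli"] '
    '[tag "https://go.example.net/svc-shop"] [hostname "shop.example.net"] [uri "/search"]'
)

# One bracketed field: [key "value"], with backslash-escaped characters allowed in the value.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_alert(line):
    """Return the bracketed fields of one alert; repeated keys such as tag become lists."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, []).append(value)
    return fields


def service_links(fields):
    """Tags written as URIs (the shortcut-URI convention from the post) are the clickable ones."""
    return [t for t in fields.get("tag", []) if t.startswith(("http://", "https://"))]
```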
May 27, 2020
By
Walter Hop
The OWASP ModSecurity Core Rule Set team is proud to announce the release candidate 1 for the upcoming CRS v3.3.0 release. The release candidate is available at:
https://github.com/coreruleset/coreruleset/archive/v3.3.0-rc1.tar.gz
https://github.com/coreruleset/coreruleset/archive/v3.3.0-rc1.zip
This release packages many changes, such as:
- New rule to detect LDAP injection
- New HTTP Splitting rule
- Block backup files ending with ~ in filename
- Detect ffuf, Semrush and WFuzz scanners
- Updated exclusion profiles for Nextcloud, WordPress and XenForo
- Improvements to many patterns to improve detection and lower false alarms
Important note: The format of the configuration setting allowed_request_content_type has been changed to be more in line with other variables. If you had manually changed this setting, you need to update it. Please see the example rule 900220 in crs-setup.conf.example. If you didn't change this setting, you don't need to do anything.
May 13, 2020
By
Christian Folini
(netnea)
We have successfully migrated our GitHub repository to a new location at
https://github.com/coreruleset/coreruleset
Trustwave SpiderLabs hosted the OWASP ModSecurity Core Rule Set project under their umbrella for many years. They acted as stewards of our project and also directed it via the former lead Ryan Barnett. Yet as a formally independent OWASP project, it is a bit odd to dwell under a commercial entity and for a commercial entity like Trustwave SpiderLabs, it is a bit odd to host a project that they do not control.
January 18, 2020
By
Christian Folini
(netnea)
The ModSecurity 3.0.x release line suffers from a Denial of Service vulnerability: parsing a malformed cookie header triggers a segmentation fault in the web server.
All users of ModSecurity 3.0.0 - 3.0.3 should update to ModSecurity 3.0.4 as soon as possible.
ModSecurity 2.x is not affected.
The CVSS score for the vulnerability is 7.5 (HIGH). MITRE lists the vulnerability as CVE-2019-19886 (but as of this writing, it is only reserved).
The OWASP ModSecurity Core Rule Set (CRS) project makes heavy use of unit tests. One of the goals is making sure that all our rules behave as intended on the underlying ModSecurity engine. ModSecurity 2.9 on Apache is our reference platform that passes our expanding list of over 2300 tests.
January 14, 2020
By
Christian Folini
(netnea)
It’s been a while since the last CRS project news. It’s not because there was nothing to report. It’s more like too much going on and no time to sit back and write it all down.
Here are the most important things that happened since the last edition:
ModSecurity 3.0.4 has been released for NGINX. This is a security release covering a problem our project members @airween and @theMiddle have discovered. Trustwave has asked us to withhold any details for the moment, but the release of the full CVE is planned for next week. Packaging is under way as far as we can tell. If you are running ModSec3, then we strongly advise you to update ASAP and we’ll probably follow up with a separate blog post once the details are published.
Link: https://sourceforge.net/p/mod-security/mailman/message/36899090/
September 26, 2019
By
Christian Folini
(netnea)
Earlier today, Gareth Heyes presented a very interesting talk with dozens of new XSS payloads at the OWASP GlobalAppSec conference in Amsterdam. The CRS developers in the audience immediately started to try out the payloads, but Gareth was so quick they lost track…
But being the helpful person he is, he published the slides during the evening. Thank you.
This allowed us to get down to business.
We extracted 73 payloads from the presentation, submitted them against a vanilla CRS installation with the new send-payload-pls.sh script that comes with CRS 3.2 (released on Tuesday), and found that there is indeed one new payload that we are not catching in a CRS default installation:
September 24, 2019
By
Walter Hop
The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of the OWASP ModSecurity Core Rule Set Version 3.2.0.
The new release is available for download here.
This release represents a very big step forward in terms of both capabilities and protections including:
- Improved compatibility with ModSecurity 3.x
- Improved CRS docker container that is fully configurable at creation
- Expanded Java RCE blacklist
- Expanded unix shell RCE blacklist
- Improved PHP RCE detection
- New javascript/Node.js RCE detection
- Expanded LFI blacklists
- Added XenForo rule exclusion profile
- Fixes for many false positives and bypasses
- Detection of more security scanners
- Regexp performance improvements preventing ReDoS in most cases
Please see the CHANGES document with around 150 entries for a detailed list of new features and improvements:
https://github.com/coreruleset/coreruleset/blob/v3.2.0/CHANGES
How could the functionality of a WAF be better demonstrated than with a vulnerable web application?
In this blog post I introduce Pixi, an intentionally vulnerable web application by the OWASP project DevSlop. I show its known vulnerabilities and examine how the CRS protects against these vulnerabilities.
What is Pixi?
Pixi is a deliberately vulnerable web application that is part of the OWASP DevSlop project. Beside Tanya Janca, Nicole Becher and Nancy Gariché I am also part of this project. DevSlop is a training ground for DevSecOps. In addition to Pixi, DevSlop also offers many YouTube shows, blog posts and different modules on various security topics!
September 3, 2019
By
Walter Hop
The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of release candidate 2 for the upcoming CRS v3.2.0. The new release is available at
https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.zip
https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.tar.gz
This release represents a very big step forward in terms of both capabilities and protections including:
- Improved compatibility with ModSecurity 3.x
- Improved CRS docker container that is fully configurable at creation
- Expanded Java RCE blacklist
- Expanded unix shell RCE blacklist
- Improved PHP RCE detection
- New javascript/Node.js RCE detection
- Expanded LFI blacklists
- Added XenForo rule exclusion profile
- Fixes for many false positives and bypasses
- Detection of more security scanners
- Regexp performance improvements preventing ReDoS in most cases
Please see the CHANGES document with around 150 entries for a detailed list of new features and improvements:
https://github.com/coreruleset/coreruleset/blob/v3.2.0-rc2/CHANGES
August 26, 2019
By
Walter Hop
As many of you have noticed, the Core Rule Set contains very complex regular expressions. See for example rule 942480:
(?i:(?:\b(?:(?:s(?:elect\b.{1,100}?\b(?:(?:(?:length|count)\b.{1,100}?|.*?\bdump\b.*)\bfrom|to(?:p\b.{1,100}?\bfrom|_(?:numbe|cha)r)|(?:from\b.{1,100}?\bwher|data_typ)e|instr)|ys_context)|in(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)|...
These regular expressions are assembled from a list of simpler regular expressions for efficiency reasons. See regexp-942480.data for the source expressions which were combined to form this expression.
A single optimized regular expression test takes much less time than a series of simpler regular expression tests. By combining related patterns in one rule, we lower our number of rules, which helps to keep the code base compact. The downside is readability and ease of development.
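As an added illustration of that trade-off (not the project's own assembly tooling), the Python below takes a constructed list of simple source patterns in the style of regexp-942480.data, hoists their shared literal prefixes into one alternation of the shape seen in rule 942480 (s(?:elect...|ys_context), in(?:to...|sert...|ner...)), and times a single combined search against a series of per-pattern searches; the pattern list and the time_both helper are assumptions made here.

```python
import os
import re
import timeit
# Constructed stand-in for a source list like regexp-942480.data (illustrative only).
SOURCE_PATTERNS = [
    r"select\b.{1,100}?\bfrom",
    r"sys_context",
    r"into\b\W*?\b(?:dump|out)file",
    r"insert\b\W*?\binto",
    r"inner\b\W*?\bjoin",
    r"\bunion\b.{1,100}?\bselect",
]

def literal_prefix(p):
    """Leading run of plain word chars; drop the last one if a quantifier binds to it."""
    m = re.match(r"\w+", p)
    lit = m.group(0) if m else ""
    nxt = p[len(lit):len(lit) + 1]
    return lit[:-1] if nxt and nxt in "*+?{" else lit

def factor(patterns):
    """Recursively hoist shared literal prefixes: into..|inner.. becomes in(?:to..|ner..)."""
    groups = {}
    for p in patterns:
        groups.setdefault(literal_prefix(p)[:1], []).append(p)
    branches = []
    for key, grp in groups.items():
        if key == "" or len(grp) == 1:     # nothing literal to share, or a lone branch
            branches.extend(grp)
            continue
        prefix = os.path.commonprefix([literal_prefix(p) for p in grp])
        branches.append(prefix + "(?:" + factor([p[len(prefix):] for p in grp]) + ")")
    return "|".join(branches)

def assemble(patterns):
    """One case-insensitive expression for the whole list, shaped like the rule above."""
    return r"(?i:\b(?:" + factor(patterns) + "))"

def matches_series(patterns, text):
    """Naive approach: one search per source pattern (re caches the compiled forms)."""
    return any(re.search(r"(?i:\b(?:" + p + "))", text) for p in patterns)

def matches_combined(patterns, text):
    """CRS approach: a single search with the assembled expression."""
    return re.search(assemble(patterns), text) is not None

def time_both(patterns, text, repeats=5000):
    """Seconds spent by each approach over `repeats` searches of `text`."""
    run = lambda fn: timeit.timeit(lambda: fn(patterns, text), number=repeats)
    return run(matches_series), run(matches_combined)
```

Both functions give the same verdict on every input; only the work per request differs, which is the efficiency argument above, while the assembled string shows why the result is hard to read.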