Blogs

How the CRS protects the vulnerable web application Pixi by OWASP DevSlop

How could the functionality of a WAF be better demonstrated than with a vulnerable web application? In this blog post I introduce Pixi, an intentionally vulnerable web application by the OWASP project DevSlop. I show its known vulnerabilities and examine how the CRS protects against these vulnerabilities. What is Pixi? Pixi is a deliberately vulnerable web application that is part of the OWASP DevSlop project. Beside Tanya Janca, Nicole Becher and Nancy Gariché I am also part of this project.

Announcement: OWASP ModSecurity Core Rule Set Version 3.2.0-RC2

The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of release candidate 2 for the upcoming CRS v3.2.0. The new release is available at https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.zip https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.tar.gz This release represents a very big step forward in terms of both capabilities and protections including: Improved compatibility with ModSecurity 3.x Improved CRS docker container that is fully configureable at creation Expanded Java RCE blacklist Expanded unix shell RCE blacklist Improved PHP RCE detection New javascript/Node.

How the CRS optimizes regular expressions

As many of you have noticed, the Core Rule Set contains very complex regular expressions. See for example rule 942480: (?i:(?:\b(?:(?:s(?:elect\b.{1,100}?\b(?:(?:(?:length|count)\b.{1,100}?|.*?\bdump\b.*)\bfrom|to(?:p\b.{1,100}?\bfrom|_(?:numbe|cha)r)|(?:from\b.{1,100}?\bwher|data_typ)e|instr)|ys_context)|in(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)|... These regular expressions are assembled from a list of simpler regular expressions for efficiency reasons. See regexp-942480.data for the source expressions which were combined to form this expression. A single optimized regular expression test takes much less time than a series of simpler regular expression tests. By combining related patterns in one rule, we lower our number of rules, which helps to keep the code base compact.

CRS Project News August 2019

Life is interfering and the rhythm of the CRS news is not what I would like it to be. Three months since the last edition. But the advantage is of course, that there are more news to talk about once I get to write it all up. What has happened in recent weeks The OWASP Honeypot project that is based on CRS is running a Google Summer of Code project, that aims for an up do date containerization of the honeypot.

Announcement: OWASP ModSecurity Core Rule Set Version 3.1.1

The OWASP ModSecurity Core Rule Set team is pleased to announce the CRS release v3.1.1. This is a minor release fixing a Regular Expression Denial of Service weakness (CVE-2019-11387) as well as some minor bugs and false positives. The CVE is only affecting users of the libModSecurity 3 release line and only under special circumstances. However, we advise all users to upgrade to this latest stable CRS release. We have been notified of 5 ReDoS problems in our rules in April.

CRS Project News May 2019

We are back with the CRS project news. There was not too much to talk about in recent weeks, but now there is real content. So here we go. What has happened in recent weeks Security researcher Somdev Sangwan has looked into Regular Expression Denial of Service attacks. It is a more or less well known fact, that CRS suffers from this problem. Usually, it is no big deal as ModSecurity 2 used to protect from

Regular Expression DoS weaknesses in CRS

Somdev Sangwan has discovered several Regular Expression Denial of Service (ReDoS) weaknesses in the rules provided by the CRS project. They are listed under the following CVEs: CVE-2019–11387 CVE-2019–11388 CVE-2019–11389 CVE-2019–11390 CVE-2019–11391 The fact that CRS is affected by ReDoS is not particularly surprising and truth be told, we knew that was the case. We just have not solved it yet - or have not been able to solve it yet.

CRS Project News February 2019

We are back with the CRS project news. The news are running very, very late in the month as I’ve been held up with other projects. What has happened in recent weeks Miyuru Sankalpa has started to publish a transformed GeoIP database in the legacy format readable by ModSecurity 2.x under a creative commons. This seems to be based on the MaxMind databases and it is not clear of MaxMind endorses this initiative.

CRS Project News January 2019

We are back with the CRS project news. We’re attending the Cloudfest Hackathon in March in Germany and we have plans for another CRS Community Summit at the new OWASP AppSec Global conference in Tel Aviv at the end of May (formerly OWASP AppSecEU). What has happened in recent weeks We have reached 1500 stars on GitHub and adding more every day in a nice exponential curve. This makes us one of the most popular OWASP projects on GitHub.

CRS Project News December 2018

I hope everybody has a few calm days to finish the year. CRS is finishing the year enjoying the 3.1 release and an adjustment to the PHP rules that closes a nasty hole in the detection. What has happened in recent weeks CRS 3.1 has been released bringing new rules to detect Java injections and an easier way to deal with paranoia levels. More changes in the announcement. Link: https://coreruleset.org/20181128/announcement-owasp-modsecurity-core-rule-set-version-3-1-0/ CRS Co-Lead Christian Folini taught two CRS crash courses together with David Jardin from Siwecos in Bern and Zurich, Switzerland.