Blogs

Core Rule Set Docker Image

The Core Rule Set is installed in just four steps, as described in the Installation Guide. Now it is even easier with the CRS Docker container: the effort of putting the CRS in front of an application is reduced to a few seconds and a single command. Franziska Bühler, one of the CRS developers, has enhanced the official CRS container so that various CRS variables and the backend application to be protected can be configured when the container is started.

Announcement: OWASP ModSecurity Core Rule Set Version 3.1.0

The OWASP Core Rule Set team is happy to announce the CRS release v3.1.0 at last. A wee bit over 2 years in the making, this major release represents a big step forward in terms of capabilities, usability and protection. Key features include:

- A new set of rules defending against Java injections
- Initial set of file upload checks
- Built-in exceptions for Dokuwiki, Owncloud, Nextcloud and CPanel
- Easier handling of the paranoia mode
- Many false positives fixed
- Successful source code archaeology with regular expressions
- Detailed rule cleanup for easier maintenance
- Speed improvements via the removal of unneeded regex capture groups
- Regression tests for rules, Travis support
- CRS docker image based on Ubuntu

For a complete list of new features and the changes in this release, see the CHANGES document.

CRS Project News November 2018

The plan is to do this newsletter every month, but it’s already November. The reason is the pending 3.1 release, so I waited for the release to happen and then it did not, and suddenly October was over. But now we have a 3.1-RC2 and a strong belief that 3.1 will come out for good on Sunday November 24.

What has happened in recent weeks

CRS 3.1 RC2 has been released.

Join us on the OWASP Slack!

Are you interested in hanging out with the CRS developers? Giving your input on CRS development issues? Chatting about the wonderful world of WAFs? Then this is your chance! At OWASP AppSecEU 2018, we have started the #coreruleset channel in the OWASP Slack. This has turned out to be a good place for exchanging ideas and working together in real time. So, we’ve settled in and we invite anyone to join us there.

CRS Project News September 2018

We skipped the monthly news in August as the 3.1-RC release had been delayed into September. But here we go again with the mostly monthly newsletter of the CRS project. The most important news is the publication of release candidate 1 for CRS 3.1.

What has happened in recent weeks

CRS 3.1 RC1 has been released. The most important changes:

- Protections against common Java attacks
- Support for blocking in one paranoia level while logging in a higher level
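The "block at one paranoia level, log at a higher one" feature from the 3.1 release candidate, and the "easier handling of the paranoia mode" listed for 3.1.0 above, both come down to two settings in crs-setup.conf. The excerpt below is an added example written for this page, not text from the original post or from the CRS distribution. It follows the layout of crs-setup.conf; the rule IDs 900000, 900001 and 900110 and the variable names are given from the CRS 3.1 configuration as I know it and should be checked against your own copy before use. It assumes ModSecurity is already loaded with SecRuleEngine On in modsecurity.conf.

```apacheconf
# Added example (not from the page or the CRS repository): crs-setup.conf
# excerpt showing CRS 3.1's split between the paranoia level that counts
# toward blocking and the paranoia level whose rules are merely executed.
# Rule IDs and variable names are as in the CRS 3.1 crs-setup.conf.example;
# verify against your installation.

# Paranoia level whose rule hits add to the inbound/outbound anomaly score
# and can therefore trigger a block. PL1 = lowest false-positive risk.
SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=1"

# Rules up to this paranoia level are executed and their matches are
# written to the error/audit log, but matches above tx.paranoia_level do
# not count toward the blocking score. Must be >= tx.paranoia_level.
# This lets you watch PL2 against real traffic before it can block anything.
SecAction \
  "id:900001,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.executing_paranoia_level=2"

# Anomaly thresholds (CRS defaults): one critical hit (score 5) blocks a
# request; outbound leaks block at 4. Raise these if you need a softer start.
SecAction \
  "id:900110,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.inbound_anomaly_score_threshold=5,\
   setvar:tx.outbound_anomaly_score_threshold=4"
```

With this in place, PL1 behaves exactly as before, while PL2 rule hits show up in the logs (their rule IDs carry the tag paranoia-level/2) without affecting the block decision. Once the PL2 false positives have been tuned away with rule exclusions, set tx.paranoia_level=2 and leave tx.executing_paranoia_level at 2 (or raise it to 3 to repeat the exercise for the next level).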

Some Thoughts on why Web Application Firewalls Really Make a Difference

This is a guest piece by Jamie Riden / @pedantic_hacker. Jamie has been doing penetration tests, secure development training and security code review since 2010 - and other kinds of computer-wrangling for much, much longer. Having been a systems engineer, a coder and now a pen-tester, I’d like to take a brief moment of your time to talk about layered defenses; specifically in this case why running a web application firewall is a good idea.

AppSec Podcast Interviewing CRS Project Co-Lead Christian Folini

Chris Romeo from the AppSec Podcast interviewed our own Christian Folini during the AppSecEU conference in July. The 25-minute interview was published recently. It covers the project itself, the upcoming 3.1 release, plans to expand beyond ModSecurity, and how CRS fits into agile development. Here is the link to the interview: https://www.securityjourney.com/blog/crs-and-an-abstraction-layer-s04e02/

CRS Project News July 2018

We are relaunching the monthly news. The idea is to look beyond pure CRS development again and to bring you additional information that touches on our project. As the editor, I (Christian Folini) am planning to release this in the first half of the month. This did not work in July, though, but I have a very cute excuse: she’s called Giovanna and she is only a couple of days old.

Reporting from the First CRS Community Summit in London

This is brief coverage of the CRS Community Summit during AppSecEU in London last week. Over 25 people followed our call for this first face-to-face meeting of the CRS developer team (6 of 10 developers with commit rights in the same room!) and the community. We were very happy to have several end users, Trustwave representing ModSecurity development, and also some of the big integrators in the room.