May 1, 2019, by Christian Folini (netnea)
We are back with the CRS project news. There was not too much to talk about in recent weeks, but now there is real content. So here we go.
What has happened in recent weeks
Security researcher Somdev Sangwan has looked into Regular Expression Denial of Service attacks. It is a more or less well-known fact that CRS suffers from this problem. Usually it is no big deal, as ModSecurity 2 used to protect from this type of attack. However, this protection is gone with ModSecurity 3. Somdev Sangwan had 5 (!) CVEs created against CRS. Yet we came to the conclusion that only one of them (👉 CVE-2019-11387) is directly exploitable, and only on ModSecurity 3 at paranoia level 2 or higher. The problem is situated in two separate rules. We are now working on a solution for this issue.
Links:
https://nvd.nist.gov/vuln/detail/CVE-2019-11387
https://github.com/coreruleset/coreruleset/issues/1359
https://portswigger.net/daily-swig/unpatched-modsecurity-crs-vulnerabilities-leave-web-servers-open-to-denial-of-service-attacks
https://coreruleset.org/20190425/regular-expression-dos-weaknesses-in-crs/
CRS contributor Airween has made a big effort to make sure that ModSecurity 3 passes the CRS test suite. He fixed several ModSec bugs along the way (not all of them merged yet) and he has been 100% successful with ModSec3 in combination with the Apache connector. With the nginx connector, he is really close. Please note that this means that none of the released ModSec 3 versions are able to pass the CRS 3 test suite so far.
There was very little interest among the CRS developers in going to Tel Aviv to hold our CRS community summit during the OWASP AppSec Global conference there later in May. We have thus decided to shift our reunion to September and the OWASP AppSec conference in Amsterdam.
James Walker from Portswigger / Daily Swig covered the ongoing development with ModSecurity in an online article.
Link: https://portswigger.net/daily-swig/waf-reloaded-modsecurity-3-1-showcased-at-black-hat-asia
We are very happy to welcome Andrea Menin / theMiddleBlue / MeninTheMiddle as a CRS developer with commit rights. The latter took a fair bit of time, but the joy is even bigger now.
There is a fairly new ModSecurity integration into the Envoy Proxy on Kubernetes. We have not tested it yet, though.
Link: https://github.com/octarinesec/ModSecurity-envoy
Significant pull requests that were merged
Extended the list of shell commands that we detect (Co-Lead Chaim Sanders)
Link: https://github.com/coreruleset/coreruleset/pull/1325
New rule 942500: SQLi bypass via MySQL comments (Developer Franziska Bühler)
Link: https://github.com/coreruleset/coreruleset/pull/1326
Fixed problems with SOAP encodings (Developer Christoph Hansen)
Link: https://github.com/coreruleset/coreruleset/pull/1332
Added the gobuster security scanner (Contributor Brent Clark)
Link: https://github.com/coreruleset/coreruleset/pull/1375
Things that are meant to happen in the coming weeks or thereafter
Tin Zaw from Verizon is presenting CRS at the OWASP project showcase at the AppSec conference in Tel Aviv.
3.1.1 is meant to be released with a backported fix for CVE-2019-11387 as soon as we have the fix.
Important pull requests in the queue
Several PRs to solve the open CVEs. Yet many of these PRs come with a change of behaviour, and we would like to avoid that.
Links:
https://github.com/coreruleset/coreruleset/pull/1355
https://github.com/coreruleset/coreruleset/pull/1361
https://github.com/coreruleset/coreruleset/pull/1362
Remove "Warning" from php-errors.data, as all the warnings are already covered by other strings.
Link: https://github.com/coreruleset/coreruleset/pull/1343
Add AngularJS client side template injection #1340
Link: https://github.com/coreruleset/coreruleset/pull/1340
SQLi bypass detection: ticks and backticks #1335
Link: https://github.com/coreruleset/coreruleset/pull/1335
April 25, 2019, by Christian Folini (netnea)
Somdev Sangwan has discovered several Regular Expression Denial of Service (ReDoS) weaknesses in the rules provided by the CRS project. They are listed under the following CVEs:
CVE-2019-11387
CVE-2019-11388
CVE-2019-11389
CVE-2019-11390
CVE-2019-11391
The fact that CRS is affected by ReDoS is not particularly surprising and, truth be told, we knew that was the case. We just have not solved it yet, or have not been able to solve it yet.
February 28, 2019, by Christian Folini (netnea)
We are back with the CRS project news. The news is running very, very late in the month as I’ve been held up with other projects.
What has happened in recent weeks
Miyuru Sankalpa has started to publish a transformed GeoIP database in the legacy format readable by ModSecurity 2.x under a Creative Commons license. This seems to be based on the MaxMind databases and it is not clear if MaxMind endorses this initiative.
Link: https://www.miyuru.lk/geoiplegacy
CRS developer Andrea Menin has released a set of ModSecurity rules that complement CRS when protecting WordPress.
Link: https://github.com/Rev3rseSecurity/wordpress-modsecurity-ruleset
Andrea Menin has also written a tutorial about DNS over HTTPS and how to protect and integrate it using ModSecurity.
Link: https://www.secjuice.com/modsecurity-web-application-firewall-dns-over-https/
Microsoft has forked ModSecurity 2.x on GitHub and is (according to somebody working on the project) working on patches that allow better integration with the Azure Cloud.
Link: https://github.com/Microsoft/ModSecurity
CRS developer Franziska Bühler has integrated CRS together with the Pixie learning app into a new docker container. This allows for easy training sessions and checking out attacks against the naked Pixie and the one protected by CRS.
Link: https://github.com/DevSlop/pixi-crs-demo
Significant pull requests that were merged
CRS developer Andrea Menin contributed a rule to prevent PHP rule bypasses via variable functions.
Link: https://github.com/coreruleset/coreruleset/pull/1294
GitHub user siric1 contributed a rule exclusion that brings support for the WordPress Gutenberg editor.
Link: https://github.com/coreruleset/coreruleset/pull/1298
CRS co-lead Walter Hop added “Jorgee” to the list of security scanners detected by CRS.
Link: https://github.com/coreruleset/coreruleset/pull/1307
CRS co-lead Walter Hop added “ZGrab” to the list of security scanners detected by CRS.
Link: https://github.com/coreruleset/coreruleset/pull/1305
Things that are meant to happen in the coming weeks or thereafter
The Core Rule Set project will participate in the Cloudfest Hackathon in Germany from March 23 to 25 under the direction of Walter Hop and Christoph Hansen. The idea is to develop rules, rule exclusions and documentation to allow easier integration of CRS for internet hosters. Registration is open.
Link: https://www.cloudfest.com/hackathon
The Core Rule Set project will hold a Community Summit on Tuesday May 28, the day before OWASP AppSec Global in Tel Aviv. This will follow the same format as the Community Summit we did at AppSecEU in London in 2018. Details pending.
Swiss Post is running a public intrusion test against its online voting system, which is protected by the Core Rule Set as a first layer of defense. The test runs from February 25 to March 24, 2019.
Link: https://www.evoting-blog.ch/en/pages/2019/public-hacker-test-on-swiss-post-s-e-voting-system
The next Monthly Community Chat will be held on Monday March 4, 2019, at 20:30 CET in the #coreruleset channel in the OWASP Slack. A link to a Slack invite can be found in the agenda linked below. Please use this agenda issue on GitHub to schedule topics for discussion.
Link: https://owasp.slack.com
Link: https://github.com/coreruleset/coreruleset/issues/1314
Important pull requests in the queue
CRS developer Federico Schwindt contributed a rule to detect when Content-Length and Transfer-Encoding are sent in the same request.
Link: https://github.com/coreruleset/coreruleset/pull/1310
CRS developer Federico Schwindt wants to add the request path to the targets of rule 941110 (XSS Filter - Category 1: Script Tag Vector).
Link: https://github.com/coreruleset/coreruleset/pull/1306
CRS developer Federico Schwindt contributed a patch in which he aims to improve the Java detection rules.
Link: https://github.com/coreruleset/coreruleset/pull/1287
January 24, 2019, by Christian Folini (netnea)
We are back with the CRS project news. We’re attending the Cloudfest Hackathon in March in Germany and we have plans for another CRS Community Summit at the new OWASP AppSec Global conference in Tel Aviv at the end of May (formerly OWASP AppSecEU).
What has happened in recent weeks
We have reached 1500 stars on GitHub and are adding more every day in a nice exponential curve. This makes us one of the most popular OWASP projects on GitHub.
Link: https://seladb.github.io/StarTrack-js/?u=SpiderLabs&r=owasp-modsecurity-crs
CRS contributor Ervin Hegedüs, supported by Andrea Menin and Walter Hop, is working hard to get the CRS FTW tests to pass with ModSecurity 3 on NGINX and ModSecurity 3 on Apache. These tests are important for including Nginx with ModSecurity 3 in the next Debian release. CRS is currently using ModSecurity 2.9 on Apache as the reference platform, but we need to open up for ModSecurity 3 as it is slowly maturing. Ervin and Andrea have now reached a state where over 90% of the tests pass, but they may have also discovered a bug or two in ModSecurity 3. When the work on Debian is done, we will set up our Continuous Integration via Travis to run our tests against multiple platforms.
Angelo Conforti published an interesting piece of code that allows generating ModSecurity whitelisting rules based on a Swagger definition. This could be very interesting for securing APIs on top of CRS. This is a work in progress, but it looks promising and I am sure testing is welcome.
Link: https://github.com/angeloxx/swagger2modsec
Significant pull requests that were merged
When we stated that development had picked up nicely after the 3.1 release, the statement contained a lot of hope. But looking over the last four weeks makes it clear that we have indeed accelerated.
December 26, 2018, by Christian Folini (netnea)
I hope everybody has a few calm days to finish the year. CRS is finishing the year enjoying the 3.1 release and an adjustment to the PHP rules that closes a nasty hole in the detection.
What has happened in recent weeks
CRS 3.1 has been released, bringing new rules to detect Java injections and an easier way to deal with paranoia levels. More changes in the announcement.
Link: https://coreruleset.org/20181128/announcement-owasp-modsecurity-core-rule-set-version-3-1-0/
CRS Co-Lead Christian Folini taught two CRS crash courses together with David Jardin from Siwecos in Bern and Zurich, Switzerland. The course was sponsored by Switch (the Swiss NIC) and addressed internet hosters. One result was a new initiative to run a workshop at the Cloudfest conference in late March to come up with a CRS profile that works for internet hosters. There will be a separate announcement when we know more.
CRS committer Franziska Bühler published a blog post introducing the extensions for the official CRS docker container that she developed. The extensions allow you to configure a CRS container, including the backend connection, from the command line.
Link: https://coreruleset.org/20181212/core-rule-set-docker-image/
CRS Co-Lead Christian published an asciinema demo video illustrating Franziska’s work.
Link: https://asciinema.org/a/0JDnaO1Wi42sIYpgJzoYbCdtn
The American company Gridvision published a success story about how they secured their WordPress setup with CRS.
Link (outdated): “gridvision.net/projects/nginx-modsecurity-and-project-honeypot”
CRS contributor TheMiddle published a blog post with WAF bypasses aiming for PHP. As usual, CRS was doing better than many other WAFs, but there is a particularly sinister bypass we did not detect in lower paranoia levels (more news about this below).
Link: https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
Significant pull requests that were merged
With the 3.1 release out the door, the development for 3.2 was immediately revived. Pull requests are coming in nicely now.
December 12, 2018, by Franziska Buehler
The Core Rule Set is installed in just four steps, as described in the Installation Guide.
Now, it’s even easier using the CRS Docker container. The effort to start the CRS in front of an application is reduced to a few seconds and only one command.
Franziska Bühler, one of the CRS developers, enhanced the official CRS container. Various CRS variables and the backend application to be protected can be configured using this enhanced container.
November 28, 2018, by Christian Folini (netnea)
The OWASP Core Rule Set team is happy to announce the CRS release v3.1.0 at last.
A wee bit over 2 years in the making, this major release represents a big step forward in terms of capabilities, usability and protection.
Key features include:
A new set of rules defending against Java injections
Initial set of file upload checks
Built-in exceptions for Dokuwiki, Owncloud, Nextcloud and CPanel
Easier handling of the paranoia mode
Many false positives fixed
Successful source code archaeology with regular expressions
Detailed rule cleanup for easier maintenance
Speed improvements via the removal of unneeded regex capture groups
Regression tests for rules, Travis support
CRS docker image based on Ubuntu
For a complete list of new features and the changes in this release, see the CHANGES document:
https://github.com/coreruleset/coreruleset/blob/v3.1/dev/CHANGES
November 14, 2018, by Christian Folini (netnea)
The plan is to do this newsletter every month, but it’s already November. The reason is the pending 3.1 release, so I waited for the release to happen and then it did not and suddenly October was over. But now we have a 3.1-RC2 and a strong belief that 3.1 will come out for good on Sunday November 24.
What has happened in recent weeks
CRS 3.1 RC2 has been released.
It brings a few bugfixes over 3.1 RC1 and we think it will be very close to the eventual stable 3.1 release.
Download: https://github.com/coreruleset/coreruleset/releases/tag/v3.1.0-rc2
The CRS project has decided to prioritize 3.1 and abandon the 3.0 release line. So there won’t be a 3.0.3 release.
Development has been slow to pick up again. We’re working on the 3.2/dev branch, but it feels like the pending 3.1 is holding the project back.
Link: https://github.com/coreruleset/coreruleset
libModSecurity 3.0.3 has been released. This is a release focused on code readability, resilience and performance. This is an important move, as ModSecurity 3.0.2 has been breaking CRS 3.1 and we pushed the ModSecurity developers very hard to release 3.0.3 before we do our 3.1. (The delay with our 3.1 release is entirely our fault, though.)
Link: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.3
Link: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.3/CHANGES
We shifted the monthly community chat from IRC to the #coreruleset channel on the OWASP Slack.
CRS developer Christoph Hansen has published a script to convert the modern GeoIP database into the legacy format that ModSecurity 2.x supports. This solves a major problem for many users.
Link: https://github.com/emphazer/GeoIP_convert-v2-v1
Linux Journal article on ModSec / CRS on NGINX
Link: https://www.linuxjournal.com/content/modsecurity-and-nginx
Mikhail Golovanov has published an article about ModSecurity rule verification. Among many interesting ideas, he also demonstrates a way to create payloads from a regular expression in a rule.
Link: https://waf.ninja/modsecurity-rules-verification/
The company Approach from Belgium has released the source code for an Apache module that brings a new transformation to ModSecurity: t:bash. Ideally, this source code will be integrated into ModSecurity and ultimately be supported by CRS, but we are quite far from that. You can use it immediately for your own rules, though.
Link: https://www.approach.be/en/modsecurity.html
Significant pull requests that were merged
The Java rules bug that the last news reported on has been fixed.
Link: https://github.com/coreruleset/coreruleset/pull/1198
Link: https://github.com/coreruleset/coreruleset/issues/1185
Several typos in variable names have been spotted and fixed (Victor Hora)
Link: https://github.com/coreruleset/coreruleset/pull/1187
Dropped the keyword “exit” from both the Unix and Windows RCE rules (Federico Schwindt)
Link: https://github.com/coreruleset/coreruleset/pull/1204/files
Bugfix with new paranoia level counters (Federico Schwindt)
Link: https://github.com/coreruleset/coreruleset/pull/1196
Things that are meant to happen in the coming weeks
We plan to release CRS 3.1 on Sunday November 24.
There are going to be two separate one-day ModSecurity / CRS courses for ISPs / hosters focusing on CMS. Christian Folini and David Jardin from SIWECOS will teach both courses on invitation by SWITCH. The first course will be on December 5 in Bern, Switzerland and the second course will be on December 6 in Zurich, Switzerland.
Link: https://swit.ch/CMS_Bern
Link: https://swit.ch/CMS_Zurich
CRS developer Franziska Bühler is working on her docker container. She is adding CLI support for all the CRS variables during “docker create”. This means you will be able to create and configure a CRS WAF container on the fly with a one-liner. This is meant to be merged into the official CRS docker container eventually.
Link: https://hub.docker.com/r/franbuehler/modsecurity-crs-rp/
The next Monthly Community Chat will be held on December 3, 2018, at 20:30 CET in the #coreruleset channel in the OWASP Slack. A link to a Slack invite can be found in the agenda linked below. Please use this agenda issue on GitHub to schedule topics for discussion.
Link: https://owasp.slack.com
Link: https://github.com/coreruleset/coreruleset/issues/1238
CRS developer Felipe Zipitria has volunteered to come up with a proposal to have CRS swag produced via an online print-on-demand shop. Desired items include posters, stickers, buttons, T-shirts, ideally the full program.
Link: https://github.com/OWASP/owasp-swag
Important pull requests in the queue
TheMiddleBlue suggests adding additional PHP wrappers to our data file. Still not merged.
Link: https://github.com/coreruleset/coreruleset/pull/1172
Manuel Spartan suggests adding missing Java classes.
Link: https://github.com/coreruleset/coreruleset/pull/1156
October 3, 2018, by Walter Hop
Are you interested in hanging out with the CRS developers? Giving your input on CRS development issues? Chatting about the wonderful world of WAFs? Then this is your chance!
At OWASP AppSecEU 2018, we have started the #coreruleset channel in the OWASP Slack.
This has turned out to be a good place for exchanging ideas and working together in real time. So, we’ve settled in and we invite anyone to join us there.
September 27, 2018, by Christian Folini (netnea)
We skipped the monthly news in August as the 3.1-RC release had been delayed into September. But here we go again with the mostly monthly newsletter of the CRS project.
The most important news is the publication of the release candidate 1 for CRS 3.1.
What has happened in recent weeks
CRS 3.1 RC1 has been released. The most important changes:
Protections against common Java attacks
Support for blocking in one paranoia level while logging in a higher level
More pre-made exclusion packs for popular web applications
Reconstructed and improved SQL injection protections
Various bug fixes and optimizations
Announcement: http://web.archive.org/web/20230830054004/https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2018-September/002586
Download: https://github.com/coreruleset/coreruleset/releases/tag/v3.1.0-rc1
Development has been moved to the 3.2/dev branch; some changes will be backported to 3.1.
Link: https://github.com/coreruleset/coreruleset
Interview with CRS project co-lead Christian Folini on the AppSec podcast
Link: https://coreruleset.org/20180809/appsec-podcast-interviewing-crs-project-co-lead-christian-folini/
Webinar on ModSecurity and CRS3 with Owen Garrett, Head of Products at NGINX: the webinar covered installation of ModSec3 and CRS3, but also integration and tuning for false positives and performance. It can be watched on demand after registration (link no longer available).
There is a missing feature in ModSecurity 3.0.x that makes it choke on the upcoming CRS 3.1 release. There is an official patch available and the development tree of ModSecurity has the fix. But Trustwave has not yet released a new ModSecurity with the fix. This may mean that users of the officially released ModSecurity 3 software will fail to run CRS 3.1 after our release.
Link: https://github.com/SpiderLabs/ModSecurity/issues/1797
MaxMind, the company behind the popular GeoIP database used by ModSecurity, has ceased to release the legacy format of the database. ModSec 2.9 only supports this legacy version, so users are in a bad position. CRS developer Christoph Hansen posted on the ModSec mailing list that he was able to transpose the new GeoIP database into the old format so he could continue to use it. A blog post is in the making.
Link: https://github.com/SpiderLabs/ModSecurity/issues/1727#issuecomment-423612546
The OWASP Slack changed the place to get invites. If you want to join us, please get in touch via mail and we’ll send you the link. OWASP says they are overhauling the setup.
Significant pull requests that were merged
Development has been shifted to the new 3.2 branch, which has been declared master.
Walter Hop contributed 2 new strings to the list of Java Struts namespaces for use in the new 944130 rule.
Link: https://github.com/coreruleset/coreruleset/pull/1177
Other than that, everybody is waiting for new issues popping up with the 3.1-RC release, but it has been quiet on that front so far.
Things that are meant to happen in the coming weeks
We plan to release CRS 3.1 in October unless we see any road blockers.
There is a strange bug that a PL2 rule among the new Java rules in CRS 3.1-RC1 triggers. If it is a bug, it’s rather a ModSecurity bug, but it’s completely unclear how this is happening, as reproduction has been very cumbersome so far. What is clear is that it happens in connection with chunked transfer encoding of JSON payloads at PL2 and higher. So it is a rather peculiar situation that is relatively rare.
Link: https://github.com/coreruleset/coreruleset/issues/1185
Important pull requests in the queue
Victor Hora discovered typos in CRS variable names, and a discussion about streamlining lower- and upper-case variable names ensued.
Link: https://github.com/coreruleset/coreruleset/pull/1187
Franziska Bühler has fixed a relatively annoying bug in the docker image of CRS.
Link: https://github.com/coreruleset/coreruleset/pull/1168
TheMiddleBlue suggests adding additional PHP wrappers to our data file.
Link: https://github.com/coreruleset/coreruleset/pull/1172