February 28, 2019
By
Christian Folini
(netnea)
We are back with the CRS project news. This edition is running very, very late in the month, as I have been held up with other projects.
What has happened in recent weeks
Significant pull requests that were merged
Things that are meant to happen in the coming weeks or thereafter
- The Core Rule Set project will participate in the Cloudfest Hackathon in Germany on March 23 - 25 under the direction of Walter Hop and Christoph Hansen. The idea is to develop rules, rule exclusions and documentation to allow easier integration of CRS for internet hosters. Registration is open.
Link: https://www.cloudfest.com/hackathon
- The Core Rule Set project will hold a Community Summit on Tuesday May 28, the day before OWASP AppSec Global in Tel Aviv. This will follow the same format as the Community Summit we held at AppSecEU in London in 2018. Details pending.
- Swiss Post is running a public intrusion test against its online voting system, which is protected by the Core Rule Set as a first layer of defense. The test runs from February 25 to March 24, 2019.
Link: https://www.evoting-blog.ch/en/pages/2019/public-hacker-test-on-swiss-post-s-e-voting-system
- The next Monthly Community Chat will be held on Monday March 4, 2019, at 20:30 CET in the #coreruleset channel in the OWASP Slack. A link to a Slack invite can be found in the agenda linked below. Please use this agenda issue on GitHub to schedule topics for discussion.
Link: https://owasp.slack.com
Link: https://github.com/coreruleset/coreruleset/issues/1314
Important pull requests in the queue
January 24, 2019
By
Christian Folini
(netnea)
We are back with the CRS project news. We’re attending the Cloudfest Hackathon in March in Germany and we have plans for another CRS Community Summit at the new OWASP AppSec Global conference in Tel Aviv at the end of May (formerly OWASP AppSecEU).
What has happened in recent weeks
- We have reached 1500 stars on GitHub and are adding more every day in a nice exponential curve. This makes us one of the most popular OWASP projects on GitHub.
Link: https://seladb.github.io/StarTrack-js/?u=SpiderLabs&r=owasp-modsecurity-crs
- CRS contributor Ervin Hegedüs, supported by Andrea Menin and Walter Hop, is working hard to get the CRS FTW tests to pass with ModSecurity 3 on NGINX and ModSecurity 3 on Apache. These tests are important for including NGINX with ModSecurity 3 in the next Debian release. CRS currently uses ModSecurity 2.9 on Apache as its reference platform, but we need to open up to ModSecurity 3 as it slowly matures. Ervin and Andrea have now reached a state where over 90% of the tests pass, and along the way they may have discovered a bug or two in ModSecurity 3. When the work for Debian is done, we will set up our Continuous Integration via Travis to run our tests against multiple platforms.
- Angelo Conforti published an interesting piece of code that generates ModSecurity whitelisting rules from a Swagger definition. This could be very useful for securing APIs on top of CRS. It is a work in progress, but it looks promising and I am sure testing is welcome.
Link: https://github.com/angeloxx/swagger2modsec
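To show what a generator of this kind produces, here is an added example in Python. It is not the swagger2modsec code and makes no claim about that tool's output; it reads a constructed, minimal Swagger 2.0 definition (embedded below, not a real API) and emits ModSecurity deny rules for everything the definition does not describe: unknown paths, undocumented methods on a known path, and undocumented argument names. The rule IDs (90000 upwards), status codes and messages are assumptions chosen for the example.

```python
import re

# Constructed, minimal Swagger 2.0 document used as input (not a real API).
SWAGGER = {
    "basePath": "/api/v1",
    "paths": {
        "/pets": {
            "get": {"parameters": [{"name": "limit", "in": "query"},
                                   {"name": "offset", "in": "query"}]},
            "post": {"parameters": [{"name": "pet", "in": "body"}]},
        },
        "/pets/{petId}": {
            "get": {"parameters": [{"name": "petId", "in": "path"}]},
            "delete": {"parameters": [{"name": "petId", "in": "path"}]},
        },
    },
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
# Only parameters in these locations show up in ModSecurity's ARGS collection;
# path parameters are part of the URI and body parameters need a body parser.
ARG_LOCATIONS = {"query", "formData"}


def path_to_regex(base_path, path):
    """Anchored regex for one path template; each {param} matches a single segment."""
    segments = []
    for seg in (base_path + path).split("/"):
        if re.fullmatch(r"\{[^}]+\}", seg):
            segments.append("[^/]+")
        else:
            segments.append(re.escape(seg))
    return "^" + "/".join(segments) + "$"


def generate_rules(spec, first_id=90000):
    """Return ModSecurity rules (as strings) denying what the spec does not describe."""
    base = spec.get("basePath", "")
    rule_id = first_id
    rules = []

    # Rule 1: request path not in the spec -> 404. phase:1 needs only the request line.
    all_paths = "|".join(path_to_regex(base, p) for p in spec["paths"])
    rules.append(
        f'SecRule REQUEST_FILENAME "!@rx (?:{all_paths})" '
        f'"id:{rule_id},phase:1,deny,status:404,log,msg:\'Path not in API specification\'"'
    )

    for path, item in spec["paths"].items():
        path_rx = path_to_regex(base, path)
        methods = sorted(m.upper() for m in item if m in HTTP_METHODS)
        method_alt = "|".join(methods)
        arg_names = sorted({
            p["name"]
            for m in methods
            for p in item[m.lower()].get("parameters", [])
            if p.get("in") in ARG_LOCATIONS
        })

        # Rule 2: known path, undocumented method -> 405. The chained rule supplies
        # the second condition; the disruptive action lives on the first rule.
        rule_id += 1
        rules.append(
            f'SecRule REQUEST_FILENAME "@rx {path_rx}" '
            f'"id:{rule_id},phase:1,deny,status:405,log,chain,msg:\'Method not in API specification\'"\n'
            f'    SecRule REQUEST_METHOD "!@rx ^(?:{method_alt})$"'
        )

        # Rule 3: known path, undocumented argument name -> 400. phase:2 so that
        # form-data arguments in the request body are visible to ARGS_NAMES.
        rule_id += 1
        if arg_names:
            arg_alt = "|".join(arg_names)
            arg_check = f'SecRule ARGS_NAMES "!@rx ^(?:{arg_alt})$"'
        else:
            arg_check = 'SecRule &ARGS "!@eq 0"'
        rules.append(
            f'SecRule REQUEST_FILENAME "@rx {path_rx}" '
            f'"id:{rule_id},phase:2,deny,status:400,log,chain,msg:\'Argument not in API specification\'"\n'
            f'    {arg_check}'
        )
    return rules


def render(spec, first_id=90000):
    """Render the rules as a ModSecurity configuration fragment."""
    return "\n".join(generate_rules(spec, first_id)) + "\n"


if __name__ == "__main__":
    print(render(SWAGGER))
```

Two simplifications are worth knowing before using anything like this: argument names are allowed per path across all of its methods, and `in: body` parameters are not checked at all, since that would require a JSON body parser and rules on the parsed structure. A negated operator on a collection such as ARGS_NAMES matches as soon as one element fails the allow-list, which is what makes the third rule work. In a CRS deployment such rules belong in a custom rule file loaded alongside CRS, with IDs outside the range CRS itself uses.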
Significant pull requests that were merged
When we said after the 3.1 release that development had picked up nicely, that statement contained a good deal of hope. Looking over the last four weeks, it is clear that we have indeed accelerated.
December 26, 2018
By
Christian Folini
(netnea)
I hope everybody has a few calm days to finish the year. CRS is finishing the year enjoying the 3.1 release and an adjustment to the PHP rules that closes a nasty hole in the detection.
What has happened in recent weeks
- CRS 3.1 has been released, bringing new rules to detect Java injections and an easier way to deal with paranoia levels. See the announcement for the full list of changes.
Link: https://coreruleset.org/20181128/announcement-owasp-modsecurity-core-rule-set-version-3-1-0/
- CRS Co-Lead Christian Folini taught two CRS crash courses together with David Jardin from Siwecos in Bern and Zurich, Switzerland. The courses were sponsored by Switch (the Swiss NIC) and addressed internet hosters. One result was a new initiative to run a workshop at the Cloudfest conference in late March to come up with a CRS profile that works for internet hosters. There will be a separate announcement when we know more.
- CRS committer Franziska Bühler published a blog post introducing the extensions for the official CRS Docker container that she developed. The extensions allow you to configure a CRS container, including the backend connection, from the command line.
Link: https://coreruleset.org/20181212/core-rule-set-docker-image/
- CRS Co-Lead Christian published an asciinema demo video illustrating Franziska’s work.
Link: https://asciinema.org/a/0JDnaO1Wi42sIYpgJzoYbCdtn
- The American company Gridvision published a success story describing how they secured their WordPress setup with CRS.
Link (outdated): “gridvision.net/projects/nginx-modsecurity-and-project-honeypot”
- CRS contributor TheMiddle published a blog post with WAF bypasses targeting PHP. As usual, CRS did better than many other WAFs, but there is a particularly sinister bypass we did not detect at lower paranoia levels (more on this below).
Link: https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
Significant pull requests that were merged
With the 3.1 release out the door, the development for 3.2 was immediately revived. Pull requests are coming in nicely now.
December 12, 2018
By
Franziska Buehler
The Core Rule Set is installed in just four steps, as described in the Installation Guide.
Now, it’s even easier using the CRS Docker container. The effort to start the CRS in front of an application is reduced to a few seconds and only one command.
Franziska Bühler, one of the CRS developers, enhanced the official CRS container. Various CRS variables and the backend application to be protected can be configured using this enhanced container.
November 28, 2018
By
Christian Folini
(netnea)
The OWASP Core Rule Set team is happy to announce the CRS release v3.1.0 at last.
A wee bit over 2 years in the making, this major release represents a big step forward in terms of capabilities, usability and protection.
Key features include:
- A new set of rules defending against Java injections
- Initial set of file upload checks
- Built-in exceptions for DokuWiki, ownCloud, Nextcloud and cPanel
- Easier handling of the paranoia mode
- Many false positives fixed
- Successful source code archaeology with regular expressions
- Detailed rule cleanup for easier maintenance
- Speed improvements via the removal of unneeded regex capture groups
- Regression tests for rules, Travis support
- CRS Docker image based on Ubuntu
For a complete list of new features and the changes in this release, see the CHANGES document:
https://github.com/coreruleset/coreruleset/blob/v3.1/dev/CHANGES
November 14, 2018
By
Christian Folini
(netnea)
The plan is to do this newsletter every month, but it’s already November. The reason is the pending 3.1 release, so I waited for the release to happen and then it did not and suddenly October was over. But now we have a 3.1-RC2 and a strong belief that 3.1 will come out for good on Sunday November 24.
What has happened in recent weeks
Significant pull requests that were merged
Things that are meant to happen in the coming weeks
- We plan to release CRS 3.1 on Sunday November 24.
- There are going to be two separate one-day ModSecurity / CRS courses for ISPs / Hosters focusing on CMS. Christian Folini and David Jardin from SIWECOS will teach both courses on invitation by SWITCH.
The first course will be on December 5 in Bern, Switzerland and the second course will be on December 6 in Zurich, Switzerland.
Link: https://swit.ch/CMS_Bern
Link: https://swit.ch/CMS_Zurich
- CRS developer Franziska Bühler is working on her Docker container. She is adding CLI support for all the CRS variables during “docker create”. This means you will be able to create and configure a CRS WAF container on the fly with a one-liner. This is meant to be merged into the official CRS Docker container eventually.
Link: https://hub.docker.com/r/franbuehler/modsecurity-crs-rp/
- The next Monthly Community Chat will be held on December 3, 2018, at 20:30 CET in the #coreruleset channel in the OWASP Slack. A link to a slack invite can be found in the agenda linked below. Please use this agenda issue on github to schedule topics for discussion.
Link: https://owasp.slack.com
Link: https://github.com/coreruleset/coreruleset/issues/1238
- CRS developer Felipe Zipitria has volunteered to come up with a proposal to have CRS swag produced via an online print-on-demand shop. Desired items include posters, stickers, buttons and T-shirts, ideally the full range.
Link: https://github.com/OWASP/owasp-swag
Important pull requests in the queue
October 3, 2018
By
Walter Hop
Are you interested in hanging out with the CRS developers? Giving your input on CRS development issues? Chatting about the wonderful world of WAFs? Then this is your chance!
At OWASP AppSecEU 2018, we started the #coreruleset channel in the OWASP Slack.
This has turned out to be a good place for exchanging ideas and working together in real time. So, we’ve settled in and we invite anyone to join us there.
September 27, 2018
By
Christian Folini
(netnea)
We skipped the monthly news in August as the 3.1-RC release had been delayed into September. But here we go again with the mostly monthly newsletter of the CRS project.
The most important news is the publication of the release candidate 1 for CRS 3.1.
What has happened in recent weeks
- CRS 3.1 RC1 has been released. The most important changes:
- Development has moved to the 3.2/dev branch; some changes will be backported to 3.1.
Link: https://github.com/coreruleset/coreruleset
- Interview with CRS project co-lead Christian Folini on the AppSec podcast
Link: https://coreruleset.org/20180809/appsec-podcast-interviewing-crs-project-co-lead-christian-folini/
- Webinar on ModSecurity and CRS3 with Owen Garett, Head of Products at NGINX: the webinar covered installation of ModSecurity 3 and CRS3, but also integration and tuning for false positives and performance. It could be watched on demand after registration (link no longer available).
- There is a missing feature in ModSecurity 3.0.x that makes it choke on the upcoming CRS 3.1 release. An official patch is available and the development tree of ModSecurity has the fix, but Trustwave has not yet published a new ModSecurity release containing it. This may mean that users of the officially released ModSecurity 3 software will fail to run CRS 3.1 after our release.
Link: https://github.com/SpiderLabs/ModSecurity/issues/1797
- MaxMind, the company behind the popular GeoIP database used by ModSecurity, has ceased to release the legacy format of the database. ModSecurity 2.9 only supports this legacy format, so users are in a bad position. CRS developer Christoph Hansen posted on the ModSecurity mailing list that he was able to convert the new GeoIP database into the old format so he could continue to use it. A blog post is in the making.
Link: https://github.com/SpiderLabs/ModSecurity/issues/1727#issuecomment-423612546
- The OWASP Slack changed the place to get invites. If you want to join us, please get in touch via mail and we will send you the link. OWASP says they are overhauling the setup.
Significant pull requests that were merged
- Development has shifted to the new 3.2 branch, which has been declared master
- Walter Hop contributed two new strings to the list of Java Struts namespaces used in the new rule 944130
Link: https://github.com/coreruleset/coreruleset/pull/1177
- Other than that, everybody is waiting for new issues to pop up with the 3.1-RC release, but it has been quiet on that front so far.
Things that are meant to happen in the coming weeks
- We plan to release CRS 3.1 in October unless we see any road blockers.
- There is a strange bug in which a PL2 rule among the new Java rules in CRS 3.1-RC1 triggers unexpectedly. If it is a bug, it is more likely a ModSecurity bug, but it is completely unclear how it happens, as reproduction has been very cumbersome so far. What is clear is that it occurs in connection with chunked transfer encoding of JSON payloads at PL2 and higher, so it is a rather peculiar and relatively rare situation.
Link: https://github.com/coreruleset/coreruleset/issues/1185
Important pull requests in the queue
September 13, 2018
By
Christian Folini
(netnea)
This is a guest piece by Jamie Riden / @pedantic_hacker. Jamie has been doing penetration tests, secure development training and security code review since 2010 - and other kinds of computer-wrangling for much, much longer.
Having been a systems engineer, a coder and now a pen-tester, I’d like to take a brief moment of your time to talk about layered defenses; specifically in this case why running a web application firewall is a good idea. In my current job I get engaged to do various forms of pen-testing. Relatively often, we turn up something in a web application that could have been prevented in a couple of ways. Last week for example, I found a lovely old-school OS command injection bug in a single parameter of a reasonably sized website.
September 2, 2018
By
Chaim Sanders
This article explores how to use an uninitialized Bash variable to bypass WAF regular expression based filters and pattern matching. Let’s see how it can be done on CloudFlare WAF and ModSecurity OWASP CRS3.
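As an added example (constructed here, not code from the article or from CRS), the following Python models the bypass end to end: a naive signature looks for the literal `cat /etc/passwd`, the payload `cat$u /etc$u/passwd` slips past it because that literal never appears in the request, yet Bash expands the unset variable `$u` to nothing and executes exactly the filtered command. The hardened filter strips parameter expansions before matching. `bash_words` asks a real bash which words the line expands to (through printf, so nothing is read or executed) and is skipped when bash is not installed. The signature, the payload and the variable name are assumptions made for the illustration.

```python
import re
import shutil
import subprocess

BASH = shutil.which("bash")

# A naive blocklist signature of the kind the article bypasses (constructed).
NAIVE = re.compile(r"\bcat\s+/etc/passwd\b")

# Bash parameter expansion, $name or ${name}. An unset name expands to the
# empty string, so "cat$u /etc$u/passwd" becomes "cat /etc/passwd" when parsed.
EXPANSION = re.compile(r"\$(?:\{[A-Za-z_][A-Za-z0-9_]*\}|[A-Za-z_][A-Za-z0-9_]*)")

PAYLOAD_PLAIN = "cat /etc/passwd"       # caught by the naive signature
PAYLOAD_BYPASS = "cat$u /etc$u/passwd"  # same command once bash expands $u


def naive_filter(cmd):
    """True if the naive signature would block the command string."""
    return NAIVE.search(cmd) is not None


def normalize(cmd):
    """Model the empty expansion of unset variables by deleting each $name/${name}."""
    return EXPANSION.sub("", cmd)


def hardened_filter(cmd):
    """Match the signature against both the raw and the normalized command."""
    return naive_filter(cmd) or naive_filter(normalize(cmd))


def bash_words(cmd):
    """Return the words bash produces for cmd, or None if bash is unavailable.

    printf prints one word per line instead of running the command, and the
    clean environment guarantees $u is unset, as in the bypass.
    """
    if BASH is None:
        return None
    script = f'printf "%s\\n" {cmd}'
    result = subprocess.run([BASH, "-c", script], env={"PATH": "/usr/bin:/bin"},
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    for payload in (PAYLOAD_PLAIN, PAYLOAD_BYPASS):
        print(f"{payload!r:28} naive={naive_filter(payload)!s:5} "
              f"hardened={hardened_filter(payload)!s:5} bash={bash_words(payload)}")
```

Deleting `$name` before matching assumes the name is unset; if it is set, the real expansion is not empty, so the normalized form over-approximates, which for a blocklist only means a possible false positive. The pattern above does not cover `${u:-}`-style forms, text in single quotes (which Bash does not expand) or the many other shell tricks in the same family, which is exactly why a single literal signature is the wrong tool for detecting shell commands.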