Blogs

Regular Expression DoS weaknesses in CRS

Somdev Sangwan has discovered several Regular Expression Denial of Service (ReDoS) weaknesses in the rules provided by the CRS project. They are listed under the following CVEs:

The fact that CRS is affected by ReDoS is not particularly surprising and truth be told, we knew that was the case. We just have not solved it yet - or have not been able to solve it yet.

CRS Project News February 2019

We are back with the CRS project news. The news is running very, very late in the month as I’ve been held up with other projects.

What has happened in recent weeks

Significant pull requests that were merged

Things that are meant to happen in the coming weeks or thereafter

  • The Core Rule Set project will participate at the Cloudfest Hackathon in Germany on March 23 - 25 under the direction of Walter Hop and Christoph Hansen. The idea is to develop rules, rule exclusions and documentation to allow easier integration of CRS for internet hosters. Registration is open.
    Link: https://www.cloudfest.com/hackathon
  • The Core Rule Set project will hold a Community Summit on Tuesday May 28, the day before the OWASP AppSecGlobal in Tel Aviv. This will follow the same format of the Community Summit we did at AppSecEU in London in 2018. Details pending.
  • Swiss Post is running a public intrusion test against its online voting system, which is protected by the Core Rule Set as a first layer of defense. The test runs from February 25 to March 24, 2019.
    Link: https://www.evoting-blog.ch/en/pages/2019/public-hacker-test-on-swiss-post-s-e-voting-system
  • The next Monthly Community Chat will be held on Monday March 4, 2019, at 20:30 CET in the #coreruleset channel in the OWASP Slack. A link to a Slack invite can be found in the agenda linked below. Please use this agenda issue on GitHub to schedule topics for discussion.
    Link: https://owasp.slack.com
    Link: https://github.com/coreruleset/coreruleset/issues/1314

Important pull requests in the queue

CRS Project News January 2019

We are back with the CRS project news. We’re attending the Cloudfest Hackathon in March in Germany and we have plans for another CRS Community Summit at the new OWASP AppSec Global conference in Tel Aviv at the end of May (formerly OWASP AppSecEU).

What has happened in recent weeks

  • We have reached 1500 stars on GitHub and are adding more every day in a nice exponential curve. This makes us one of the most popular OWASP projects on GitHub.
    Link: https://seladb.github.io/StarTrack-js/?u=SpiderLabs&r=owasp-modsecurity-crs
  • CRS contributor Ervin Hegedüs, supported by Andrea Menin and Walter Hop, is working hard to get the CRS FTW tests to pass with ModSecurity 3 on NGINX and ModSecurity 3 on Apache. These tests are important for including NGINX with ModSecurity 3 in the next Debian release. CRS is currently using ModSecurity 2.9 on Apache as reference platform, but we need to open up for ModSecurity 3 as it is slowly maturing. Ervin and Andrea have now reached a state where over 90% of the tests pass, but they may also have discovered a bug or two in ModSecurity 3. When the work on Debian is done, we will set up our Continuous Integration via Travis to run our tests against multiple platforms.
  • Angelo Conforti published an interesting piece of code that generates ModSecurity whitelisting rules from a Swagger definition. This could be very interesting for securing APIs on top of CRS. It is a work in progress, but it looks promising and I am sure testing is welcome.
    Link: https://github.com/angeloxx/swagger2modsec

Significant pull requests that were merged

When we stated that development had picked up nicely after the 3.1 release, the statement contained a lot of hope. But looking over the last four weeks makes it clear that we have indeed accelerated.

CRS Project News December 2018

I hope everybody has a few calm days to finish the year. CRS is finishing the year enjoying the 3.1 release and an adjustment to the PHP rules that closes a nasty hole in the detection.

What has happened in recent weeks

  • CRS 3.1 has been released, bringing new rules to detect Java injections and an easier way to deal with paranoia levels. More changes are listed in the announcement.
    Link: /20181128/announcement-owasp-modsecurity-core-rule-set-version-3-1-0/
  • CRS Co-Lead Christian Folini taught two CRS crash courses together with David Jardin from Siwecos in Bern and Zurich, Switzerland. The courses were sponsored by Switch (the Swiss NIC) and addressed internet hosters. One result was a new initiative to run a workshop at the Cloudfest conference in late March to come up with a CRS profile that works for internet hosters. There will be a separate announcement when we know more.
  • CRS committer Franziska Bühler published a blog post introducing the extensions for the official CRS docker container that she developed. The extensions allow you to configure a CRS container, including the backend connection, from the command line.
    Link: /20181212/core-rule-set-docker-image/
  • CRS Co-Lead Christian published an asciinema demo video illustrating Franziska’s work.
    Link: https://asciinema.org/a/0JDnaO1Wi42sIYpgJzoYbCdtn
  • The American company Gridvision published a success story about how they secured their WordPress setup with CRS.
    Link (outdated): gridvision.net/projects/nginx-modsecurity-and-project-honeypot
  • CRS contributor TheMiddle published a blog post with WAF bypasses aiming for PHP. As usual, CRS was doing better than many other WAFs, but there is a particularly sinister bypass we did not detect in lower paranoia levels (more news about this below).
    Link: https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/

Significant pull requests that were merged

With the 3.1 release out the door, the development for 3.2 was immediately revived. Pull requests are coming in nicely now.

Core Rule Set Docker Image

The Core Rule Set is installed in just four steps, as described in the Installation Guide.

Now, it’s even easier using the CRS Docker container. The effort to start the CRS in front of an application is reduced to a few seconds and only one command.

Franziska Bühler, one of the CRS developers, enhanced the official CRS container. Various CRS variables and the backend application to be protected can be configured using this enhanced container.

Announcement: OWASP ModSecurity Core Rule Set Version 3.1.0

The OWASP Core Rule Set team is happy to announce the CRS release v3.1.0 at last.

A wee bit over 2 years in the making, this major release represents a big step forward in terms of capabilities, usability and protection.

Key features include:

  • A new set of rules defending against Java injections
  • Initial set of file upload checks
  • Built-in exceptions for Dokuwiki, Owncloud, Nextcloud and cPanel
  • Easier handling of the paranoia mode
  • Many false positives fixed
  • Successful source code archaeology with regular expressions
  • Detailed rule cleanup for easier maintenance
  • Speed improvements via the removal of unneeded regex capture groups
  • Regression tests for rules, Travis support
  • CRS docker image based on Ubuntu

For a complete list of new features and the changes in this release, see the CHANGES document:
https://github.com/coreruleset/coreruleset/blob/v3.1/dev/CHANGES

CRS Project News November 2018

The plan is to do this newsletter every month, but it’s already November. The reason is the pending 3.1 release: I waited for the release to happen, then it did not, and suddenly October was over. But now we have a 3.1-RC2 and a strong belief that 3.1 will come out for good on Sunday November 24.

What has happened in recent weeks

Significant pull requests that were merged

Things that are meant to happen in the coming weeks

  • We plan to release CRS 3.1 on Sunday November 24.
  • There are going to be two separate one-day ModSecurity / CRS courses for ISPs / hosters focusing on CMS. Christian Folini and David Jardin from SIWECOS will teach both courses on invitation by SWITCH. The first course will be on December 5 in Bern, Switzerland and the second course will be on December 6 in Zurich, Switzerland.
    Link: https://swit.ch/CMS_Bern
    Link: https://swit.ch/CMS_Zurich
  • CRS developer Franziska Bühler is working on her docker container. She is adding CLI support for all the CRS variables during “docker create”. This means you will be able to create and configure a CRS WAF container on the fly with a one-liner. This is meant to be merged into the official CRS docker container eventually.
    Link: https://hub.docker.com/r/franbuehler/modsecurity-crs-rp/
  • The next Monthly Community Chat will be held on December 3, 2018, at 20:30 CET in the #coreruleset channel in the OWASP Slack. A link to a Slack invite can be found in the agenda linked below. Please use this agenda issue on GitHub to schedule topics for discussion.
    Link: https://owasp.slack.com
    Link: https://github.com/coreruleset/coreruleset/issues/1238
  • CRS developer Felipe Zipitria has volunteered to come up with a proposal to have CRS swag produced via an online print-on-demand shop. Desired items include posters, stickers, buttons, T-shirts, ideally the full program.
    Link: https://github.com/OWASP/owasp-swag

Important pull requests in the queue

Join us on the OWASP Slack!

Are you interested in hanging out with the CRS developers? Giving your input on CRS development issues? Chatting about the wonderful world of WAFs? Then this is your chance!

At OWASP AppSecEU 2018, we started the #coreruleset channel in the OWASP Slack.

This has turned out to be a good place for exchanging ideas and working together in real time. So, we’ve settled in and we invite anyone to join us there.

CRS Project News September 2018

We skipped the monthly news in August as the 3.1-RC release had been delayed into September. But here we go again with the mostly monthly newsletter of the CRS project.

The most important news is the publication of the release candidate 1 for CRS 3.1.

What has happened in recent weeks

Significant pull requests that were merged

  • Development has been shifted to the new 3.2 branch, which has been declared master
  • Walter Hop contributed two new strings to the list of Java Struts namespaces for use in the new 944130 rule
    Link: https://github.com/coreruleset/coreruleset/pull/1177
  • Other than that, everybody is waiting for new issues popping up with the 3.1-RC release but it has been quiet on that front so far.

Things that are meant to happen in the coming weeks

  • We plan to release CRS 3.1 in October unless we see any roadblocks.
  • There is a strange bug triggered by a PL2 rule among the new Java rules in CRS 3.1-RC1. If it is a bug, it’s rather a ModSecurity bug, but it’s completely unclear how this is happening, as reproduction has been very cumbersome so far. What is clear is that it happens in connection with chunked transfer encoding of JSON payloads at PL2 and higher. So it is a rather peculiar situation that is relatively rare.
    Link: https://github.com/coreruleset/coreruleset/issues/1185

Important pull requests in the queue

Some Thoughts on why Web Application Firewalls Really Make a Difference

This is a guest piece by Jamie Riden / @pedantic_hacker. Jamie has been doing penetration tests, secure development training and security code review since 2010 - and other kinds of computer-wrangling for much, much longer.

Having been a systems engineer, a coder and now a pen-tester, I’d like to take a brief moment of your time to talk about layered defenses; specifically in this case why running a web application firewall is a good idea. In my current job I get engaged to do various forms of pen-testing. Relatively often, we turn up something in a web application that could have been prevented in a couple of ways. Last week for example, I found a lovely old-school OS command injection bug in a single parameter of a reasonably sized website.