Blog

Core Rule Set v4.0.0 Release Candidate 1 available

The OWASP ModSecurity Core Rule Set team is proud to announce the Release Candidate 1 for the upcoming CRS v4.0.0 release. The release candidate is available from our installation page; see also the upgrade notes on that page. CRS 4 contains many important changes, such as: A plugin architecture for extending CRS and minimizing attack …

Core Rule Set v4.0.0 Release Candidate 1 available Read More »

The Case for Early Blocking

Early Blocking is a feature that CRS will deliver with the next major release, probably Spring 2022. You can use it immediately when deploying the latest dev / nightly build. This blog post will explain the feature, how to enable it and why it is very useful. What is Early Blocking? ModSecurity, the engine below …

The Case for Early Blocking Read More »

Comprehensive View of the WAF Market From an Open Source Perspective

The log4j mess allowed everybody to see security shortcomings of the IT industry on a big scale. It also shed light on the shortcomings of the WAF market, a highly contested field with a myriad of commercial players and - well - us, the OWASP ModSecurity Core Rule Set (CRS), the only general purpose open …

Comprehensive View of the WAF Market From an Open Source Perspective Read More »

The CRS Plugin Mechanism

Plugins are not part of the CRS 3.3.x release line. They will be released officially with the next major CRS release 4.x. In the meantime, you can use them with one of the stable releases by following the instructions below. What are Plugins? Plugins are sets of additional rules that you can plug in to …

The CRS Plugin Mechanism Read More »

Public Hunt for log4j / log4shell Evasions / WAF Bypasses

We have been updating our detection for the infamous CVE-2021-44228 vulnerability and its siblings for several days now. With the new experimental rule 1005, we think we really have decent detection capabilities now. Read up on this development in the separate blog post CRS and Log4j / Log4Shell / CVE-2021-44228. Right before the log4j CVE …

Public Hunt for log4j / log4shell Evasions / WAF Bypasses Read More »

CRS and Log4j / Log4Shell / CVE-2021-44228

This is an evolving blog post with infos about the role of CRS in defending against the log4j vulnerabilities that threatens quite all logging JAVA applications. We believe the mitigations and rules suggested below will have you covered up to and including CVE-2021-45105.In January 2022, we have consolidated our knowledge into a pull request with …

CRS and Log4j / Log4Shell / CVE-2021-44228 Read More »