This year, the OWASP ModSecurity Core Rule Set for the second time took part in the Google Summer of Code initiative. Google Summer of Code (GSoC) is a global online program focused on bringing new contributors into open-source software development. GSoC contributors work with an open-source organization of their choice on a 12+ week programming …
Many CRS users have probably read Trustwave's recent announcement about the new version of libmodsecurity3 (aka ModSecurity v3) and the reason for the release: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/ The new version of the WAF library fixes a CVE described issue, namely: "DoS Vulnerability in Four Transformations". We would like to draw the attention of all CRS users who …
libmodsecurity3 CVE-2023-38285 affecting CRS users Read More »
The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5. For downloads and installation instructions, please refer to the Installation page. This is a security release which fixes the recently announced CVE-2023-38199, whereby it is possible to cause an impedance mismatch on some platforms running CRS v3.3.4 and …
The OWASP ModSecurity Core Rule Set (CRS) v3.3.4 does not detect the presence of multiple HTTP "Content-Type" header fields. As a result, on some platforms, it is possible to cause a CRS installation to process an HTTP request body differently (because of the different Content-Type) to how it would be processed by a backend web …
The OWASP ModSecurity Core Rule Set project has opened a YouTube channel. Here we plan to gather all videos that are relevant to the project. In the meantime, feel free to contact us if you think you have fitting content. And don’t forget to give a thumbs up to the videos and subscribe to the …
OWASP CRS is the dominant open source web application firewall (WAF) rule set that powers countless servers, commercial WAFs and runs on many CDNs and cloud platforms. Yahoo and Intigriti helped OWASP CRS organize a three week bug bounty program in Spring 2022. A well prepared earlier attempt had not given any results, literally zero …
What we learnt from our bug bounty program: It’s not for the faint of heart Read More »
Question: What do programmers, security specialists and other IT nerds do on Valentine's Day? Answer: they get together for the CRS Community Summit in Ireland. As in previous years, we used the OWASP Global AppSec Conference, which this year was held in Ireland's capital, as an opportunity to call for our Community Summit on February …
A brief report on the CRS Community Summit 2023. Read More »
Team82 has published an exciting research article about bypassing web application firewalls using a specific SQL syntax that uses JSON. More information about their research can be found here. An example payload described by Team82 could be: The OWASP Core Rule Set is blocking all payloads reported by Team82 at paranoia level 2 basically just …
We're excited to announce a new partnership with Edgio, a leading provider of edge security solutions, that was formed by the combination of Limelight and Edgecast. Edgio is a trusted partner for organizations looking to protect their digital assets. Its holistic suite of security solutions protects the confidentiality, integrity and availability of web applications and …
On February 14, the CRS community will meet at the Dublin Convention Center for the 2023 CRS Community Summit, the first summit after the pandemic. REGISTRATION It has been a while since last we met and many things have happened since. So, there is a lot to talk about. We start at 9 am local …
Registration for the OWASP CRS Community Summit 2023 – Dublin, Feb 14 Read More »