Blog – Page 2 – OWASP ModSecurity Core Rule Set

How the CRS protects the vulnerable web application Pixi by OWASP DevSlop

By Franziska Buehler / September 9, 2019 September 12, 2019

How could the functionality of a WAF be better demonstrated than with a vulnerable web application? In this blog post I introduce Pixi, an intentionally vulnerable web application by the OWASP project DevSlop. I show its known vulnerabilities and examine how the CRS protects against these vulnerabilities. What is Pixi? Pixi is a deliberately vulnerable …

How the CRS protects the vulnerable web application Pixi by OWASP DevSlop Read More »

Announcement: OWASP ModSecurity Core Rule Set Version 3.2.0-RC2

By Walter Hop / September 3, 2019 September 3, 2019

The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of release candidate 2 for the upcoming CRS v3.2.0. The new release is available at https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.zip https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.tar.gz This release represents a very big step forward in terms of both capabilities and protections including: Improved compatibility with ModSecurity 3.x Improved CRS docker …

Announcement: OWASP ModSecurity Core Rule Set Version 3.2.0-RC2 Read More »

How the CRS optimizes regular expressions

By Walter Hop / August 26, 2019 August 26, 2019

As many of you have noticed, the Core Rule Set contains very complex regular expressions. See for example rule 942480: (?i:(?:\b(?:(?:s(?:elect\b.{1,100}?\b(?:(?:(?:length|count)\b.{1,100}?|.*?\bdump\b.*)\bfrom|to(?:p\b.{1,100}?\bfrom|_(?:numbe|cha)r)|(?:from\b.{1,100}?\bwher|data_typ)e|instr)|ys_context)|in(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)|… These regular expressions are assembled from a list of simpler regular expressions for efficiency reasons. See regexp-942480.data for the source expressions which were combined to form this expression. A single optimized regular expression test …

How the CRS optimizes regular expressions Read More »

CRS Project News August 2019

By Christian Folini / August 7, 2019 August 9, 2019

Life is interfering and the rhythm of the CRS news is not what I would like it to be. Three months since the last edition. But the advantage is of course, that there are more news to talk about once I get to write it all up. What has happened in recent weeks The OWASP …

CRS Project News August 2019 Read More »

Announcement: OWASP ModSecurity Core Rule Set Version 3.1.1

By Christian Folini / June 27, 2019 August 7, 2019

The OWASP ModSecurity Core Rule Set team is pleased to announce the CRS release v3.1.1. This is a minor release fixing a Regular Expression Denial of Service weakness (CVE-2019-11387) as well as some minor bugs and false positives. The CVE is only affecting users of the libModSecurity 3 release line and only under special circumstances. …

Announcement: OWASP ModSecurity Core Rule Set Version 3.1.1 Read More »

CRS Project News May 2019

By Christian Folini / May 1, 2019 May 2, 2019

We are back with the CRS project news. There was not too much to talk about in recent weeks, but now there is real content. So here we go. What has happened in recent weeks Security researcher Somdev Sangwan has looked into Regular Expression Denial of Service attacks. It is a more or less well …

CRS Project News May 2019 Read More »

Regular Expression DoS weaknesses in CRS

By Christian Folini / April 25, 2019 April 25, 2019

Somdev Sangwan has discovered several Regular Expression Denial of Service (ReDoS) weaknesses in the rules provided by the CRS project. They are listed under the following CVEs: CVE-2019–11387 CVE-2019–11388 CVE-2019–11389 CVE-2019–11390 CVE-2019–11391 The fact that CRS is affected by ReDoS is not particularly surprising and truth be told, we knew that was the case. We …

Regular Expression DoS weaknesses in CRS Read More »

CRS Project News January 2019

By Christian Folini / January 24, 2019 January 25, 2019

We are back with the CRS project news. We’re attending the Cloudfest Hackathon in March in Germany and we have plans for another CRS Community Summit at the new OWASP AppSec Global conference in Tel Aviv at the end of May (formerly OWASP AppSecEU). What has happened in recent weeks We have reached 1500 stars …

CRS Project News January 2019 Read More »

CRS Project News December 2018

By Christian Folini / December 26, 2018 December 26, 2018

I hope everybody has a few calm days to finish the year. CRS is finishing the year enjoying the 3.1 release and an adjustment to the PHP rules that closes a nasty hole in the detection. What has happened in recent weeks CRS 3.1 has been released bringing new rules to detect Java injections and …

CRS Project News December 2018 Read More »

Core Rule Set Docker Image

By Franziska Buehler / December 12, 2018 December 12, 2018

The Core Rule Set is installed in just four steps, as described in the Installation Guide. Now, it’s even easier using the CRS Docker container. The effort to start the CRS in front of an application is reduced to a few seconds and only one command. Franziska Bühler, one of the CRS developers, enhanced the …

Core Rule Set Docker Image Read More »