The ModSecurity 3.0.x release line suffers from a Denial of Service vulnerability after triggering a segmentation fault on the webserver when parsing a malformed cookie header. All users of ModSecurity 3.0.0 – 3.0.3 should update to ModSecurity 3.0.4 as soon as possible. ModSecurity 2.x is not affected. The CVSS score for the vulnerability is 7.5 …
CVE-2019-19886 – HIGH – DoS against libModSecurity 3 Read More »
It’s been a while since the last CRS project news. It’s not because there was nothing to report. It’s more like too much going on and no time to sit back and write it all down. Here are the most important things that happened since the last edition: ModSecurity 3.0.4 has been released for NGINX. …
Earlier today, Gareth Heyes presented a very interesting talk with dozens of new XSS payloads at the OWASP GlobalAppSec conference in Amsterdam. The CRS developers in the audience immediately started to try out the payloads, but Gareth was so quick they lost track… But being the helpful person he is, he published the slides during …
Running a few dozens of new magic XSS payloads against CRS 3.2 Read More »
The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of the OWASP ModSecurity Core Rule Set Version 3.2.0. The new release is available for download at https://coreruleset.org/installation/ This release represents a very big step forward in terms of both capabilities and protections including: Improved compatibility with ModSecurity 3.x Improved CRS …
Announcement: OWASP ModSecurity Core Rule Set Version 3.2.0 Read More »
How could the functionality of a WAF be better demonstrated than with a vulnerable web application? In this blog post I introduce Pixi, an intentionally vulnerable web application by the OWASP project DevSlop. I show its known vulnerabilities and examine how the CRS protects against these vulnerabilities. What is Pixi? Pixi is a deliberately vulnerable …
How the CRS protects the vulnerable web application Pixi by OWASP DevSlop Read More »
The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of release candidate 2 for the upcoming CRS v3.2.0. The new release is available at https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.zip https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.tar.gz This release represents a very big step forward in terms of both capabilities and protections including: Improved compatibility with ModSecurity 3.x Improved CRS docker …
Announcement: OWASP ModSecurity Core Rule Set Version 3.2.0-RC2 Read More »
As many of you have noticed, the Core Rule Set contains very complex regular expressions. See for example rule 942480: (?i:(?:\b(?:(?:s(?:elect\b.{1,100}?\b(?:(?:(?:length|count)\b.{1,100}?|.*?\bdump\b.*)\bfrom|to(?:p\b.{1,100}?\bfrom|_(?:numbe|cha)r)|(?:from\b.{1,100}?\bwher|data_typ)e|instr)|ys_context)|in(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)|… These regular expressions are assembled from a list of simpler regular expressions for efficiency reasons. See regexp-942480.data for the source expressions which were combined to form this expression. A single optimized regular expression test …
Life is interfering and the rhythm of the CRS news is not what I would like it to be. Three months since the last edition. But the advantage is of course, that there are more news to talk about once I get to write it all up. What has happened in recent weeks The OWASP …
The OWASP ModSecurity Core Rule Set team is pleased to announce the CRS release v3.1.1. This is a minor release fixing a Regular Expression Denial of Service weakness (CVE-2019-11387) as well as some minor bugs and false positives. The CVE is only affecting users of the libModSecurity 3 release line and only under special circumstances. …
Announcement: OWASP ModSecurity Core Rule Set Version 3.1.1 Read More »
We are back with the CRS project news. There was not too much to talk about in recent weeks, but now there is real content. So here we go. What has happened in recent weeks Security researcher Somdev Sangwan has looked into Regular Expression Denial of Service attacks. It is a more or less well …