This is the CRS newsletter covering the period from Early September until today. We held our monthly community chat. We had quite a few people stop by. Special thanks to our active participants: dune73 fzipi csanders franbuehler lifeforms emphazer fgs squared spartantri ossie buddyleer During the chat we discussed the following We will be moving …
The Core Rule Set project (CRS for short) has been nominated for the Swiss DINAcon Awards. I do not think any of you understand what awards I am talking about, so let me explain. It is hard to promote Open Source Software in Switzerland. This is not necessarily different from any other place, but let's …
This week we saw the release of another named vulnerability (-_-). This time it was entitled: Optionsbleed. While the name provided is meant in reference to Heartbleed, this vulnerability isn't nearly as far reaching. The vulnerability only affected Apache hosts with a very particular configuration and as a result only 0.0466% of the Alexa top …
A little background Last month we announced the general availability of the Framework for Testing WAFs (FTW) version 1.0. You can read the whole post here, But this is only the beginning of the story. With the release of OWASP CRS v3.0 we started integrating a more agile, test driven development methodology that we believe …
When I looked into my inbox lately, I found a very kind message where a new user asked how he could support the project. He had listened to a clip on the OWASP 24/7 podcast, got really excited and was now installing CRS3. I responded with a fairly lengthy message covering all the areas where …
This is the CRS newslettering covering the period from mid August until today. What has happened during the last few weeks: We held our community chat last Monday. Chaim was high in the air so we were only six of us, but Manuel was back so I get the feeling we are slowly growing the …
Hi, I’m a newcomer to the ModSecurity community and am currently learning about how ModSecurity works with the Core Rule Set and can be used to perform “Virtual Patches” against vulnerable web applications. I have learnt lots reading the rules in the CRS and reading the ModSecurity Handbook written by Christian Folini and Ivan Ristić. …
This is the CRS newsletter covering the period from July until today. What has happened during the last few weeks: We held our community chat last Monday. We have been eight people including Manuel Spartan who participated on the development of the paranoia mode. The big topic was disassembly of the optimized regular expressions that …
The OWASP Project maintains an open source set of rules known as the the OWASP Core Rule Set (CRS). The CRS implements protections for the well known, broad classes of web application vulnerabilities identified by OWASP. Over time, this set of rules has become the most popular ruleset for ModSecurity and also found its way …
Trustwave has released ModSecurity version 2.9.2. This is an important update for users of the Core Rule Set. To detect SQL and XSS injections, CRS relies in part on the libinjection library by Nick Galbreath. This library is bundled with ModSecurity. It is regularly updated to address new types of injections. Therefore, to have optimal …