ModSecurity – OWASP ModSecurity Core Rule Set

The CRS Plugin Mechanism

By Christian Folini / January 12, 2022

Plugins are not part of the CRS 3.3.x release line. They will be released officially with the next major CRS release 4.x. In the meantime, you can use them with one of the stable releases by following the instructions below. What are Plugins? Plugins are sets of additional rules that you can plug in to …

The CRS Plugin Mechanism Read More »

Disabling Request Body Access in ModSecurity 3 Leads to Complete Bypass

By Christian Folini / March 2, 2021

If you are running ModSecurity 3 with request body access disabled, then I have some bad news. Please sit down, this will be a while. If you are running ModSecurity 2, or you give the engine access to the request body, then you are not affected. But maybe you want to read this post nevertheless. …

Disabling Request Body Access in ModSecurity 3 Leads to Complete Bypass Read More »

CVE-2020-15598 – ModSecurity v3 Affected By DoS (Severity HIGH)

By Christian Folini / September 14, 2020

The OWASP ModSecurity Core Rule Set (CRS) team has identified a Denial of Service vulnerability in the underlying ModSecurity engine. This affects all releases in the ModSecurity v3 release line. The vendor Trustwave Spiderlabs did not release an update yet. However, we are providing users with a patch for ModSecurity and a workaround if they …

CVE-2020-15598 – ModSecurity v3 Affected By DoS (Severity HIGH) Read More »

CVE-2019-19886 – HIGH – DoS against libModSecurity 3

By Christian Folini / January 18, 2020

The ModSecurity 3.0.x release line suffers from a Denial of Service vulnerability after triggering a segmentation fault on the webserver when parsing a malformed cookie header. All users of ModSecurity 3.0.0 - 3.0.3 should update to ModSecurity 3.0.4 as soon as possible. ModSecurity 2.x is not affected. The CVSS score for the vulnerability is 7.5 …

CVE-2019-19886 – HIGH – DoS against libModSecurity 3 Read More »

Core Rule Set Project Won a German OSBAR Award!

By Christian Folini / December 7, 2017

The OWASP ModSecurity Core Rule Set Project is very excited about winning one of the OSBAR awards of the German Open Source Business Alliance. The prize is awarded to projects, start-ups and outstanding ideas from the open source environment. The increased attention should make it easier for the award winners to attract users, developers and …

Core Rule Set Project Won a German OSBAR Award! Read More »

The Top 5 Ways CRS Can Help You Fight the OWASP Top 10

By Christian Folini / November 21, 2017

The new edition OWASP Top Ten list mentions ModSecurity and the OWASP ModSecurity Core Rule Set for the first time. Let me explain you what the Core Rule Set does and how it can help you protect your services from these risks. The CRS - short for OWASP ModSecurity Core Rule Set - is a …

The Top 5 Ways CRS Can Help You Fight the OWASP Top 10 Read More »