List: mod-security-users
Subject: [mod-security-users] Crosspost: News from the Core Rule Set (2017-05-05)
From: Christian Folini <christian.folini@netnea.com>
Date: 2017-05-05 19:56:46
Message-ID: 20170505195646.gssqt4hdob27eoos@leander
Dear all,
This is the CRS newsletter covering the period from April until today.
What has happened during the last few weeks:
- We held our 3rd community chat last Monday. There were eight of us
and we had an extremely efficient meeting. We sorted out a strategy
for the remaining 3.0dev issues and cleared the path for the 3.0.1
release. The next community chats will be held on the following
dates:
- Jun 5, 2017, 20:30 CEST (14:30 EST, 19:30 GMT)
- Jul 3, 2017, 20:30 CEST
- Aug 7, 2017, 20:30 CEST
- Sep 4, 2017, 20:30 CEST
- Oct 2, 2017, 20:30 CEST
- Nov 6, 2017, 20:30 CET
- Dec 4, 2017, 20:30 CET
- There are three open pull requests and three issues keeping us
from releasing 3.0.1. The idea is to clear this during the weekend
and release 3.0.1 on Tuesday, May 9.
- The release policy discussed last month has been described briefly
at:
https://github.com/SpiderLabs/owasp-modsecurity-crs/wiki/Release-Policy
- After the release policy last month, we decided on a way to organise
CRS developers. We settled on the following roles
- Project lead
- Core team
- Project contributors with commit permission
- Contributors without commit permission
As you know, Chaim is project lead and he forms the core team with
Walter Hop and me. We also promoted regular contributors Franziska
Bühler and Christoph Hansen to project contributors with commit
permission. There have been more people contributing to CRS 3.0.1
and we hope to work with them so they can eventually be promoted to a
commit permission level.
The idea with the core team is that every PR needs to be reviewed by
at least one core team member. This also applies to PRs by core team
members: They have to be reviewed by at least one additional
core team member.
- There is general interest to publish more blog posts around CRS
and also additional information. We are working on a useful
platform here.
- Once CRS 3.0.1 is out the door, testing will be formalized and
automated, we will close the very old issues, and then we will start
development for 3.1, incorporating new features and new rules.
- Hugo Costa is working on our new logo, but he is also working on
various other tasks for AppSecEU. In the end AppSecEU won and we
have to wait until after the conference.
- The security scanner research project has resulted in 13 new issues so
far: false negatives. That is, requests which should be blocked but
were not - or at least not on a reasonably low paranoia level.
See all these tickets here:
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues?q=is%3Aissue+is%3Aopen+label%3Azhaw-research-project
The most severe false negative seems to be this payload
which goes undetected at Paranoia Level 3:
userinput=textvalue95920'%3balert(1)%2f%2f153
Obviously, there is a transformation missing before the XSS rule
in question is being executed.
Other findings are not as dangerous, but also much harder to
detect, like out-of-band communication, where a request parameter
is passed to nslookup to perform a DNS request.
Upcoming stuff
- CRS 3.0.1 release planned for Tuesday, May 9.
- The CRS meetup at AppSecEU will be rather informal. We were probably
too late to announce it and fairly few people from the community
will be making it. Chaim and I will be at the conference from
Tuesday / Wednesday though. Please get in touch if you are around.
The idea is to hang out together Wednesday night.
- My Core Rule Set 3.0 Intro talk at AppSecEU in Belfast has been
scheduled for Thursday May 11, 4.15pm. Would be cool to see
you.
I will present the first part of the research (Burp vs. CRS3)
at the SIGS Technology Conference in Zurich, May 18, 2017:
www.sig-switzerland.ch/de/technology_conference/
- Next CRS chat: June 5, 2017, 20:30 CEST on Freenode IRC, channel
#modsecurity (14:30 EST, 19:30 GMT)
Ahoj,
Christian
--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.folini@netnea.com
twitter: @ChrFolini
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
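The paranoia level 3 false negative quoted in the newsletter is a good illustration of why the order of transformations matters for a WAF rule: a regular expression that looks for a quote followed by a statement separator and a function call does not see `';alert(` in the raw parameter value, because the separator and the comment are still percent-encoded. The following Python script is an added example written for this page; it is not CRS code and not something the newsletter author provided. It emulates a ModSecurity-style transformation chain (an approximation of urlDecodeUni, htmlEntityDecode and lowercase) in front of a detection regex and runs the newsletter's payload plus a constructed double-encoded variant through it. The regex `JS_BREAKOUT` is a hypothetical pattern chosen for the demonstration, not a CRS rule, and no claim is made about which CRS rule or transformation was actually missing; note also that the real engine already URL-decodes the ARGS collection when it parses the request, so the chain here stands in for the concept rather than reproducing the engine's exact pipeline.

```python
import html
import re
import urllib.parse

# Payload quoted in the newsletter (undetected at paranoia level 3 at the time).
NEWSLETTER_PAYLOAD = "userinput=textvalue95920'%3balert(1)%2f%2f153"

# Constructed sample, not from the page: the same break-out, percent-encoded twice
# (%25 -> %, so one decoding pass still leaves %27 and %3B in place).
DOUBLE_ENCODED_PAYLOAD = "userinput=x%2527%253Balert(1)%252f%252f"

# Hypothetical detection pattern (NOT a CRS rule): a quote that closes a JavaScript
# string, a statement separator, then an identifier call such as alert(.
JS_BREAKOUT = re.compile(r"""['"]\s*;\s*[a-z_$][\w$]*\s*\(""", re.IGNORECASE)


def url_decode_uni(value: str) -> str:
    """Approximation of ModSecurity's urlDecodeUni: %uXXXX, %XX and '+' -> space."""
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return urllib.parse.unquote_plus(value)


# Name -> function, mirroring how a rule lists its t: transformations in order.
TRANSFORMS = {
    "none": lambda v: v,
    "urlDecodeUni": url_decode_uni,
    "htmlEntityDecode": html.unescape,
    "lowercase": str.lower,
}


def apply_chain(value: str, chain: list[str]) -> str:
    """Apply the transformations left to right, exactly as a t: chain would."""
    for name in chain:
        value = TRANSFORMS[name](value)
    return value


def parse_args_raw(query: str) -> list[tuple[str, str]]:
    """Split a query string into (name, value) pairs WITHOUT decoding the values,
    so that the effect of each transformation stays visible."""
    pairs = []
    for part in query.split("&"):
        name, _, value = part.partition("=")
        pairs.append((name, value))
    return pairs


def inspect(query: str, chain: list[str]) -> dict[str, tuple[str, bool]]:
    """Return {arg name: (value after the chain, matched?)} for every argument."""
    results = {}
    for name, raw in parse_args_raw(query):
        transformed = apply_chain(raw, chain)
        results[name] = (transformed, bool(JS_BREAKOUT.search(transformed)))
    return results


if __name__ == "__main__":
    for label, payload in (("newsletter", NEWSLETTER_PAYLOAD),
                           ("double-encoded", DOUBLE_ENCODED_PAYLOAD)):
        for chain in (["none"],
                      ["urlDecodeUni"],
                      ["urlDecodeUni", "urlDecodeUni", "htmlEntityDecode", "lowercase"]):
            value, hit = inspect(payload, chain)["userinput"]
            print(f"{label:15} t:{','.join(chain):55} -> {value!r:40} match={hit}")
```

Running it shows the newsletter payload is missed with no transformation and caught after one urlDecodeUni, while the constructed double-encoded variant needs a second decoding pass before the same regex fires. The practical lesson for rule authors is to check the transformed value a rule actually sees (the `matched_var` in the audit log) rather than the raw request when triaging a false negative.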