The SpiderLabs Research Team is pleased to announce the ModSecurity OWASP Core Rule Set <https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project> v2.2.3 release. You can download the TAR/GZ or ZIP archive here <https://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/>.

There are a few significant updates, most notably:

* We have added more application defect checks based largely on the Watcher tool by Casaba Security <http://websecuritytool.codeplex.com/wikipage?title=Checks> which is used for passive vulnerability assessments.
* SpiderLabs Consultant Andrew Wilson identified a potential evasion issue if the client specifies an abnormal/unexpected Content-Type request header. In some cases, the application may disregard the data specified by the Content-Type header and process the request body data normally; however, ModSecurity would not inspect the payload. We have addressed this issue by updating an existing rule that will dynamically force the population of the REQUEST_BODY variable if an unexpected Content-Type is used.

CHANGES

--------------------------
Version 2.2.3 - 12/19/2011
--------------------------

Improvements:
- Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
  http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies
- Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
  http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
- Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
  http://websecuritytool.codeplex.com/wikipage?title=Checks#header

Bug Fixes:
- Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to rule ID 960010.
  (Identified by Andrew Wilson of Trustwave SpiderLabs).
- Updated the regex and added tags for RFI rules.

--
Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs
OWASP ModSecurity CRS Project Lead

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
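
The Content-Type inspection gap described in the announcement, as an added example that is not part of the original message and is not ModSecurity or CRS code. It is a simplified Python model: the allowed-type policy, the function names and the harmless marker string are all assumptions made for illustration.

```python
# Simplified model of request-body variable population in a WAF.
# Added example; not ModSecurity source and not the text of rule 960010.
from urllib.parse import parse_qsl

FORM = "application/x-www-form-urlencoded"
ALLOWED_TYPES = {FORM}            # assumed policy of expected Content-Types
MARKER = "TEST-MARKER"            # constructed stand-in for content a body rule matches


def media_type(content_type):
    """Strip parameters such as '; charset=UTF-8' and normalise case."""
    return content_type.split(";")[0].strip().lower()


def populate_variables(content_type, body, force_request_body_variable):
    """Return the variables that later inspection rules can see."""
    variables = {"ARGS": {}, "REQUEST_BODY": None}
    if media_type(content_type) == FORM:
        # A body processor matched: the body is parsed and exposed.
        variables["ARGS"] = dict(parse_qsl(body, keep_blank_values=True))
        variables["REQUEST_BODY"] = body
    elif force_request_body_variable:
        # No processor matched, but the raw body is exposed anyway.
        variables["REQUEST_BODY"] = body
    return variables


def body_rule_matches(variables):
    """A stand-in inspection rule: look for MARKER in every populated target."""
    targets = list(variables["ARGS"].values())
    if variables["REQUEST_BODY"] is not None:
        targets.append(variables["REQUEST_BODY"])
    return any(MARKER in target for target in targets)


def inspect_request(content_type, body, fixed_rule):
    """Model the header-phase policy rule, then run body inspection.

    fixed_rule=False: an unexpected Content-Type leaves the body unexposed.
    fixed_rule=True:  an unexpected Content-Type forces REQUEST_BODY population.
    """
    unexpected = media_type(content_type) not in ALLOWED_TYPES
    force = fixed_rule and unexpected
    return body_rule_matches(populate_variables(content_type, body, force))


if __name__ == "__main__":
    body = "comment=" + MARKER    # constructed sample request body
    for ctype in (FORM, "application/unknown"):
        for fixed in (False, True):
            print(ctype, "fixed_rule=%s" % fixed, "inspected:",
                  inspect_request(ctype, body, fixed))
```
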