[Owasp-modsecurity-core-rule-set] Announcing release of OWASP ModSecurity CRS v2.2.3

Ryan Barnett RBarnett at trustwave.com
Mon Dec 19 21:46:28 UTC 2011

The SpiderLabs Research Team is pleased to announce the ModSecurity OWASP Core Rule Set<https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project>v2.2.3 release.  You can download the TAR/GZ or ZIP archive here<https://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/>.

There are a few significant updates, most notably:

 *   We have added more application defect checks based largely on the Watcher tool by Casaba Security<http://websecuritytool.codeplex.com/wikipage?title=Checks> which is used for passive vulnerability assessments.
 *   SpiderLabs Consultant Andrew Wilson identified a potential evasion issue if the client specifies an abnormal/unexpected Content-Type request header.  In some cases, the application may disregard the data specified by the Content-Type header and process the request body data normally, however, ModSecurity would no inspect the payload.  We have addressed this issue by updating an existing rule that will dynamically force the population of the REQUEST_BODY variable if an unexpected Content-Type is used.


Version 2.2.3 - 12/19/2011

- Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file
- Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
- Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file

Bug Fixes:
- Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to
  rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs).
- Updated the regex and added tags for RFI rules.

Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs
OWASP ModSecurity CRS Project Lead

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

More information about the Owasp-modsecurity-core-rule-set mailing list