[Owasp-leaders] [Owasp-modsecurity-core-rule-set] Announcing CRS v2.0.7
ryan.barnett at breach.com
Fri Jun 4 15:28:17 EDT 2010
Hello OWASP Leaders. I wanted to let you all know that a new version of the OWASP
ModSecurity Core Rule Set (CRS) is now available (v2.0.7).
There are some interesting updates, most notably -
1) The new CSRF protection ruleset.
The ruleset uses ModSecurity's Content Injection capabilities to append an updated version
of the csrf.js file from the OWASP CSRFGuard Project
CSRFGuard/src/org/owasp/csrfguard/handlers/csrf.js) to the end of the response data.
ModSecurity generates the CSRF token and inserts it into the JS data and then validates it
on subsequent requests.
The advantage of using ModSecurity for this is if you are running it on an Apache reverse
proxy, then you add in CSRF tokens to any back-end web app regardless of the language.
A call for assistance - the csrf.js code works well however it should probably be extended
to handle AJAX calls, etc... If there are any JS ninjas who want to tackle updating the
JS code to perhaps add the csrf tokens using OnSubmit or something, let me know.
2) App Defect Rule - Missing HTTPOnly flags
One ruleset will identify if the HTTPOnly flag is missing when the app hands out Set-Cookie
SessionIDs. It can optionally fix the issue by passing ENV data to Apache which will
append the HTTPOnly flag through a ResponseHeader directive.
3) App Defect Rule - Missing Output Escaping of User-Supplied Data
This is an interesting concept where we are attempting to do some crude Dynamic Taint
Propagation tracking related to XSS/Missing Output Escaping. As opposed to trying to
identify and block potential XSS payloads on the inbound, we are instead focusing in on
the underlying vuln - resources that don't properly track user-supplied data and
encode/escape it when given back to clients.
The ruleset basically looks for inbound data that contains meta-characters that are often
used in XSS attacks (<,>,/, etc...) and then it stores the entire parameter data in a
temporary variable and then inspects the response body to see if the same exact payload is
present. If it is, then the app is not properly escaping it. This ruleset works in
limited testing but I am interested to see how it fares once the ModSecurity community
starts testing it out :)
Please let me know if anyone has any questions, comments or would like to help out with
future CRS efforts.
Ryan C. Barnett
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
On Friday 04 June 2010 14:51:24 Ryan Barnett wrote:
> This update has a number of improvements, most notably the inclusion of new
> experimental protection rules for CSRF and Application Defects (missing
> HTTPOnly flag and identifying apps that are not properly output
> encoding/escaping user-supplied data). See my previous Blackhat presos for
> more info -
> Note that this release includes the rules-updater.pl script in the /util
> directory and we have activated the CRS rules repository on the
> www.modsecurity.org site so you can now auto-download the rules. Read the
> README file in the /util directory for usage info.
> Version 2.0.7 - 06/4/2010
> - Added CSRF Protection Ruleset which will use Content Injection to add
> specific outbound data and then validate the csrf token on subsequent
> - Added new Application Defect Ruleset which will identify/fix missing
> HTTPOnly cookie
> - Added Experimental XSS/Missing Output Escaping Ruleset which looks for
> user supplied data being echoed back to user unchanged.
> - Added rules-updater.pl script and configuration file to allow users to
> download CRS rules from the CRS rules repository.
> - Added new SQLi keyword for ciel() and reverse() functions.
> - Updated the PHPIDS filters
> Bug Fixes:
> - Fixed false positives for Request Header Name matching in the 30 file by
> adding boundary characters.
> - Added missing pass actions to @pmFromFile prequalifier rules
> - Added backslash to SQLi regex
> - Fixed hard coded anomaly score in PHPIDS filter file
> - Fixed restricted_extension false positive by adding boundary characters
> Ryan C. Barnett
> WASC Web Hacking Incident Database Project Leader
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
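The "Missing Output Escaping" check described in item 3, modelled as an added stand-alone Python example (this is not CRS or ModSecurity code; the parameter dict, the sample response bodies and the minimum-length filter are constructed assumptions for illustration):

```python
"""Simplified model of the CRS 'Missing Output Escaping' idea.

Inbound phase: remember the full value of any parameter that contains
XSS meta-characters. Outbound phase: if that exact value appears verbatim
in the response body, the application echoed user data without escaping it.
"""
from html import escape
import re

# Meta-characters named in the announcement as commonly used in XSS (<, >, /, ...).
META_CHARS = re.compile(r"[<>/\"']")
# Assumption (not from CRS): ignore very short values such as a lone "/",
# which would otherwise match almost any HTML response and cause false positives.
MIN_LEN = 3


def taint_candidates(params: dict) -> dict:
    """Inbound phase: keep only parameters worth tracking in the response."""
    return {
        name: value
        for name, value in params.items()
        if len(value) >= MIN_LEN and META_CHARS.search(value)
    }


def unescaped_echoes(params: dict, response_body: str) -> list:
    """Outbound phase: return (param, value) pairs echoed back byte-for-byte.

    An HTML-escaped echo such as &lt;b&gt; does not match the stored value,
    which is precisely how the check separates escaped from unescaped output.
    """
    return [
        (name, value)
        for name, value in taint_candidates(params).items()
        if value in response_body
    ]


if __name__ == "__main__":
    # Constructed request: 'q' carries HTML meta-characters, 'page' does not.
    request_params = {"q": "<b>search</b>", "page": "2"}
    # Constructed vulnerable response: reflects q unchanged.
    vuln_body = "<html><body>Results for <b>search</b></body></html>"
    # Constructed fixed response: reflects only the escaped form.
    safe_body = f"<html><body>Results for {escape(request_params['q'])}</body></html>"
    print("vulnerable:", unescaped_echoes(request_params, vuln_body))
    print("escaped   :", unescaped_echoes(request_params, safe_body))
```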