[Owasp-leaders] [Owasp-modsecurity-core-rule-set] Announcing CRS v2.0.7

Ryan Barnett ryan.barnett at breach.com
Fri Jun 4 15:28:17 EDT 2010


Hello OWASP Leaders.  I wanted to let you all know that a new version of the OWASP 
ModSecurity Core Rule Set (CRS) is now available (v2.0.7).

There are some interesting updates, most notably -

1) The new CSRF protection ruleset.
The ruleset uses ModSecurity's Content Injection capabilities to append an updated version 
of the csrf.js file from the OWASP CSRFGuard Project 
(http://code.google.com/p/owaspcsrfguard/source/browse/trunk/main/OWASP-CSRFGuard/src/org/owasp/csrfguard/handlers/csrf.js) to the end of the response data.  
ModSecurity generates the CSRF token and inserts it into the JS data and then validates it 
on subsequent requests.

The advantage of using ModSecurity for this is that if you are running it on an Apache reverse 
proxy, then you can add CSRF tokens to any back-end web app regardless of the language.

A call for assistance - the csrf.js code works well; however, it should probably be extended 
to handle AJAX calls, etc.  If there are any JS ninjas who want to tackle updating the 
JS code to perhaps add the csrf tokens using OnSubmit or something, let me know.

2) App Defect Rule - Missing HTTPOnly flags
One ruleset will identify if the HTTPOnly flag is missing when the app hands out Set-Cookie 
SessionIDs.  It can optionally fix the issue by passing ENV data to Apache which will 
append the HTTPOnly flag through a ResponseHeader directive.

3) App Defect Rule - Missing Output Escaping of User-Supplied Data
This is an interesting concept where we are attempting to do some crude Dynamic Taint 
Propagation tracking related to XSS/Missing Output Escaping.  As opposed to trying to 
identify and block potential XSS payloads on the inbound, we are instead focusing on 
the underlying vuln - resources that don't properly track user-supplied data and 
encode/escape it when given back to clients.

The ruleset basically looks for inbound data that contains meta-characters that are often 
used in XSS attacks (<,>,/, etc...) and then it stores the entire parameter data in a 
temporary variable and then inspects the response body to see if the same exact payload is 
present.  If it is, then the app is not properly escaping it.  This ruleset works in 
limited testing but I am interested to see how it fares once the ModSecurity community 
starts testing it out :)

Please let me know if anyone has any questions, comments or would like to help out with 
future CRS efforts.

Cheers.

--
Ryan C. Barnett
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
http://tacticalwebappsec.blogspot.com

On Friday 04 June 2010 14:51:24 Ryan Barnett wrote:
> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download
> 
> This update has a number of improvements, most notably the inclusion of new
> experimental protection rules for CSRF and Application Defects (missing
> HTTPOnly flag and identifying apps that are not properly output
> encoding/escaping user-supplied data). See my previous Blackhat presos for
> more info -
> 
> http://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html#Barnett
> 
> Note that this release includes the rules-updater.pl script in the /util
> directory and we have activated the CRS rules repository on the
> www.modsecurity.org site so you can now auto-download the rules. Read the
> README file in the /util directory for usage info.
> 
> --------------------------
> 
> Version 2.0.7 - 06/4/2010
> 
> --------------------------
> 
> Improvements:
> 
> - Added CSRF Protection Ruleset which will use Content Injection to add
>   javascript to specific outbound data and then validate the csrf token on
>   subsequent requests.
> - Added new Application Defect Ruleset which will identify/fix missing
>   HTTPOnly cookie flags
> - Added Experimental XSS/Missing Output Escaping Ruleset which looks for
>   user supplied data being echoed back to user unchanged.
> - Added rules-updater.pl script and configuration file to allow users to
>   automatically download CRS rules from the CRS rules repository.
> - Added new SQLi keyword for ciel() and reverse() functions.
> - Updated the PHPIDS filters
> 
> Bug Fixes:
> 
> - Fixed false positives for Request Header Name matching in the 30 file by
>   adding boundary characters.
> - Added missing pass actions to @pmFromFile prequalifier rules
> - Added backslash to SQLi regex
>   https://www.modsecurity.org/tracker/browse/CORERULES-41
> - Fixed hard coded anomaly score in PHPIDS filter file
>   https://www.modsecurity.org/tracker/browse/CORERULES-45
> - Fixed restricted_extension false positive by adding boundary characters
> 
> --
> Ryan C. Barnett
> WASC Web Hacking Incident Database Project Leader
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> http://tacticalwebappsec.blogspot.com
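The three experimental rulesets described in the announcement (CSRF token injection and validation via Content Injection, the HTTPOnly fix via an Apache environment variable, and the crude taint check that looks for an inbound payload echoed unchanged in the response) can be sketched in ModSecurity 2.x rule language as follows. This is an added illustration written for this page, not the CRS v2.0.7 rule files themselves. Everything specific is assumed for the example: the 9990xx rule ids, the session cookie names, the /csrf.js path, the convention that the injected script reads window.OWASP_CSRFTOKEN and submits it as the OWASP_CSRFTOKEN parameter, the httponly_cookie environment variable name, the SecDataDir path, and %{UNIQUE_ID} (mod_unique_id) as the token source, which is not a cryptographic random source and should be replaced in a real deployment.

```apache
# Added example for this page; not the CRS v2.0.7 rules. All ids, names and
# paths below are assumptions chosen for illustration.

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/html
SecContentInjection On
# Persistent store needed for the SESSION collection used by the CSRF rules.
SecDataDir /var/cache/modsecurity

# ---- 1) CSRF protection: mint, inject, validate -----------------------------

# Bind the SESSION collection to the application's session cookie (name assumed).
SecRule REQUEST_COOKIES:JSESSIONID ".+" \
    "phase:1,id:999001,t:none,nolog,pass,setsid:%{REQUEST_COOKIES.JSESSIONID}"

# Mint a token the first time this session is seen. setvar sits on the last
# rule of the chain so it only fires when the whole chain matches.
SecRule REQUEST_COOKIES:JSESSIONID ".+" \
    "phase:1,id:999002,t:none,nolog,pass,chain"
    SecRule &SESSION:CSRF_TOKEN "@eq 0" "setvar:SESSION.CSRF_TOKEN=%{UNIQUE_ID}"

# Append the token plus the CSRFGuard-derived script to every HTML response.
# The script (assumed, not shown here) reads window.OWASP_CSRFTOKEN and adds it
# to same-origin form submissions as the OWASP_CSRFTOKEN parameter.
SecRule RESPONSE_CONTENT_TYPE "^text/html" \
    "phase:4,id:999003,t:none,nolog,pass,chain"
    SecRule &SESSION:CSRF_TOKEN "@gt 0" \
        "append:'<script type=\"text/javascript\">window.OWASP_CSRFTOKEN=\"%{SESSION.CSRF_TOKEN}\";</script><script type=\"text/javascript\" src=\"/csrf.js\"></script>'"

# Validate on state-changing requests: reject when the token is absent ...
SecRule REQUEST_METHOD "^(?:POST|PUT|DELETE)$" \
    "phase:2,id:999004,t:none,log,deny,status:403,msg:'CSRF token missing',chain"
    SecRule &ARGS:OWASP_CSRFTOKEN "@eq 0"

# ... or does not match the token minted for this session.
SecRule REQUEST_METHOD "^(?:POST|PUT|DELETE)$" \
    "phase:2,id:999005,t:none,log,deny,status:403,msg:'CSRF token mismatch',chain"
    SecRule ARGS:OWASP_CSRFTOKEN "!@streq %{SESSION.CSRF_TOKEN}" "t:none"

# ---- 2) App defect: session cookie issued without HttpOnly ------------------

# Match Set-Cookie headers that carry a session id, then test the matched value
# for a missing HttpOnly attribute. The env variable is set only when both rules
# of the chain match; mod_headers then patches the header in the same response.
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "^(?i:JSESSIONID|PHPSESSID|ASP\.NET_SessionId)=" \
    "phase:3,id:999010,t:none,log,pass,msg:'App defect: session cookie issued without HttpOnly',chain"
    SecRule MATCHED_VAR "!(?i:;\s*httponly)" "t:none,setenv:httponly_cookie=1"

# Apache side of the fix: add HttpOnly to any Set-Cookie value that lacks it,
# but only on responses where ModSecurity flagged the defect.
Header edit Set-Cookie "(?i)^((?:(?!;\s*httponly).)*)$" "$1; HttpOnly" env=httponly_cookie

# ---- 3) App defect: user input echoed without output escaping ---------------

# Phase 2: remember a parameter value that carries XSS meta-characters.
# A single TX slot is used, so the last matching parameter wins (crude on purpose).
SecRule ARGS "[<>\"'/]" \
    "phase:2,id:999020,t:none,nolog,pass,setvar:tx.xss_probe=%{MATCHED_VAR}"

# Phase 4: if the identical bytes appear in the response body, the application
# reflected the input without encoding it.
SecRule TX:xss_probe ".+" \
    "phase:4,id:999021,t:none,log,pass,\
     msg:'App defect: user-supplied data echoed without output escaping',\
     logdata:'%{tx.xss_probe}',chain"
    SecRule RESPONSE_BODY "@contains %{tx.xss_probe}" "t:none"
```

Two practical caveats with this sketch. The CSRF validation rules deny any POST before a session cookie exists, so the login or session-creating endpoint has to be exempted (for instance with a rule on REQUEST_FILENAME that uses ctl:ruleRemoveById for 999004 and 999005). The echo check is noisy by design: the "/" meta-character matches most URL-like parameter values, and because only one value is kept per transaction a multi-parameter request is only checked for the last one; it is a detection aid to point at unescaped output, not a blocking control, which is why both app-defect rules use pass rather than deny.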