[Owasp-modsecurity-core-rule-set] Submit a change in the CRS
jamie.riden at gmail.com
Sun Jul 19 14:52:38 UTC 2015
I certainly wouldn't say it was a vulnerability in CRS, but I have
seen apps which logged User-Agent to a file and then in the admin
section of the site wrote it straight to the page. Equally I've seen
people do the same thing, but inserting User-Agent into a table in a
manner vulnerable to SQL injection.
However, the kind of people who do these things are not the same kind
of people who install mod_security and CRS, so it's debatable if it
would really help anyone by being changed in CRS.
On 19 July 2015 at 15:34, Chaim Sanders <CSanders at trustwave.com> wrote:
> Try not to be an alarmist by calling it a vulnerability. It is a protection
> that is simply not offered because most people don’t end up reflecting user
> agents onto their page, for pretty obvious reasons. That being said you are
> fully encouraged to develop protections for this if you feel it to be an
> oversight. If you don’t know how to do this I am more than willing to work
> offline to help you accomplish this goal. In general you would modify a rule
> present in the XSS section to include Request_Headers:User-Agent.
> Within this config file we have accumulated a number of different XSS
> filters over time. Feel free to identify which ones make the most sense for
> where your protection should be placed and add it. You can then issue a push
> request adding this feature as we use github for version control.
> From: Michele Roviello <micheleroviello at gmail.com>
> Date: Sunday, July 19, 2015 at 5:34 AM
> To: "owasp-modsecurity-core-rule-set at lists.owasp.org"
> <owasp-modsecurity-core-rule-set at lists.owasp.org>
> Subject: [Owasp-modsecurity-core-rule-set] Submit a change in the CRS
> I have found a vulnerability in the CRS, I discussed it in a previous mail
> and they suggested that I submit the protection for this issue.
> Can someone tell me what I should do to submit a change in the CRS?
> Thank you for your help
> Michele Roviello
Jamie Riden / jamie at honeynet.org / jamie.riden at gmail.com
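The rule change Chaim sketches (extending CRS inspection to REQUEST_HEADERS:User-Agent) and the two logging patterns Jamie mentions, written out as an added example that is not from the thread or from the CRS project itself. The rule ids are placeholders, the tx.critical_anomaly_score variable and block/anomaly handling assume a CRS-style setup, and @detectXSS/@detectSQLi assume ModSecurity 2.8 or later.

```apache
# Added example, not CRS code. Placeholder ids 900001/900002: pick ids that
# are free in your deployment. Assumes CRS anomaly-scoring variables exist.

# Case 1 from the thread: the app logs User-Agent and an admin page later
# writes it into HTML unescaped (stored/reflected XSS through the header).
SecRule REQUEST_HEADERS:User-Agent "@detectXSS" \
    "id:900001,\
    phase:2,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    block,\
    msg:'XSS payload detected in User-Agent header',\
    logdata:'Matched Data: %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'attack-xss',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

# Case 2 from the thread: the app inserts User-Agent into a database table
# with string concatenation (SQL injection through the header).
SecRule REQUEST_HEADERS:User-Agent "@detectSQLi" \
    "id:900002,\
    phase:2,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\
    block,\
    msg:'SQLi payload detected in User-Agent header',\
    logdata:'Matched Data: %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'attack-sqli',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"
```

Run these in DetectionOnly first: User-Agent strings from real browsers, scanners and SDKs are noisy, so check the audit log for false positives before letting the anomaly score block.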