[Owasp-modsecurity-core-rule-set] Some XSS evasions posted (and some thoughts why ModSec Core Rules users were hit on day 0)

Christian Folini christian.folini at time-machine.ch
Thu Sep 17 08:35:44 UTC 2015


Chaim,

Having read your report, I got in touch with the author of the said
report, mazin at mazinahmed.net, myself. He replied immediately.

I do not want to quote him, but his message boils down to Trustwave
responding to him with the information that Ryan has left Trustwave 
and that his successor will work on the findings.

We'll have to take this with a grain of salt, but honestly, 
transparency and responsibilities in ModSec and the Core Rules
project is a bit lacking from my point of view. I have no doubt things 
are very clear for you guys working at Trustwave; and it is likely all
the information is somewhere to be found. But what I would appreciate
a more moderation and an easier way to find the things you need.

Examples:
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
seems to be the website of the Core Rules. At least it is the number one
hit I get on google and duckduckgo.

It lists:
Project Leader: Ryan Barnett
Contributors:
    Josh Zlatin
    Roberto Salgado
    Ashar Javed (@soaj1664ashar)

But _you_ are not mentioned. Still you seem to handle things as this.
Do you have any authority to speak on behalf of the project? Is Ryan
still around in the project? Why was there no farewell message?

What is dearly missing is an email address to report security issues with the
Core Rules. I mean that would be the address I would be looking for
if I were a responsible security researcher with an exploit in my hands.

When you take the link to Github, you land on a repository with 
the last commit two years old. If you read the mailinglists you will
find, the development is actually happening, but it's now in the 3.0.0 branch
(where the last commit is 4 months old). Ryan forked the 3.0.0 branch in 2012, 
but it was first mentioned in the core rules mailinglist in July 2015. It's
probably my fault I did not check if there were any interesting branches
with the core rules in the meantime, but things would really be easier
if things would be more transparent.

I do not want to do fingerpointing. Even if it may seem so. I want to
make clear how things look from the outside for users as me, let alone someone 
new to ModSec or the Core Rules. Both are great projects and they could 
be better still (and actually attract contributions) if they were more 
accessible and transparent.

Best regards,

Christian


On Tue, Sep 15, 2015 at 01:23:18PM +0000, Chaim Sanders wrote:
> As far as I am aware we have not received anything. It certainly didn¹t go
> to this mailing list and I don¹t recall anything on
> security at modsecurity.org. I am be preparing a blog post where we analysis
> these attacks as we speak. Be on the lookout for it :)
> 
> On 9/15/15, 12:03 AM,
> "owasp-modsecurity-core-rule-set-bounces at lists.owasp.org on behalf of
> Christian Folini" <owasp-modsecurity-core-rule-set-bounces at lists.owasp.org
> on behalf of christian.folini at time-machine.ch> wrote:
> 
> >Good morning,
> >
> >What is funny about the paper is, that he lists contact with all
> >the other vendors and how they reacted to his responsible
> >disclosure, but this is missing for ModSec.
> >
> >Has there been no contact / no interest to patch in due time?
> >
> >Ahoj,
> >
> >Christian
> >
> >
> >--
> >It's easier to ask forgiveness, than it is to get permission.
> >-- Radm Grace Hopper, aka Amazing Grace
> >
> >_______________________________________________
> >Owasp-modsecurity-core-rule-set mailing list
> >Owasp-modsecurity-core-rule-set at lists.owasp.org
> >http://scanmail.trustwave.com/?c=4062&d=vp331TYeSJtl4OUFeRwH_d8xwpzKptjDeB
> >Wj6-tsnQ&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fow
> >asp-modsecurity-core-rule-set
> 
> 
> ________________________________
> 
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

-- 
Christian Folini
Ringstrasse 2
CH-3639 Kiesen
+41 (0)31 301 60 71 (H)
+41 (0)79 220 23 76 (M)
mailto:christian.folini at netnea.com (Business)
mailto:christian.folini at time-machine.ch (Private)
http://www.christian-folini.ch



More information about the Owasp-modsecurity-core-rule-set mailing list