[Owasp-modsecurity-core-rule-set] Some XSS evasions posted (and some thoughts why ModSec Core Rules users were hit on day 0)

Ryan Barnett ryan.barnett at owasp.org
Thu Sep 17 12:39:46 UTC 2015


Christian,
You bring up many valid points and I thank you for pushing on these.  Here are some responses -
First and foremost – both ModSecurity itself and the OWASP ModSecurity Core Rule Set (CRS) are open source projects.  Trustwave does not own either of them.  The only thing that Trustwave owns in the “ModSecurity” trademark name.  The projects are Apache ASLv2 licensed.  These project will live and (hopefullly not) die dependent upon the community support.  The support that Trustwave gave to these projects over the years has been a double-edged sword in some respects.  Yes, we were allocated commercial work time to invest in these projects as they have commercial ModSecurity offerings to support ModSecurity.  This support, however, gave the appearance to the community that Trustwave would do all the work and that the community could basically just send emails or open issue tickets and wait for things to get fixed by SpiderLabs.  This misconception, I feel, has truly limited ModSecurity from fully blossoming into a vibrant open source community.
Speaking of me personally, as many of you know, I moved on from Trustwave Spiderlabs and joined the Akamai Threat Research Team where I now provide research for our cloud security products (including Kona WAF).  Referring to my previous point – just because I switched jobs/companies does not preclude me from still working on these projects.  I am still the OWASP ModSecurity CRS Project Leader.  Not having Chaim listed on the OWASP Project page was an oversight and is now corrected (thanks for pointing that out).  The issue we have had in releasing these updates has mainly been because we have all been swamped with work from our day-jobs.  This is where having a real community driven project helps as there aren’t any bottle-necks to slow things down.  Community members can fork the CRS repo, update and initiate PULL requests and we can all move on.  To date, however, this workflow has not really blossomed.
As for security researchers responsibly reporting issues – we have a number of places that list how to contact the team -
http://www.modsecurity.org/help.html
SecurityWe take security very seriously! If you need to report a security problem please write to security/modsecurity.org
Hope this info helps.

Ryan



From:  <owasp-modsecurity-core-rule-set-bounces at lists.owasp.org> on behalf of Christian Folini
Date:  Thursday, September 17, 2015 at 4:35 AM
To:  Chaim Sanders
Cc:  "owasp-modsecurity-core-rule-set at lists.owasp.org"
Subject:  Re: [Owasp-modsecurity-core-rule-set] Some XSS evasions posted (and some thoughts why ModSec Core Rules users were hit on day 0)

Chaim,

Having read your report, I got in touch with the author of the said
report, mazin at mazinahmed.net, myself. He replied immediately.

I do not want to quote him, but his message boils down to Trustwave
responding to him with the information that Ryan has left Trustwave 
and that his successor will work on the findings.

We'll have to take this with a grain of salt, but honestly, 
transparency and responsibilities in ModSec and the Core Rules
project is a bit lacking from my point of view. I have no doubt things 
are very clear for you guys working at Trustwave; and it is likely all
the information is somewhere to be found. But what I would appreciate
a more moderation and an easier way to find the things you need.

Examples:
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
seems to be the website of the Core Rules. At least it is the number one
hit I get on google and duckduckgo.

It lists:
Project Leader: Ryan Barnett
Contributors:
    Josh Zlatin
    Roberto Salgado
    Ashar Javed (@soaj1664ashar)

But _you_ are not mentioned. Still you seem to handle things as this.
Do you have any authority to speak on behalf of the project? Is Ryan
still around in the project? Why was there no farewell message?

What is dearly missing is an email address to report security issues with the
Core Rules. I mean that would be the address I would be looking for
if I were a responsible security researcher with an exploit in my hands.

When you take the link to Github, you land on a repository with 
the last commit two years old. If you read the mailinglists you will
find, the development is actually happening, but it's now in the 3.0.0 branch
(where the last commit is 4 months old). Ryan forked the 3.0.0 branch in 2012, 
but it was first mentioned in the core rules mailinglist in July 2015. It's
probably my fault I did not check if there were any interesting branches
with the core rules in the meantime, but things would really be easier
if things would be more transparent.

I do not want to do fingerpointing. Even if it may seem so. I want to
make clear how things look from the outside for users as me, let alone someone 
new to ModSec or the Core Rules. Both are great projects and they could 
be better still (and actually attract contributions) if they were more 
accessible and transparent.

Best regards,

Christian


On Tue, Sep 15, 2015 at 01:23:18PM +0000, Chaim Sanders wrote:
 As far as I am aware we have not received anything. It certainly didn¹t go
 to this mailing list and I don¹t recall anything on
 security at modsecurity.org. I am be preparing a blog post where we analysis
 these attacks as we speak. Be on the lookout for it :)
 
 On 9/15/15, 12:03 AM,
 "owasp-modsecurity-core-rule-set-bounces at lists.owasp.org on behalf of
 Christian Folini" <owasp-modsecurity-core-rule-set-bounces at lists.owasp.org
 on behalf of christian.folini at time-machine.ch> wrote:
 
 >Good morning,
 >
 >What is funny about the paper is, that he lists contact with all
 >the other vendors and how they reacted to his responsible
 >disclosure, but this is missing for ModSec.
 >
 >Has there been no contact / no interest to patch in due time?
 >
 >Ahoj,
 >
 >Christian
 >
 >
 >--
 >It's easier to ask forgiveness, than it is to get permission.
 >-- Radm Grace Hopper, aka Amazing Grace
 >
 >_______________________________________________
 >Owasp-modsecurity-core-rule-set mailing list
 >Owasp-modsecurity-core-rule-set at lists.owasp.org
 >http://scanmail.trustwave.com/?c=4062&d=vp331TYeSJtl4OUFeRwH_d8xwpzKptjDeB
 >Wj6-tsnQ&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fow
 >asp-modsecurity-core-rule-set
 
 
 ________________________________
 
 This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

-- 
Christian Folini
Ringstrasse 2
CH-3639 Kiesen
+41 (0)31 301 60 71 (H)
+41 (0)79 220 23 76 (M)
mailto:christian.folini at netnea.com (Business)
mailto:christian.folini at time-machine.ch (Private)
http://www.christian-folini.ch

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20150917/4d49e835/attachment.html>


More information about the Owasp-modsecurity-core-rule-set mailing list