[Owasp-modsecurity-core-rule-set] Some XSS evasions posted (and some thoughts why ModSec Core Rules users were hit on day 0)

Chaim Sanders CSanders at trustwave.com
Thu Sep 17 16:05:12 UTC 2015


Hey Ryan, we miss you here :).
Christian, I'd like to reiterate what Ryan said and add some points here, although I should note that we are preparing a blog post on the topic of these recent evasions. In practice, the Trustwave team is very small; at this current time it is Felipe and myself (although the size fluctuates). This means that we must split our time over things like dealing with ModSecurity bug fixes, developing new features for ModSecurity, working on the Core Rule Set, offering commercial support, answering the open source support, developing QA for the project, maintaining servers for the project, posting blogs on complex topics, maintaining information on the project, meetings (for the love of god, meetings), and maintaining the commercial rules that Trustwave offers (I think this is it but there is probably more). This is not meant as an excuse; you will see we've been working on some of these areas heavily. As always, community support is invited in the bulk of these areas.

In terms of help: we would LOVE help, and we're more than willing to give access to repos/servers and such for individuals who show a commitment to the project. Currently there are only a limited number of people who frequently comment on the mailing list (yourself included, which we love… in this one case I'd like to call out h.reindl at thelounge.net for his particularly funny replies), let alone committing patches. If you think you would like to help with a particular area, such as updating information on various sites, we're more than happy to help with that and give you access to the desired areas, given that you've been around for at least a little bit :-P.

So what are the future directions of ModSecurity from our perspective…
Well, the most important thing we're working on right now is ModSecurity v3. Not only are we working on it (Felipe has been committing pretty much daily for the past 4 months) but it is almost ready for release. There are a couple of main goals with this platform. The biggest is to deal with the reliance that ModSecurity had on Apache (being developed originally for it). v3, also known as libmodsecurity, is designed to act as a library with what we call connectors to web servers (that is, connectors will be built as web server modules that talk to the library). This approach should not only make it MUCH easier for new web server support to be added, but also fix a number of issues that have been plaguing ModSecurity regarding nginx support (see the issues list). Currently, the version we have can run 99% of the OWASP CRS 3.x ruleset, with the rest expected to be functional within the next couple of days.
The second thing we've been working on is the ModSecurity dashboard. While this has been in use for a few months, we spent a while focusing on its development. The dashboard allows individuals to maintain which rules get delivered to their ModSecurity instances via an easy-to-configure dashboard that will automatically push rules to ModSecurity instances by way of the new 'SecRemoteRules' directive.
In the backend we've also been doing lots of revamping of our testing process. In fact, leading up to ModSecurity v3 we've created 1000s of test cases which will finally ground the ModSecurity development process in a solid foundation. Coupled with this, we've been building out our buildbot infrastructure for monitoring these tests both externally (for build control) and internally for performance testing.
Obviously there have been other things, from working with organizations to expand how ModSecurity is used across the web with various partners like cPanel and Kemp, to fundamentally changing the structure of the commercial rules we offer to make them more effective.
In closing, you are undoubtedly right: we (contributors to ModSecurity) should attempt to communicate better what activities we are undertaking and where work can be directed. We are hoping to promote CRS 3.x to the master branch very soon (for reasons we have listed previously we have not) and also hoping that we can match that timing fairly closely with the general release of v3 (which is only developed for NGINX right now, but is wholly backwards compatible). Perhaps to address this concern, each quarter we will start to undertake a 'state of ModSecurity' e-mail blast. What are your thoughts on how to increase communication?

From: Ryan Barnett <ryan.barnett at owasp.org>
Date: Thursday, September 17, 2015 at 8:39 AM
To: Christian Folini <christian.folini at time-machine.ch>, Chaim Sanders <csanders at trustwave.com>
Cc: "owasp-modsecurity-core-rule-set at lists.owasp.org" <owasp-modsecurity-core-rule-set at lists.owasp.org>, "mod-security-users at lists.sourceforge.net" <mod-security-users at lists.sourceforge.net>
Subject: Re: [Owasp-modsecurity-core-rule-set] Some XSS evasions posted (and some thoughts why ModSec Core Rules users were hit on day 0)

Christian,
You bring up many valid points and I thank you for pushing on these. Here are some responses:

  *   First and foremost, both ModSecurity itself and the OWASP ModSecurity Core Rule Set (CRS) are open source projects. Trustwave does not own either of them. The only thing that Trustwave owns is the "ModSecurity" trademark name. The projects are Apache ASLv2 licensed. These projects will live and (hopefully not) die dependent upon the community support. The support that Trustwave gave to these projects over the years has been a double-edged sword in some respects. Yes, we were allocated commercial work time to invest in these projects as they have commercial ModSecurity offerings to support ModSecurity. This support, however, gave the appearance to the community that Trustwave would do all the work and that the community could basically just send emails or open issue tickets and wait for things to get fixed by SpiderLabs. This misconception, I feel, has truly limited ModSecurity from fully blossoming into a vibrant open source community.
  *   Speaking of me personally, as many of you know, I moved on from Trustwave SpiderLabs and joined the Akamai Threat Research Team where I now provide research for our cloud security products (including Kona WAF). Referring to my previous point, just because I switched jobs/companies does not preclude me from still working on these projects. I am still the OWASP ModSecurity CRS Project Leader. Not having Chaim listed on the OWASP Project page was an oversight and is now corrected (thanks for pointing that out). The issue we have had in releasing these updates has mainly been because we have all been swamped with work from our day jobs. This is where having a real community-driven project helps, as there aren't any bottlenecks to slow things down. Community members can fork the CRS repo, update and initiate PULL requests and we can all move on. To date, however, this workflow has not really blossomed.
  *   As for security researchers responsibly reporting issues, we have a number of places that list how to contact the team:
     *   http://www.modsecurity.org/help.html

Security: We take security very seriously! If you need to report a security problem please write to security at modsecurity.org
Hope this info helps.

Ryan



From: <owasp-modsecurity-core-rule-set-bounces at lists.owasp.org> on behalf of Christian Folini
Date: Thursday, September 17, 2015 at 4:35 AM
To: Chaim Sanders
Cc: "owasp-modsecurity-core-rule-set at lists.owasp.org"
Subject: Re: [Owasp-modsecurity-core-rule-set] Some XSS evasions posted (and some thoughts why ModSec Core Rules users were hit on day 0)

Chaim,

Having read your report, I got in touch with the author of the said
report, mazin at mazinahmed.net, myself. He replied immediately.

I do not want to quote him, but his message boils down to Trustwave
responding to him with the information that Ryan has left Trustwave
and that his successor will work on the findings.

We'll have to take this with a grain of salt, but honestly,
transparency and responsibilities in the ModSec and the Core Rules
projects are a bit lacking from my point of view. I have no doubt things
are very clear for you guys working at Trustwave; and it is likely all
the information is somewhere to be found. But what I would appreciate
is more moderation and an easier way to find the things you need.

Examples:
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
seems to be the website of the Core Rules. At least it is the number one
hit I get on Google and DuckDuckGo.

It lists:
Project Leader: Ryan Barnett
Contributors:
    Josh Zlatin
    Roberto Salgado
    Ashar Javed (@soaj1664ashar)

But _you_ are not mentioned. Still you seem to handle things as this.
Do you have any authority to speak on behalf of the project? Is Ryan
still around in the project? Why was there no farewell message?

What is dearly missing is an email address to report security issues with the
Core Rules. I mean that would be the address I would be looking for
if I were a responsible security researcher with an exploit in my hands.

When you take the link to GitHub, you land on a repository where
the last commit is two years old. If you read the mailing lists you will
find the development is actually happening, but it's now in the 3.0.0 branch
(where the last commit is 4 months old). Ryan forked the 3.0.0 branch in 2012,
but it was first mentioned in the Core Rules mailing list in July 2015. It's
probably my fault I did not check if there were any interesting branches
with the Core Rules in the meantime, but things would really be easier
if things were more transparent.

I do not want to do finger-pointing, even if it may seem so. I want to
make clear how things look from the outside for users like me, let alone someone
new to ModSec or the Core Rules. Both are great projects and they could
be better still (and actually attract contributions) if they were more
accessible and transparent.

Best regards,

Christian


On Tue, Sep 15, 2015 at 01:23:18PM +0000, Chaim Sanders wrote:
As far as I am aware we have not received anything. It certainly didn't go
to this mailing list and I don't recall anything on
security at modsecurity.org. I am preparing a blog post where we analyse
these attacks as we speak. Be on the lookout for it :)
On 9/15/15, 12:03 AM,
"owasp-modsecurity-core-rule-set-bounces at lists.owasp.org on behalf of
Christian Folini" <owasp-modsecurity-core-rule-set-bounces at lists.owasp.org
on behalf of christian.folini at time-machine.ch> wrote:
>Good morning,
>
>What is funny about the paper is, that he lists contact with all
>the other vendors and how they reacted to his responsible
>disclosure, but this is missing for ModSec.
>
>Has there been no contact / no interest to patch in due time?
>
>Ahoj,
>
>Christian
>
>
>--
>It's easier to ask forgiveness, than it is to get permission.
>-- Radm Grace Hopper, aka Amazing Grace
>
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>Owasp-modsecurity-core-rule-set at lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

--
Christian Folini
Ringstrasse 2
CH-3639 Kiesen
+41 (0)31 301 60 71 (H)
+41 (0)79 220 23 76 (M)
mailto:christian.folini at netnea.com (Business)
mailto:christian.folini at time-machine.ch (Private)
http://www.christian-folini.ch


