
Launched the OWASP ModSecurity core rule set sandbox to help security researchers test new CVEs


The free-to-use service lets users measure whether CRS can withstand a given payload

Security researchers can now test payloads against the OWASP ModSecurity Core Rule Set using a new sandbox released by the project's maintainers.

The Core Rule Set, also known as CRS, is a set of generic attack detection rules for use with ModSecurity or a compatible web application firewall (WAF).

It is designed to protect web applications from a wide range of attacks, including those in the OWASP Top Ten.


Today (December 9), the team behind CRS released a sandbox that lets researchers test the rule set without having to install or configure ModSecurity themselves.

In a blog post, the team explained that the sandbox is aimed at people facing new CVEs who “want to know if CRS can buy them time.”

“This is also very useful for CRS projects, because we can quickly test the payload against various versions and backends to confirm GitHub issues (false positives, false positives),” the post said.

‘Incomprehensible ModSecurity logs’

Project leader Christian Folini told The Daily Swig that the sandbox API was created after “regular” conversations with security researchers about how to use CRS without setting up a CRS Docker container with the correct version, and without what the team describes as the “painful interpretation of incomprehensible ModSecurity logs”.

Folini said: “I remember a conversation with James Kettle and Gareth Heyes of PortSwigger. They told us at AppSec Amsterdam in 2019 that they were willing to add information about payloads blocked by open source WAFs such as CRS in their publications, but only if the burden of setting up the container with the appropriate CRS configuration was removed from them.

“It essentially requires a CRS sandbox.”


The sandbox was officially launched in October this year. Folini added: “For every new development, we have to try several methods until we find a way to work consistently.”

“The alternative architecture of the gateway server intercepting the connection and injecting the response at the TCP level would be clever, but too complicated.

“The reverse proxy + openresty setting we determined is not ideal for certain protocol attacks, but it is relatively simple and very stable.”

Future plans

The free sandbox is hosted on AWS. The team collects logs, but IP addresses are anonymized.

Folini also talked about plans to add more features, including the ability to create a user “hall of fame” and the option to share payload information with others.

He explained: “People should be able to retrieve previous payloads and analyze them.

“This will allow someone to send an ID to a friend and say, ‘Hey, look at this complicated HTTP request.’

“Supporting these IDs can make the sandbox a tool for teams researching exploits. Or a way to store them, where you only [need to] keep the ID.”

More technical details on how the sandbox works can be found in the blog post.
