Announcing Release of OWASP ModSecurity Core Rule Set v2.2.3 (December 19, 2011, Ryan Barnett): The SpiderLabs Research Team is pleased to announce the ModSecurity OWASP Core Rule Set v2.2.3 release. You can download the TAR/GZ or ZIP archive here. There are a few significant updates, most notably: We have added more application defect checks...
[Honeypot Alert] SQL Injection Scanning Update - Filter Evasions Detected (December 15, 2011, Ryan Barnett): As we reported in the previous [Honeypot Alert] WordPress/Joomla/Mambo SQL Injection Scanning Detected alert - we have identified an increase in mass SQL Injection scanning targeting various community components. While this scanning is still ongoing, we have identified a slight...
Microsoft Patch Tuesday, December 2011 (December 13, 2011, nosteve): This Patch Tuesday, there are 3 new Critical and 10 new Important Bulletins. With this many high-urgency bulletins, it's tough to get a handle on which ones to tackle first. Of course, "all of them" is the standard answer, but...
[Honeypot Alert] WordPress Timthumb Attacks Rising (November 15, 2011, Ryan Barnett): SpiderLabs Research Team has been tracking an increase in WordPress Timthumb plug-in scanning. How widespread are the attacks? We just added the following entry to the Web Hacking Incident Database (WHID) - WHID 2011-262: Hackers 'Timthumb' Their Noses At...
ModSecurity Advanced Topic of the Week: Commercial Rules Overview (October 4, 2011, Ryan Barnett): As you may have heard, Trustwave recently announced the availability of commercial rules and support for open source ModSecurity users. Since the announcement, we have received numerous requests for more information about the commercial rules. This blog post will provide...
ModSecurity Advanced Topic of the Week: Remote File Inclusion Attack Detection (September 30, 2011, Ryan Barnett): Remote file inclusion (RFI) is a popular technique used to attack web applications (especially PHP applications) from a remote server. RFI attacks are extremely dangerous as they allow a client to force a vulnerable application to run their own...
Trustwave Releases New ModSecurity Rules and Support (September 22, 2011, SpiderLabs): ModSecurity is the most popular open source web application firewall (WAF) deployed today. We receive thousands of downloads each month from our main repository alone. It is estimated that there are over 1 million sites on the internet using it...
Implementing AppSensor Detection Points in ModSecurity (August 31, 2011, Ryan Barnett): This is a follow-up to a previous blog post entitled "Real-time Application Profiling" that implements extended profiling logic using the ModSecurity Lua API. AppSensor Detection Points: SpiderLabs Research Team is happy to announce that we have just updated the OWASP...
Detecting Malice with ModSecurity: (Updated) CSRF Attacks (August 30, 2011, Ryan Barnett): UPDATE - since this original post, we added new data manipulation capabilities to v2.6.0 with the introduction of the @rsub operator. See the last section on modifying outbound data server-side. This week's installment of Detecting Malice with ModSecurity will discuss...
(Updated) Mitigation of Apache Range Header DoS Attack (August 24, 2011, Ryan Barnett): Update: After deeper research into the underlying vulnerability and analyzing customer traffic, SpiderLabs has developed a new BETA ModSecurity ruleset to mitigate the Apache Range Header DoS vulnerability. The following rules may be used to truncate the Range header fields...
ModSecurity Advanced Topic of the Week: (Updated) Exception Handling (August 23, 2011, Ryan Barnett): UPDATE - since this original post, we added new exception handling capabilities to v2.6.0 which are a tremendous help for adding in custom exceptions. See the section below on Updating the Target Lists. This post is long overdue. I will...
ModSecurity Advanced Topic of the Week: Automated Virtual Patching Script (August 18, 2011, Ryan Barnett): Automated Virtual Patching Example Script: The SpiderLabs Research Team has added an example script to the OWASP ModSecurity Core Rule Set (CRS) Project archive that will help users to quickly implement virtual patches for vulnerabilities identified by an open source...
Detecting Malice with ModSecurity: HoneyTraps (August 2, 2011, Ryan Barnett): This week's installment of Detecting Malice with ModSecurity will discuss how to implement HoneyTraps in order to detect malicious activity on your website. HoneyTrap excerpt section of Robert "Rsnake" Hansen's book "Detecting Malice" - Booby Trapping Your Application I briefly...
ModSecurity SQL Injection Challenge: Lessons Learned (July 26, 2011, Ryan Barnett): This is a post-mortem blog post to discuss the successful Level II evasions found by participants during the recent ModSecurity SQL Injection Challenge. First of all, I would like to thank all those people that participated in the challenge. All...
Announcing Release of OWASP ModSecurity Core Rule Set v2.2.1 (July 20, 2011, Ryan Barnett): I am pleased to announce the release of the OWASP CRS v2.2.1. This is a significant update with regards to SQL Injection protections. Trustwave's SpiderLabs Team conducted an analysis/review of the SQL Injection Challenge Level II evasions - http://www.modsecurity.org/demo/challenge.html and...
Advanced Topic of the Week: (Updated) Real-time Blacklist Lookups (July 19, 2011, Ryan Barnett): Updated - the information in this blog has been updated to reflect the current RBL enhancement added to the recently released ModSecurity v2.6.0 and for 2.7 in SVN trunk. This week's feature is the effective use of Real-time Blacklist lookups (@rbl)....
(Updated) ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks (July 13, 2011, Ryan Barnett): Update - the latest version of ModSecurity 2.6 has a new directive called SecWriteStateLimit that helps to defend against Slow POST attacks. With the recent OWASP AppSec DC presentation on Slow HTTP POST DoS attacks, the issue of web...
Announcing the ModSecurity SQL Injection Challenge (June 22, 2011, Ryan Barnett): The ModSecurity Project Team is happy to announce our first community hacking challenge! This is a SQL Injection and Filter Evasion Challenge. We have set up ModSecurity to proxy to the following 4 commercial vuln scanner demo sites: IBM (AppScan) -...
ModSecurity Advanced Topic of the Week: Application Logout Response Actions (June 21, 2011, Ryan Barnett): Application Defense Response Actions: What is the best way to respond to suspicious transactions within your web application? The answer is that it depends on the circumstances and it is certainly not a "One Size Fits All" approach. The reality...
Patch the Vuln - Feathers - SQLi (June 20, 2011, Ryan Barnett): Spot the Vuln -> Patch the Vuln. This blog post series is designed to be a companion to the Spotthevuln.com website (thanks to Billy Rios - @XSSniper). Spotthevuln.com was designed to give developers more insight into designing code with...