Announcing Release of OWASP ModSecurity Core Rule Set v2.2.3

The SpiderLabs Research Team is pleased to announce the ModSecurity OWASP Core Rule Set v2.2.3 release. You can download the TAR/GZ or ZIP archive here.

There are a few significant updates, most notably:

  • We have added more application defect checks based largely on the Watcher tool by Casaba Security which is used for passive vulnerability assessments.
  • SpiderLabs Consultant Andrew Wilson identified a potential evasion issue if the client specifies an abnormal/unexpected Content-Type request header. In some cases, the application may disregard the data specified by the Content-Type header and process the request body data normally, however, ModSecurity would no inspect the payload. We have addressed this issue by updating an existing rule that will dynamically force the population of the REQUEST_BODY variable if an unexpected Content-Type is used.


--------------------------Version 2.2.3 - 12/19/2011--------------------------Improvements:- Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file - Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file Fixes:- Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to  rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs). - Updated the regex and added tags for RFI rules.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.