Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Announcing Release of OWASP ModSecurity Core Rule Set v2.2.3

The SpiderLabs Research Team is pleased to announce the ModSecurity OWASP Core Rule Set v2.2.3 release. You can download the TAR/GZ or ZIP archive here.

There are a few significant updates, most notably:

  • We have added more application defect checks based largely on the Watcher tool by Casaba Security which is used for passive vulnerability assessments.
  • SpiderLabs Consultant Andrew Wilson identified a potential evasion issue if the client specifies an abnormal/unexpected Content-Type request header. In some cases, the application may disregard the data specified by the Content-Type header and process the request body data normally, however, ModSecurity would no inspect the payload. We have addressed this issue by updating an existing rule that will dynamically force the population of the REQUEST_BODY variable if an unexpected Content-Type is used.


--------------------------Version 2.2.3 - 12/19/2011--------------------------Improvements:- Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file  http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies - Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file  http://websecuritytool.codeplex.com/wikipage?title=Checks#charset- Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file  http://websecuritytool.codeplex.com/wikipage?title=Checks#headerBug Fixes:- Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to  rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs). - Updated the regex and added tags for RFI rules.