The ModSecurity Web Application Firewall is hard. It’s a complex piece of software with a complicated configuration language. There are rough edges and if you happen to run the OWASP ModSecurity Core Rules, then you are likely to get more false alarms, than you are prepared for. There is Ivan Ristić’s ModSecurity Handbook which serves […]
Truth be told, ModSecurity does not have a random function. If we need random numbers, we need to get them ourselves. Josh Zlatin has shown how you can do this with lua. If we do not want to use lua, we are left on your own devices. I am not in need of cryptographically secure […]
Chaim Sanders of Trustwave shared a link to a blogpost with XSS extracted from Reddit’s XSS subreddit. I sat in the train the other day and thought I could kill time by taking a look at the traffic and how ModSecurity and the Core Rules would handle it. Here is the traffic in question. Apparently, […]
[UPDATE: There is a separate tutorial about the Handling of False Positives (This article here is mostly about statistical data of the CRS2 rule set. Meanwhile CRS3 has been released).] ModSecurity – or any WAF for that matter – produces false positives. If it does not produce false positives, then it’s probably dead. A strict […]
It has been a while since we have seen big development in the OWASP ModSecurity Core Rules. This is due to the fact, that the development took place in a separate branch named 3.0.0-dev which adopts many of the newer features and operators included in ModSecurity since 2.7; notably @detectSQLi and @detectXSS. When you take […]
