This is the Agenda for the Monthly CRS Chat.
The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on the first Monday of the month (usually), at 20:30 CET (CEST during summer in the Northern Hemisphere). Please note that we have a CRS calendar (maintained by @fzipi).
Archived previous meetings and their decisions are here.
What happened in the meantime since the chat last month
Outside development
- Compiling Ok in AlmaLinux 8.10, but not working owasp-modsecurity/ModSecurity-nginx#336
- ModSecurity CVE-2025-27110: https://modsecurity.org/20250225/html-entity-decoding-regression-cve-2025-27110-2025-february/
- We are applying for a Datadog OSS support subscription, to get logs in and to lower the maintenance effort for the sandbox host.
Inside development
Rules
- 🆕 feat: prevent V1 cookie format - prevents cookie sandwich attacks
CRS Sandbox
- No news here.
Security
- First fix for TR7-241111 in fix(933160): use better regex #4010
Plugins
- FIXME: Please fill in
Documentation and Public Relations
- We are planning to have an Open WAF day, May 28th 2025 in Barcelona, where OWASP will hold the AppSec EU 2025. More details to come.
Project Administration and Sponsor relationships
- OWASP HQ still hasn't provided CRS with the balance from 2024. We are waiting on this for planning 2025. Note: Andrew Van Der Stock is aware of this.
- Waiting for OWASP to give us access to the Docker Hub org so we don't have to publish from our private accounts and can use organisational access tokens.
Tools
- Support for ordered list of headers in tests in go-ftw (waiting to be merged)
Containers
- New release has a new variant for Read-only Root Filesystem (only for nginx based images for now).
- Preparing new release with ModSecurity compiled with PCRE2
Project discussions and decisions
- There's a long open PR for improving generic plugin testing setup: feat(ci): add lint and integration/regression test wordpress-rule-exclusions-plugin#6
- Add common tag for all rules in a file #3991: proposal to add more tags per rule
- Re-visiting this discussion: How does CRS want to approach modsecurity.conf-recommended in the future? The situation is clearly different, now, in 2025.
  - In the past, there was friction with the engine's previous owner (e.g. CRS advocated for enabling rule 200006 (allow JSON subtypes) by default, but we were told 'no'.)
  - We previously discussed the idea that one day CRS could handle everything from modsecurity.conf-recommended directly within CRS, so that all config would be in one place and CRS could control which "default" rules to enable/disable.
  - There is also now the potential to work with team ModSecurity to come up with a solution (e.g. keep modsecurity.conf-recommended but change the defaults to be more sensible/CRS-friendly).
  - Why re-open this discussion now? It follows on from issue 9EA-241022. We removed several default allowed content types (including some "+json" subtypes). The open question remaining was: do we want to enable 'recommended' rule 200006 by default and retire rule 200001? And, more broadly, how do we want to work with/around modsecurity.conf-recommended going forwards?
Rules development, key project numbers
PRs that have been merged since the last meeting
- chore: temporarily deactivate test for 920390 #4027
- chore: post-release 4.13.0-dev #4026
- chore: release v4.12.0 #4025
- fix: prevent invalid commands matches on 5 characters or less (932220 PL-2, 932230 PL-1, 932232 PL-3, 932235 PL-1, 932236 PL-2, 932237 PL-3, 932238 PL-3, 932239 PL-2, 932250 PL-1, 932260 PL-1) #3735
- chore(deps): update ghcr.io/coreruleset/albedo docker tag to v0.0.16 in tests/docker-compose.yml #4000
- fix(941210): update log message to reflect rule javascript word detection #4023
- fix: remove .env from lfi-os-files.data #4024
- fix: move 942521 and 942522 tests to the correct file #4022
- feat: added new restricted files for openstack and docker compose #4021
- fix: move fopen to 933160 to resolve fp with RootAndLeafOpenCamera.jpg (933150 PL-1, 933160 PL-1) #4016
- fix(933160): use better regex #4010
- fix: response splitting rules and tests #4009
- chore: add debug versions for quick local testing #4008
- feat: prevent V1 cookie format use #4006
- fix: add argument name to function call #4007
- chore: move rule_ctl to its own repo #4004
- docs: add warning about default charsets modification #4003
- chore: remove nightly build #3994
- fix: enable docker-compose renovate manager properly #3995
We merged 19 PRs since the last monthly project chat.
Open PRs
Open PRs marked DRAFT or work in progress or needs action
- fix: tag inconsistency per file #4031
- feat: added rule to detect Bash Brace Expansion #3780
- chore: update test setup for 920390 #4028
- fix: incorrect id for 932230-58 #4018
- feat: accidental firewall disability prevention #3650
- fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) #3840
- feat: added detection for quote evasion #3813
- fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) #4019
- fix(test): move xss test from 942180 to 941330 #4012
- fix: create a stricter sibling to 932370 and move "at" to PL-2 (932370 PL-1, 932371 PL-2) #4015
- fix(932130): use lazy regex #3730
- chore: find rules without test #3881
- feat: added detection for RCE via Referer header #3993
- fix: 932270 FP #3917
- fix(security): resolve SQL injection protection bypass (942380 PL2) #3720
- chore: add quant as comment #3925
- feat: Add product name tags #3960
How to get to our Slack and join the meeting?
If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite.
Everybody is welcome to join our community chat.