Monthly Chat Agenda July (2020-07-06) #1836

fzipi · 2020-07-04T20:28:41Z

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, July 6th, at 20:30 CET.

Items on the Agenda: (see previous meetings decisions: here)

PRs

Add method "SEARCH" to allowed method #1781 Add method "SEARCH" (rebase needed, then merge)
Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf #1786 Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf (add # ) (rebase needed, then merge)
SQLi using set var at PL2 #1793 SQLi using set var at PL1 (some more explanation needed, negative tests would be welcome, move to PL2)
Fix FP with sql having in 942230 (mv PR from old repo) #1806 Fix FP with sql having in 942230 (mv PR from old repo) (merged during meeting)
Fix false positives with rule 942360 #1817 Fix false positives with rule 942360 (Walter and Émil-Hugo will work on this PR in the next month, with the goal to merge it on the next meeting)
Some PRs still need to be migrated from Issues to PR!

This is necessary because the migration of the repo was only possible to take PRs with us in forms of issues.

932200: PL1 RCE bypass uninitialized variable (DRAFT) #1602 932200: PL1 RCE bypass uninitialized variable (DRAFT) (Has been in need of action for a long time)
Revert #578 #1616 Revert Add urlDecodeUni() operation to ARG/ARGS_NAMES #578 (Needs action)
RE2 compatibility for 920120 #1663 RE2 compatibility for 920120 (no feedback from CDN unfortunately) (@franbuehler will open a new PR based on the allanrbo's work)

Other items

Status of CRS project co-lead Chaim Sanders - only if he is in the chat. Otherwise this is postponed for 1 month. MAX.
New DoS against libmodsecurity3 in conjunction with certain regexes, including 932100 (CVSS score of 7.5). Trustwave has merged a patch, but they deny it is a security issue. The issue was discovered by @airween and @theMiddleBlue and they are asking the project for guidance / potential support with a publication.
Consolidating projects hosted in CRS-support over the coreruleset umbrella:
- ftw
- modsecurity-docker
- modsecurity-crs-docker
- secrules_parsing
- modsecurity-ansible-role
- owasp-crs-documentation
Publication of wiki page with implementation issues with libmodsecurity3 by @airween
@Taiki-San of sqreen is thinking about stripping down the rule set to a distribution of rules that are guaranteed to never trigger a false positive. This picks up on the idea of a PL0 for ISPs.
Feedback from @dune73 after a two weeks in the HTTP Working Group chat where WAFs are discussed as a potential problem leading to protocol ossification

Feel free to add items as you see fit either above, or below as comments.

Open Issues

In January 2020, we decided to look into 10 issues at the chat every month. But only after the Other items. Pick the issues before the meeting and list them

Issue slot 1: Reference and Tag with CAPEC IDs consistently #486 (CAPEC tags)
Issue slot 2: Coreruleset (documentation) browser on project homepage #1824 Anomaly Score Blocking Mode #1814 (CRS documentation in general)
Issue slot 3: False positive w 8000 ith "postgres SQL Information Leakage" rule 951240 #1468 (FP postgres sql info leakage, @franbuehler will look into this)
Issue slot 4: Docker Image Update v3.3.0 (@franbuehler)
Issue slot 5: RE2 compatibility for 920120 #1663 RE2 compatibility for 920120 (no feedback from CDN unfortunately) (@franbuehler will open a new PR based on the allanrbo's work)
Issue slot 6: 932200 FP - URL with a query string encoded within a query string parameter #1835 - 932200 FP - URL with a query string
Issue slot 7: False Positive with Rule 932130 in WordPress/WooCommerce Editing Product #1834 - 932130 FP in WordPress (commercial tool?)
Issue slot 8: Rules 941100/941120/942100 blocks randomly generated Cookie #1828 - 3 FPs in 941100 941120 942100 with random cookies
Issue slot 9: upgrade-insecure-requests false positive RESPONSE-951-DATA-LEAKAGES-SQL.conf rule 951120 #1827 - FP on 951120
Issue slot 10: SecAuditLogParts not working: mod_security keeps logging response body #1819 - SecAuditLogParts not working, probably not due to CRS

If you are not yet on the OWASP Slack, here is your invite: https://owasp-slack.herokuapp.com/ .
Everybody is welcome to join our community chat.

The text was updated successfully, but these errors were encountered:

dune73 · 2020-08-03T13:46:03Z

Decisions

PRs

Add method "SEARCH" to allowed method #1781 - merge after rebase to 3.4 branch
Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf #1786 - merge after rebase to 3.4 branch; update: replaced by Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf #1839
SQLi using set var at PL2 #1793 - We want better documentation, better / more tests and the rule stays in PL2 kindergarden until it is proven to have only very few FPs. It can still be in PL1 for 3.4, but per default it goes to PL2.
Fix FP with sql having in 942230 (mv PR from old repo) #1806 - merge
Fix false positives with rule 942360 #1817 - @lifeforms and @Taiki-San sort this out together
932200: PL1 RCE bypass uninitialized variable (DRAFT) #1602 - probably replaced by 932200: RCE bypass techniques #1783, this one here can probably be closed then, waiting for @theMiddleBlue to close it.
Revert #578 #1616 - @fgsch is looking into this again
RE2 compatibility for 920120 #1663 - @allanrbo has left the scene, @franbuehler is taking over this PR

Other Items

@csanders-git is back into the project; now in the role of a developer; plans are the get the demo site to life and then try to write SSO rules (ensure that we don’t have XML signature wrapping or XXE and then there are also a whole bunch of JSON OIDC validations that can be done)
We plan to give TW a full 90 grace period until we publish the ModSec3 DoS, thus aiming for Monday, September 13. This is without any exploits appearing in the wild. If that happens we will publish sooner.
We support the 8000 idea of a rule exclusion package / PL 0 for hosters like proposed by @Taiki-San

Issues

Dedicated issue meeting was held on July 13

Issue slot 1: Reference and Tag with CAPEC IDs consistently #486 - close this; it's been implemented
Issue slot 2: Coreruleset (documentation) browser on project homepage #1824 assigned to @dune73 with the idea to work with @bittner to get this done
Issue slot 2b: Anomaly Score Blocking Mode #1814 - assigned to @lifeforms
Issue slot 3: False positive with "postgres SQL Information Leakage" rule 951240 #1468 - assigned to @franbuehler
Issue slot 4: Docker Image Update v3.3.0 - assigned to @franbuehler
Issue slot 5: RE2 compatibility for 920120 #1663 - assigned to @franbuehler
Issue slot 6: 932200 FP - URL with a query string encoded within a query string parameter #1835 - assigned to @theMiddleBlue and set up for discussion in August meeting
Issue slot 7: False Positive with Rule 932130 in WordPress/WooCommerce Editing Product #1834 - assigned to @lifeforms
Issue slot 8: Rules 941100/941120/942100 blocks randomly generated Cookie #1828 - assigned to @dune73: Close this issue, open anew with the idea to move closer to 941120 ("I think we can probably salvage 941120 by only firing on onXXX with 3-22 X characters… onget seems to be the shortest one, onmozorientationchange the longest one")
Issue slot 9: upgrade-insecure-requests false positive RESPONSE-951-DATA-LEAKAGES-SQL.conf rule 951120 #1827 - assigned to @airween
Issue slot 10: SecAuditLogParts not working: mod_security keeps logging response body #1819 - assigned to @airween

fzipi added the 🔖 Meeting Agenda label Jul 4, 2020

franbuehler changed the title ~~Monthly Chat Agenda June (2020-07-06)~~ Monthly Chat Agenda July (2020-07-06) Jul 5, 2020

This was referenced Aug 3, 2020

SQLi using set var at PL2 #1793

Merged

RE2 compatibility for 920120 #1663

Closed

Rules 941100/941120/942100 blocks randomly generated Cookie #1828

Closed

dune73 closed this as completed Aug 3, 2020

dune73 mentioned this issue Aug 3, 2020

Monthly Chat Agenda August (2020-08-03) #1853

Closed

franbuehler mentioned this issue Aug 30, 2020

Monthly Chat Agenda September (2020-09-07) #1869

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Monthly Chat Agenda July (2020-07-06) #1836

Monthly Chat Agenda July (2020-07-06) #1836

Uh oh!

Uh oh!

Monthly Chat Agenda July (2020-07-06) #1836

Monthly Chat Agenda July (2020-07-06) #1836

Comments

Uh oh!

PRs

Other items

Open Issues

Uh oh!

Decisions

PRs

Other Items

Issues

Uh oh!