8000 Monthly Chat Agenda December 2022 (2022-12-05 and 2022-12-19) · Issue #3036 · coreruleset/coreruleset · GitHub
dune73 opened this issue Nov 30, 2022 · 2 comments
dune73 commented Nov 30, 2022

This is the Agenda for the two Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2022-12-05, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2022-12-19. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decisions are here.

What happened in the meantime since the chat last month

Outside development

  • Interesting twitter discussion with uplifting comments
  • @fzipi was approached by libinjection developer Miguel de Moura to act as maintainer. The discussion and decision from Varese were explained, but Felipe accepted acting as a maintainer with low priority between other projects. Expect some movement on that side, but not progress for now.

Inside development

Rules

  • Rules updates in light of bug bounty findings and direction of CRS4 is grinding along, but the pace is not as fast as we would like. Administratively all bug bounty findings are closed, but on retest, we have a substantial amount where the exploits are still not detected.

CRS Sandbox

CRS Bug Bounty and Security

  • Finished most of the failing tests for BB issues
  • Need a decision on whether we want to address ReDoS in one of the findings

Plugins

Documentation and Public Relations

Project Administration and Sponsor relationships

  • CRS dev-on-duty payments until end of the year have been initiated
  • Dev retreat reimbursements are still pending (dune73 did not get all receipts)
  • We ran out of our free GitHub plan because of a CI/CD problem. We immediately started an enterprise trial while solving the problem and we are now trying to cancel said plan.
  • Several blog posts about new sponsors are pending.

Tools

  • fixed several bugs in crs-toolchain
  • renumbered tests so that all use a consistent scheme (<rule ID>-<test number>)
  • added test numbering lint step to GitHub linting
  • go-ftw refactored the configuration to be easy to use in tests.

Testing incl. Seaweed and many future plans

  • See "plugins" for plugin testing pipeline.

Containers

CRS Status Page

Project discussions and decisions

  • How to close remaining open bug bounties (that are meant to be closed already)
  • How to continue the work on the lists with keywords (biggest CRS v4 show-stopper right now - but is it a show-stopper? Should we release it as it is? Let's discuss!)
  • Dublin 2023 - CRS Community day. The idea is to hold a CRS event around the time of the OWASP Global AppSec event, likely February 14. (For context, the OWASP event's dates are: "Training courses" Mon 13 Feb, Tue 14 Feb, "conference and exhibitor days" Wed 15, Thu 16 Feb. We would hold an event the day before?)
  • Proposal: deprecate ftw for CRS tests as of 2023-01-01.
  • fix(multiple bypasses) from Shivam Bathla's 2nd bypasslist #2926 - Bathla's 2nd bypass list: do we want to cover sqli and rce in request headers and should @franbuehler finish this PR?
  • Bug Bounty ReDoS question

Rules development, key project numbers

PRs that have been merged since the last meeting

We merged 30 PRs since the last monthly project chat.

Open issues and PRs

  • As of Monday, we have 109 open issues.
  • As of Monday, we have 24 open pull requests.

Separate 2nd Meeting (Monday, 2022-12-19)

Bug Bounty status (Dec 19)

Paranoia level | Findings detected | Coverage (last week)
PL1            | 368               | 77.97% (76.67%)
PL2            | 444               | 94.07% (92.50%)
PL3            | 446               | 94.49% (92.92%)
PL4            | 467               | 98.94% (97.92%)

That's 26 findings not detected at PL3.

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite.

Everybody is welcome to join our community chat.

franbuehler commented Dec 5, 2022

Decisions Dec 5

Project discussions and decisions

  • Bug Bounty ReDoS question -> LHETJGAX-2 : We don't address this.
  • Proposal: deprecate ftw for CRS tests as of 2023-01-01 -> accepted
  • fix(multiple bypasses) from Shivam Bathla's 2nd bypasslist #2926 - Bathla's 2nd bypass list: do we want to cover sqli and rce in request headers and should @franbuehler finish this PR? -> Yes! But only checks for UA, Referer and Cookies at PL2. If SQLi rules are prone to FP in Cookies -> move them to PL3.
  • How to close remaining open bug bounties (that are meant to be closed already) -> in 2 weeks @theseion can say how long it will take to close the remaining ones / failing tests. @RedXanadu will help out.
  • How to continue the work on the lists with keywords (biggest CRS v4 show-stopper right now - but is it a show-stopper? Should we release it as it is? Let's discuss!) -> we need to focus on this, prio nr. 1! @franbuehler, @emphazer will join. @53cur3M3, @lifeforms would like to join after Christmas. If @dune73 finds the time, he would like to work on crawler, UA lists.
  • Summarize BB and lists: We are aware of pending shortcomings with BB findings and keyword lists, but we are not yet ready to give up on this as a team and we will continue the struggle for a few more weeks.

franbuehler commented Dec 19, 2022

Decisions Dec 19

Project discussions and decisions

Bug Bounty and curl calls

  • most of the failing curl calls are due to 932150
  • @franbuehler proposed PR fix(multiple bypasses) from Shivam Bathla's 2nd bypasslist #2926 (adds about 4 new PL2 rules (clones) to only catch Shivam's bypasses) and @theseion proposed PR [WIP] feat(rce): check Referer and User-Agent headers #3054 (add UA and referer to all 932xxx PL1 rules, more holistic). Decision: They'll work together on a proposal/solution.
  • 932150 is too big for Apache to handle and is also outdated. Possible solutions:
    • reuse unix-shell-upto3 as in 932230
    • adding a new rule to find command words of length > 3 without evasions
    • adding a generalized evasion detection rule, like 932240 (if necessary)
    • caveat: things like time and ping may be in that word list of words of length > 3. -> second rule for words > 3 and add the exclusion (to be implemented in crs toolchain) there
    • FP on 932150 (PL1) with payload "ping" and "time" #2419 is about removing ping and time. Those FPs would persist.
    • words of length > 2 at PL2 only (for 932150)

Add tests to plugin

Split rule 932110

  • feat(932110): update windows list 1/2 #3059
  • split makes sense. It's just very annoying for our users of course. Also there is a chance that existing REs continue to remain active even though the original payload would now target the other rule.
  • I think we should shift to two new rule IDs. If the 2 rules have different sources now, there is no point keeping one of them at 932xx5 anymore. It should be a 932xx0 rule in my opinion. It would also make sure users start with new REs anew.
