Wednesday, August 31, 2011

OWASP AppSensor Detection Points in the OWASP ModSecurity Core Rule Set

(from Ryan Barnett)

I have begun the process of implementing the OWASP AppSensor Detection Points (https://www.owasp.org/index.php/AppSensor_DetectionPoints) within the OWASP ModSecurity Core Rule Set (https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project).

I am pleased to announce that I have just made an update to the OWASP CRS SVN repository that fully implements the Request Exception (RE) category - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RequestException. See the following blog post for more details - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html

The major change in this version vs. the earlier one outlined in this blog post (http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-real-time-application-profiling.html) is that both the profiling and detection logic have been moved to Lua scripts. With the increased logic capabilities of Lua, we are now able to more accurately profile the application in real-time by analyzing traffic and automatically generating profiles for the following resource characteristics -
  • Enforce the expected Request Method(s)
  • Enforce the number of expected parameters (min-max range)
  • Enforce parameter names
  • Enforce parameter lengths (min-max range)
  • Enforce Character Classes
    • Flag (e.g. - /path/to/foo.php?param)
    • Digits (e.g. - /path/to/foo.php?param=1234)
    • Alpha (e.g. - /path/to/foo.php?param=abcd)
    • AlphaNumeric (e.g. - /path/to/foo.php?param=abcd1234)
    • Email (e.g. - /path/to/foo.php?param=foo@bar.com)
    • Path (e.g. - /path/to/foo.php?param=/dir/somefile.txt)
    • URL (e.g. - /path/to/foo.php?param=http://somehost/dir/file.txt)
    • SafeText (e.g. - /path/to/foo.php?param=some_data-12)

The updated rules files are in the /experimental_rules directory - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/experimental_rules/

I encourage people to test out these new rules and to report back their experiences – both good and bad.

FYI – I also wanted to thank Josh Zlatin for assisting with the initial Lua script creation.

Cheers.

--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Leader
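
As an added illustration (not the CRS Lua scripts themselves), the following Python models the profiling and enforcement logic described in the post above: learn() builds a per-resource profile (methods, parameter count range, parameter names, length ranges, character classes) from observed requests, and check() reports where a later request deviates from that profile. The character-class regexes, the function names and the profile layout are this example's own assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# This example's own approximations of the character classes listed above
# (not the CRS Lua definitions), ordered from most to least restrictive.
CHAR_CLASSES = [
    ("Flag", r"^$"), ("Digits", r"^[0-9]+$"),
    ("Alpha", r"^[A-Za-z]+$"), ("AlphaNumeric", r"^[A-Za-z0-9]+$"),
    ("Email", r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"), ("Path", r"^(/[\w.-]+)+$"),
    ("URL", r"^https?://[\w.-]+(/[\w.-]*)*$"), ("SafeText", r"^[\w .-]+$"),
]

def classify(value):  # most restrictive class the value fits, else "Other"
    return next((n for n, rx in CHAR_CLASSES if re.match(rx, value)), "Other")

def _widen(rng, n):  # grow a (min, max) range so that it covers n
    return (n, n) if rng is None else (min(rng[0], n), max(rng[1], n))

def learn(samples):  # per-resource profiles from (method, url) training pairs
    profiles = {}
    for method, url in samples:
        u = urlsplit(url)
        params = parse_qsl(u.query, keep_blank_values=True)  # "?flag" -> ("flag", "")
        p = profiles.setdefault(u.path, {"methods": set(), "count": None, "params": {}})
        p["methods"].add(method)
        p["count"] = _widen(p["count"], len(params))
        for name, value in params:
            spec = p["params"].setdefault(name, {"len": None, "classes": set()})
            spec["len"] = _widen(spec["len"], len(value))
            spec["classes"].add(classify(value))
    return profiles

def check(profiles, method, url):  # violations for one request; [] means it conforms
    u = urlsplit(url)
    p = profiles.get(u.path)
    if p is None:
        return ["unprofiled resource %s" % u.path]
    params = parse_qsl(u.query, keep_blank_values=True)
    out = [] if method in p["methods"] else ["unexpected method %s" % method]
    if not p["count"][0] <= len(params) <= p["count"][1]:
        out.append("parameter count %d outside %s" % (len(params), p["count"]))
    for name, value in params:
        spec = p["params"].get(name)
        if spec is None:
            out.append("unknown parameter %s" % name)
        elif not spec["len"][0] <= len(value) <= spec["len"][1]:
            out.append("length of %s outside %s" % (name, spec["len"]))
        elif classify(value) not in spec["classes"]:
            out.append("%s is %s, expected %s" % (name, classify(value), sorted(spec["classes"])))
    return out
```

In a real deployment the training phase would run only over traffic known to be clean, otherwise the profile learns the anomalies it is meant to flag.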

Tuesday, August 23, 2011

OWASP AppSec Latin America 2011

On behalf of the OWASP AppSec Latin America 2011 organization team, I’m thrilled to announce registration is now officially open! The organization committee truly went out of its way to keep prices down and provide the best deals for people who really want to take full advantage of this event. One example is the full package deal: for R$1,000 (approximately US$625) you can attend two classes and the conference.

The deadline for early bird registration is August 31st so you do need to hurry! Conference details, sponsorship information, registration links, and some cool videos about Brazil and Porto Alegre are all available at the conference site: https://www.owasp.org/index.php/AppSecLatam2011#tab=Welcome.

Get your visa ready. We look forward to seeing everyone in Brazil!

Cassio