This is the Agenda for the two Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2024-06-03, at 20:30 CEST. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2024-06-17. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happened in the meantime since the chat last month

Outside development

• Registration for the CRS Community Summit (June 24) open at https://pretix.eu/owasp-crs/community-summit-2024/

Blog posts that mention OWASP CRS found by dev-on-duty, to be added for the next meeting (external references):

• https://twitter.com/20iUnlimited/status/1795804063444910383 (Link to https://www.20i.com/blog/modsec/): Rough overview, does not go into depth. Explains how to write a SecRule using an example.
• https://twitter.com/prod42net/status/1795272715131138419 - Link to https://dev.to/henri_sekeladi/whitelisting-specific-paths-on-modsecurity-3-with-owasp-rules-39d5 (rule exclusion example with a path)
• https://twitter.com/prod42net/status/1795272708898333151 -> Link to https://dev.to/henri_sekeladi/install-modsecurity-owasp-crs-for-nginx-webserver-on-centos-7-4fgo
• https://twitter.com/prod42net/status/1795272706331406484 -> Link to https://dev.to/henri_sekeladi/install-nginx-with-modsecurity-3-owasp-crs-on-ubuntu-2204-5d6l (I think they use the bad NGINX by Ondrej PPA here -> should we say something? Also see https://owasp.slack.com/archives/CBKGH8A5P/p1706108836492279. Not entirely sure if I got this right)

Inside development

Rules

• FIXME: Please fill in

CRS Sandbox

• A lot of work have been done to restore the Sandbox using the latest container versions
  • now it should be blocking using 403 back again
  • started the effort to bring back Coraza to the sandbox

Security

• New report by @azurit (R9V in the security tracker)

Plugins

• Finally we finished Add tests to plugins #3051
  • Official plugins are tested now.
• Fake Bot Plugin
  • marked as 'tested'
  • version 1.0.0 released
• Google OAuth2 Plugin
  • version 1.0.0 released

Documentation and Public Relations

• FIXME: Please fill in

Project Administration and Sponsor relationships

• FIXME: Please fill in

Tools

• Nearly done with platform overrides
• Moved to Albedo in CRS and plugin tests
• Released v1.0.1 of go-ftw with support for the newest ftw-tests-schema
• Discussion to rename go-ftw

Testing incl. Seaweed and many future plans

• Seaweed is back reporting
  • need to fix multiple steps tests
  • waf must always return 200 OK to receive some attacks

Containers

• New version out with updated CRS v4.3.0

CRS Status Page

• Azure run failed and should be checked.

Project discussions and decisions

• What will happen if we merge lfi-os-files.data and restricted-files.data into one file?
• Add exclusion set for OData standard #2127
• Bug on Regression Test 942210-31 #3297
• Unified format for tests matching log rule IDs #3239 Looks like we never got into the next steps needed here.
• Idea to rename go-ftw to Waft, Westy, Wtf ...

Rules development, key project numbers

PRs that have been merged since the last meeting

• fix: fixing test typo #3714
• fix: enabling disabled test #3719
• chore: remove changelog PR workflow #3718
• feat: use albedo as backend server #3706
• chore: post-release create v4.4.0-dev #3717
• chore: new release v4.3.0 #3716
• fix: fp with name axel by removing it from rce rule (932260 PL1) #3705
• feat: prevent detection of web shells rules as malware by Windows Defender (955260 PL1) #3687
• fix: false positives from PHP config directives and functions (933120 PL1, 933151 PL2) #3638
• fix: removing double t:urlDecodeUni (920221 PL1, 920440 PL1, 932200 PL2, 932205 PL2, 932206 PL2) #3699
• fix: resolving more FPs with Oracle error messages (951120 PL1) #3703
• feat: block The Mysterious Mozlila User Agent bot (913100 PL1) #3646
• feat: refactoring of rule 941310 (PL1 941310) #3700
• fix: collections not being initialized without User-Agent header #3645
• fix: FP for sched (932235 PL1, 932236 PL2, 932237 PL3, 932239 PL2, … #3701
• fix: huge cleanup of regression tests #3707
• test: use retry_once in phase 5 rule test #3709
• docs: point to ftw-tests-schema for test schema reference #3708
• fix: fix FP test to fail when condition not met #3702

We merged 19 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

• fix: fp with user-agent containing ; pg (932239 PL2) #3727
• fix(security): resolve SQL injection protection bypass (942380 PL2) #3720
• fix: replacing t:UrlDecode with t:UrlDecodeUni (921240 PL1, 932170 PL1, 932171 PL1, 932190 PL3, 932190 PL1, 933211 PL3, 941310 PL1, 941350 PL1) #3713
• feat: refactoring (944110 PL1) #3715
• fix: ignore checking compressed response body #3712
• feat: accidental firewall disability prevention #3650

Separate 2nd Meeting (Monday, 2024-06-17)

• mysql injection easy bypass with # #3733
• Rule 942151 "space (word)" false positive #3721 - The string Reserve Space (Room A) triggers a FP on 942151. This rule checks for function_name (. Idea: to match function_name (\d+. BUT: is this common or do we say, you have to tune this in your installation.
• FPs with rule 953120 for gzip data #2751
• Detect $ { PHP injection #2686
• Improve XML External Entity (XXE) detection #2502
• fix: replacing t:UrlDecode with t:UrlDecodeUni (921240 PL1, 932170 PL1, 932171 PL1, 932190 PL3, 932190 PL1, 933211 PL3, 941310 PL1, 941350 PL1) #3713

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.