The team met in Switzerland last week to formulate a plan to “improve set up and procedures”, said Folini, who admitted that the incident was an “embarrassment”.įolini said: “We started to look at it as a chance for growth and development. The fix was easy enough, yet I felt like hiding under a rock.”īACKGROUND WAF bypass: ‘Severe’ OWASP ModSecurity Core Rule Set bug was present for several years
I had introduced these two bugs right after our new team had taken over the dormant project in 2016. He explained: “It was clearly my personal fault. Speaking to The Daily Swig, OWASP CRS co-lead Christian Folini said that the incident was “one of the biggest bangs on the ear” for him. However, to help reduce the likelihood of another high-impact bug slipping through the net, the CRS maintainers have implemented new practices, guidelines, and a bug bounty program to further secure the technology. The issue, which was introduced in code changes 2017, has since been remediated. The critical bug that had been present in the software for at least four years.Īs previously reported by The Daily Swig, the vulnerability bypassed the security protections offered by the in-built CRS web application firewall (WAF), meaning that malicious request body payloads could be smuggled through without being inspected. The ModSec team reported that a complete rule set bypass (CVE-2021-35368) had been discovered in June 2021. Years-old WAF bypass flaw was discovered in JuneĪ severe vulnerability present in the OWASP ModSecurity Core Rule Set (CRS) for several years was a “bang on the ear” for the project's maintainers, who have outlined steps to improve its security.
0 kommentar(er)
