Coreruleset patch to block (some?) CVE-2025-55182 exploit attempts:
A story about looking at the effectiveness of web application firewalls and finding bypasses for the filter ruleset. https://www.pentagrid.ch/en/blog/airlock-web-application-firewall-ruleset-testing-and-waf-bypasses/ #WAF #OWASP #coreruleset #ergon #airlock
@lemeteore I highly recommend #modsecurity web application firewall, and the #coreruleset for it. You’ve got a number of other great suggestions as well!
Exciting news in the web application security world: the #ModSecurity #WAF project is officially changing hands and moving under the #OWASP umbrella. It will become a community-driven free and open-source project once again! And, best of all, it will now live alongside the OWASP #CRS (formerly #CoreRuleSet), the de-facto set of open-source WAF rules. Having it all in one place will be very beneficial to both projects! https://owasp.org/blog/2024/01/09/ModSecurity.html
I recently got to do an interview as part of the #OWASP #CoreRuleSet project 😀 The idea is 'meet the people behind the code'. We're a cool open source project run by a fun bunch of real people, honest! 😅 Check out the other developer portraits, too! 🕺 https://coreruleset.org/20231109/meet-the-crs-team-andrew-the-technical-writer-who-loves-eurovision-and-doom-ii/ #FOSS #WAF #CRS #opensource #security
In case you are into #ModSecurity / #OWASP #CoreRuleSet, add this to your weekend watchlist:
My 3rd ModSec / CRS webcast:
https://www.youtube.com/watch?v=x0u49q8HAQQ
Topics:
* News: CRS developer retreat in Varese, Italy. An overview of all the things running in parallel on planet CRS.
* Tech: Introduction to CRS plugins
* Operation: Live analysis of production logs
* C-Rex: Tight integration with False Positive Analysis script
* Upcoming course date: Public onsite course March 2023
I'm looking forward to teaching #ModSecurity and #OWASP #CoreRuleSet for two days. Trying out a simple digital teaching assistant that supports the students when editing stuff. I hope it makes it easier for them and for me.
Last call for my #ModSecurit / #CoreRuleSet webcast with news from the #CRS3 project.
We'll look into CRS plugins and live analysis of #WAF logs. Brief and to the point. Starting in 45min, 2pm CET.
https://www.meetup.com/meetup-group-ungjkskv/events/289074360/
Talking to one of the #CoreRuleSet sponsors today. As Open Source #WAF developer, we lack the (diverse) traffic to observe our rules in the wild. The big integrators see the traffic and talking to them is super interesting for our project.
@JoshCGrossman That's some cool stuff.
I might add that #OWASP #ModSecurity #CoreRuleSet is absolutely one to watch as well. No web application security setup is complete without a decent WAF in front to take out the easy stuff.
Tuesday, 15th November, 14:00 CET: The next #ModSecurity / #OWASP #CoreRuleSet webcast is on.
* News: Reporting from the CRS developer retreat in early November
* Tech: CRS4 plugin functionality
* Operation: Live analysis of production logs
* Tuning: Practical false positive analysis and interaction with crex.netnea.com
Please enlist at https://www.meetup.com/meetup-group-ungjkskv/events/289074360/
OWASP has published the videos of the virtual AppSec EU conference earlier this year. That means my talk about new stuff that will be included in the #OWASP #ModSecurity #CoreRuleSet v4 is now online.
News includes the #CRS4 plugin mechanism, regex overhaul, more granular control over monitoring rules, webshell detection rules, fewer false positives and hundreds of commits on rules across the board!