Compliance with Modsecurity + OWASP
 


Started by marcelm, November 17, 2016, 08:41:28 AM

marcelm

Now that OWASP has been out since October (the last big version was from 2013), and OWASP 3.0 is designed to give fewer false positives, I updated my website to that release. In the previous version I had to switch off a lot of the filters that keep hackers and other bad people from trying to do bad stuff with my site.

I have run a quick test, and the only thing that cropped up in that period was that the cookie set by Coppermine could contain a "=", and that triggered a detection. Maybe there are more non-alphanumeric characters that could trigger detections, but I have not yet tested it that much because it was already late in the evening.

Information on what it filters:

1. More than 16,000 specific rules, broken out into the following attack categories:
* SQL injection
* Cross-site Scripting (XSS)
* Local File Include
* Remote File Include

2. User option for application-specific rules, covering the same vulnerability classes for applications such as:
* WordPress
* cPanel
* osCommerce
* Joomla

I saw that it also covers Coppermine Gallery with 30 settings; however, I think most if not all of these are already fixed by the programmers in contact with users of Coppermine.

I am also using Owncloud, which triggers a lot more detections, so Coppermine is very clean in the eyes of OWASP.

Some links:
https://modsecurity.org/crs/
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
https://github.com/SpiderLabs/owasp-modsecurity-crs
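The post describes a false positive (the Coppermine cookie containing "=") and, in the older release, switching whole filters off. The following added example, which is not from the post or the Coppermine project, shows the narrower fix a site admin would want: it parses ModSecurity 2.x error-log lines, counts which (rule id, variable) pairs keep recurring, and emits per-variable `SecRuleUpdateTargetById` exclusions so the rule stays active for every other input. The log lines, rule ids (900001/900002), file names and cookie name are constructed for the example, not real CRS ids.

```python
import re
from collections import Counter

# Constructed sample ModSecurity 2.x error-log lines (shortened). Rule ids
# 900001/900002, file names, cookie name and client addresses are made up
# for this example; they are not real CRS ids.
SAMPLE_LOG = "\n".join([
    '[client 192.0.2.10] ModSecurity: Warning. Pattern match "=" at '
    'REQUEST_COOKIES:cpg_example. [file "/etc/modsecurity/EXAMPLE.conf"] '
    '[line "10"] [id "900001"] [msg "Restricted SQL Character Anomaly"] '
    '[severity "WARNING"] [uri "/index.php"]',
    '[client 192.0.2.11] ModSecurity: Warning. Pattern match "=" at '
    'REQUEST_COOKIES:cpg_example. [file "/etc/modsecurity/EXAMPLE.conf"] '
    '[line "10"] [id "900001"] [msg "Restricted SQL Character Anomaly"] '
    '[severity "WARNING"] [uri "/thumbnails.php"]',
    '[client 192.0.2.12] ModSecurity: Warning. Pattern match "union" at '
    'ARGS:search. [file "/etc/modsecurity/EXAMPLE.conf"] [line "20"] '
    '[id "900002"] [msg "SQL Injection Attack"] [severity "CRITICAL"] '
    '[uri "/search.php"]',
])

# "at VARIABLE:name." precedes the bracketed fields; [key "value"] pairs follow.
TARGET_RE = re.compile(r'\bat ([A-Z_]+(?::[^\s.]+)?)\. \[file')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_alerts(log_text):
    """Return one dict per rule-match line: rule id, matched target, msg, uri."""
    alerts = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        target = TARGET_RE.search(line)
        fields = dict(FIELD_RE.findall(line))
        if not target or "id" not in fields:
            continue  # not a rule match (e.g. a generic engine message)
        alerts.append({"id": fields["id"], "target": target.group(1),
                       "msg": fields.get("msg", ""), "uri": fields.get("uri", "")})
    return alerts


def exclusion_directives(alerts, min_hits=2):
    """Suggest per-variable exclusions for (rule, target) pairs that recur;
    unlike SecRuleRemoveById this keeps the rule active for other inputs."""
    hits = Counter((a["id"], a["target"]) for a in alerts)
    return [f'SecRuleUpdateTargetById {rid} "!{target}"'
            for (rid, target), n in sorted(hits.items()) if n >= min_hits]
```

Review each suggested directive against the alert's `msg` and `uri` before adding it to the ModSecurity configuration; a single-hit entry such as the `ARGS:search` line above is below the threshold and is not excluded.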