
OWASP CRS retreat

A few weeks ago I was invited as a guest to the OWASP Core Ruleset retreat in the Swiss Alps. In this post I'm going to share my experience and how it will contribute to the development of Coraza WAF and our alliance with CRS.

The CRS Team on site from left to right: Felipe Zipitría (@fzipi), Christian Folini (@dune73), Franziska Bühler (@franbuehler), Ervin Hegedüs (@airween), Max Leske (@theseion), Christoph Hansen (@emphazer), Andrea Menin (@theMiddle), Walter Hop (@lifeforms), Juan Pablo Tosso, Andrew Howe (@redXanadu), Paul Beckett (@53cur3M3)

OWASP Core Ruleset is the world's most important WAF rule set for protecting against web attacks like SQL Injection, Command Execution and many more. It's currently being used by most ModSecurity users, by this blog, and by many companies like Amazon and Microsoft.

The event was held in the Hacking Villa, run by the local ISP Ungleich. It was a great place with no distractions, which kept us focused on the many CRS projects.

It was a great opportunity to collaborate on the CRS projects, learn about their work, how they create and test rules, and how they handle a huge open source project, and to get most of the team to try Coraza and provide interesting feedback.

The first thing I noticed was the great organization (thanks to Christian Folini): the train was there at the exact time and the activity schedule ran like a Swiss watch, and we managed to finish every project and workshop on time.

My most important contribution was the baseline for the CRS sandbox: I helped Andrea, Ervin and Christoph create the Docker images and the code required to handle ModSecurity logs in Lua.

Working with Christoph, Ervin and Andrea

There was a lot of work involved during the week, but there were also many fun activities, like the Anna Goldi Museum, the Tolkien Museum, fondue, a lot of chocolate, and so many fun evenings with the CRS guys.

We enjoyed many extra activities like the Tolkien Museum and fondue.

OK, it sounds cool, but what were the results?

  • We got a PoC of the Coraza-Apache wrapper
  • The CRS team validated Coraza
  • I learnt a lot about CRS testing and how I can replicate it for Coraza
  • I spent a lot of money, Switzerland is SO expensive
  • I contributed some PRs to CRS and the CRS Sandbox
  • We exchanged feedback on how to address new vulnerabilities like HTTP Request Smuggling
  • I met a fantastic team willing to help test Coraza
  • Now I have a real feeling that Coraza is going to replace ModSecurity in the near future

Finally, I want to thank the CRS team for inviting me and treating me as part of their team. I will never forget this experience.
