
marcelm

Compliance with Modsecurity + OWASP
« on: November 17, 2016, 08:41:28 am »

Now OWASP has been out since October, and the last big version was from 2013. OWASP 3.0 is designed to give fewer false positives, so I updated my website to that release. In the previous version I had to switch off a lot of the filters that keep hackers and other bad people from trying to do bad stuff with my site.

I have run a quick test, and the only thing that cropped up in that period was that the cookie set by Coppermine could contain a "=" and that triggered a detection. Maybe there are more non-alphabetical/numeric characters that could trigger detections, but I have not yet tested it that much because it was already late in the evening.

Information on what it filters:

1. More than 16,000 specific rules, broken out into the following attack categories:
 * SQL injection
 * Cross-site Scripting (XSS)
 * Local File Include
 * Remote File Include

2. User option for application-specific rules, covering the same vulnerability classes for applications such as:
 * WordPress
 * cPanel
 * osCommerce
 * Joomla

I saw that it also covers Coppermine Gallery with 30 settings; however, I think the main part, if not all, are already fixed by the programmers in contact with users of Coppermine.

I am also using Owncloud, which is triggering a lot more detections, so Coppermine is very clean in the eyes of OWASP.

Some links:
https://modsecurity.org/crs/
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
https://github.com/SpiderLabs/owasp-modsecurity-crs
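One way to handle the cookie false positive described above without switching off a whole filter category, as an added example that is not from the post or from the CRS project. The rule ID, the cookie name and the gallery path are placeholders, since the post does not name them; the rule ID comes from the ModSecurity audit log entry for the blocked request.

```apache
# Added example, not from the post or the CRS project.
# Placeholders: <RULE_ID> = the CRS rule that fired on the "=" in the cookie,
# <COOKIE_NAME> = the Coppermine cookie, /gallery/ = the Coppermine install path.

# Variant 1: request-scoped exclusion. Must be loaded BEFORE the CRS rules
# (the CRS 3.x REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file is meant for this),
# because a ctl: action only affects rules evaluated after it in the same request.
# The rule stays active for every other variable (ARGS, headers, other cookies);
# only that one cookie is taken out of its inspection, and only under /gallery/.
SecRule REQUEST_URI "@beginsWith /gallery/" \
    "id:10001,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=<RULE_ID>;REQUEST_COOKIES:<COOKIE_NAME>"

# Variant 2: global exclusion for the same cookie, site-wide. Must be loaded
# AFTER the CRS rules (e.g. RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf),
# since SecRuleUpdateTargetById modifies a rule that already exists.
# Prefer variant 1 when the gallery is only one application on the host.
SecRuleUpdateTargetById <RULE_ID> "!REQUEST_COOKIES:<COOKIE_NAME>"
```

After adding either variant, replay the request that produced the audit log entry and confirm that the rule no longer fires for the cookie while still firing for a test value placed in a query argument.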