Christian Folini


Introducing crs-trigger.py

This is a blog post about a new script that executes a request in order to trigger an arbitrary Core Rule Set anomaly score. The OWASP ModSecurity Core Rule Set (CRS for short) is a scoring rule set: individual rules work together to assess an incoming request and assign it an anomaly score. An administrator […]


Adding empty HTTP headers via libcurl (pycurl)

When testing for the correct behavior of the OWASP ModSecurity Core Rule Set, a popular Web Application Firewall rule set, I needed to send empty Accept and User-Agent headers. This is relatively simple on the command line with curl: $> curl --header "User-Agent;" https://example.com Pulling this off with libcurl (pycurl in my case) was way […]
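The libcurl header grammar behind that curl one-liner is easy to get wrong from pycurl: an entry of the form "Name:" (no value) suppresses the header, while "Name;" (trailing semicolon) sends it with an empty value, which is what a CRS test for empty Accept and User-Agent headers needs. The following is an added example, not code from the post or from pycurl/libcurl itself. It builds the CURLOPT_HTTPHEADER list for pycurl, sends the request to a throwaway local HTTP server that records what actually arrived, and checks that the two headers are present but empty rather than missing. The server, the helper names and the http.client stand-in (used only when pycurl is not installed) are all assumptions of this example.

```python
"""Send empty Accept and User-Agent headers with pycurl and confirm on the wire
that they arrive present-but-empty.  Added example; not the post's own code."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

try:
    import pycurl  # libcurl binding; optional so the rest runs without it
except ImportError:
    pycurl = None


# libcurl's CURLOPT_HTTPHEADER entry grammar (documented libcurl behaviour):
#   "Name: value"  set or replace the header
#   "Name:"        suppress the header entirely (nothing is sent)
#   "Name;"        send the header with an empty value (the form we need)
def header_entries(empty=(), remove=(), set_=None):
    """Build a CURLOPT_HTTPHEADER list from the desired header semantics."""
    entries = [f"{name};" for name in empty]
    entries += [f"{name}:" for name in remove]
    entries += [f"{name}: {value}" for name, value in (set_ or {}).items()]
    return entries


class _RecordingHandler(BaseHTTPRequestHandler):
    """Hypothetical test server: records request headers, answers 200."""
    seen = []

    def do_GET(self):
        # Keep the raw values so 'present but empty' stays distinct from 'absent'.
        self.seen.append({k.lower(): v for k, v in self.headers.items()})
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the output quiet
        pass


def start_recorder():
    """Start a throwaway HTTP server on 127.0.0.1 and return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), _RecordingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"


def send_with_pycurl(url, entries):
    """The actual technique: pass the entry list via pycurl.HTTPHEADER."""
    c = pycurl.Curl()
    c.setopt(pycurl.URL, url)
    c.setopt(pycurl.HTTPHEADER, entries)
    c.setopt(pycurl.WRITEFUNCTION, lambda data: len(data))  # discard body
    c.perform()
    status = c.getinfo(pycurl.RESPONSE_CODE)
    c.close()
    return status


def send_with_stdlib(url, empty=()):
    """Stand-in used only when pycurl is absent: http.client accepts '' values."""
    import http.client
    from urllib.parse import urlsplit
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port)
    conn.request("GET", parts.path or "/", headers={name: "" for name in empty})
    status = conn.getresponse().status
    conn.close()
    return status


def probe_empty_headers(names=("User-Agent", "Accept")):
    """Send one request with the named headers empty; return what the server saw."""
    server, url = start_recorder()
    _RecordingHandler.seen.clear()
    try:
        if pycurl is not None:
            send_with_pycurl(url, header_entries(empty=names))
        else:
            send_with_stdlib(url, empty=names)
    finally:
        server.shutdown()
        server.server_close()
    return _RecordingHandler.seen[-1]


if __name__ == "__main__":
    seen = probe_empty_headers()
    for name in ("user-agent", "accept"):
        state = "absent" if name not in seen else repr(seen[name])
        print(f"{name}: {state}")
```

Point the same request at a CRS-protected host instead of the recorder to exercise the rules for empty Accept and User-Agent headers; if you accidentally use "User-Agent:" instead of "User-Agent;", libcurl drops the header altogether and you end up testing the missing-header case rather than the empty-header one.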


An A7 First Aid Kit

Let’s assume Dave Wichers and the OWASP Top 10 project resist all the pressure and the 2017 edition of the OWASP Top 10 will include the new A7 “Insufficient Attack Protection”. Lately the discussion has turned more constructive, so maybe that prospect is not all that unrealistic. But honestly, I cannot tell if A7 will […]


The Case for a DDoS Incident Handbook

You can be exploited for long periods of time, yet continue to do business in a state of ignorance, as Swiss Ruag did for years. But with Distributed Denial of Service attacks the case is entirely different. Your service comes to a halt within minutes and panic breaks out. You will notice, your boss will […]