
Andrew Howe
was Technical Author/Architect
From a diverse background including point of sale IT support and homelessness support, Andrew joined Loadbalancer.org to further his passion for Linux and free and open-source software. Outside of work, Andrew can be found at the annual FOSDEM free and open-source software event in Brussels, and is also a fan of left field cinema, classic synth-pop/disco music, and tabletop role-playing.
Latest posts

WAF
The ModSecurity web application firewall (WAF) engine is set to go end-of-life (EOL) on 1 July 2024...

How-tos
Three scenarios for implementing time-based security and content switching on your load balancer
It can sometimes be useful to make load balancing decisions based on the time and date. This allows you to conditionally refuse or redirect connections based on the time they're received...
Andrew Howe • 10 mins

WAF
Report back from the OWASP Core Rule Set Community Summit and OWASP Global AppSec 2023: The WAF conundrum
I had the privilege of speaking in Dublin at this year's OWASP Core Rule Set Community Summit before then attending OWASP Global AppSec immediately afterwards...
Andrew Howe • 4 mins

WAF
Handling large requests with a Web Application Firewall (WAF) while avoiding Denial of Service (DoS) attacks
Sometimes, we need to pass unusually large HTTP requests through our WAF stack...
Andrew Howe • 7 mins

Media
Achieving unrivaled performance with media and video streaming on demand
For the uninitiated, layer 4 DR mode is a high performance load balancing method available on our appliances. It works by having all response traffic flow from the servers straight back to the clients...
Andrew Howe • 4 mins

Open source
ModSecurity DoS vulnerability (CVE-2021-42717)
All WAF vendors and services using ModSecurity are affected by this vulnerability (unless they have the vulnerable piece of code disabled, by chance)...
Andrew Howe • 3 mins

How-tos
Simplifying web application security with the Core Rule Set v3
A WAF isn't a magic bullet, but, as part of a defense in depth strategy, a properly configured WAF should catch and stop common, everyday attacks...
Andrew Howe • 7 mins

Events
The importance of outreach: Introducing students to load balancing
A recent visit to Southampton Solent University...
Andrew Howe • 2 mins

WAF
Extending ModSecurity: How to add completely custom WAF functionality
In this example, I’m going to add a new transformation function to ModSecurity to calculate the Scrabble score of a variable. This will allow us to block HTTP requests containing query string parameters with a Scrabble score above a chosen threshold...
Andrew Howe • 12 mins

Open source
Announcing CVE-2021-35368: OWASP ModSecurity Core Rule Set Bypass
In early June 2021, I identified a request body bypass vulnerability in the OWASP ModSecurity Core Rule Set (CRS). Loadbalancer.org appliances themselves are unaffected...
Andrew Howe • 3 mins

Open source
ModSecurity and the Case of the Never Decreasing Variables
In the world of web application security, it can be invaluable to consider a user's behaviour across the entire duration of their web app session...
Andrew Howe • 10 mins

Performance
Layer 4 vs Layer 7 load balancing - we still love DSR, but…
Direct server return, direct routing - no matter what you call it, using DSR maximises the throughput of return traffic and allows for near endless scalability. Here's why we still love it...
Andrew Howe • 3 mins

How-tos
Security through geography: blocking traffic by country, continent, or IP address using ModSecurity
Imagine you’re running a business and you often see malicious-looking web traffic from the other side of the globe hitting your website...
Andrew Howe • 6 mins

Security
SACK Panic: What is it, and is it actually time to panic?
Four closely related vulnerabilities regarding TCP handling in the Linux and FreeBSD kernels were publicly disclosed on 17 June 2019...
Andrew Howe • 2 mins

Direct Server Return
15 years later, we still love DSR
For the uninitiated, Direct Server Return is a clever trick which entails directly routing packets to the chosen real server...
Andrew Howe • 2 mins