This blog post is a brief review of the ModSecurity Handbook - 2nd edition.
I have been working in the WAF industry for quite a long time. My main interest is WAF evasions, where I worked on the popular "Evading All WAF XSS Filters" research. In 2015, the results of the research showed that ModSecurity (with CRS) is the most difficult to evade, according to my testing.
After I finished my research, I became interested in ModSecurity and the OWASP Core Rule Set.
The problem that I faced while working with ModSecurity is that most resources online are outdated and do not fulfill my requirements at work. My alternative was the first release of the handbook, which was released in 2012. The book is a good learning resource, but ModSecurity has faced major changes over the years. I needed a more updated resource.
In December 2016, Dr. Christian Folini announced the completion of the second release of the ModSecurity Handbook. I was really excited to get my copy, as OWASP CRS 3.0 was released two months before. The book is not only updated with up-to-date resources, it also covers the OWASP CRS 3.0, which is excellent in my opinion.
The first chapters discuss beginner topics regarding WAFs and ModSecurity. Then it dives into configuring ModSecurity on different web servers. After that, it discusses customizing logs to fit the administrator's requirements.
From there, the book starts on my favorite set of chapters: writing your own custom rules. It's discussed extensively; probably the most thoroughly documented rule-writing guidance for ModSecurity.
It's great to be able to write your own WAF rules for ModSecurity. The CRS is quite generic to typical attacks, but writing rules that are specific to an exploit is much needed for any defender. The chapter discusses writing WAF rules extensively. By having typical knowledge of regular expressions and reading this chapter, you would be able to write your own WAF rules.
The book also discusses the performance part of ModSecurity, and how to tweak ModSecurity to perform better with available resources.
To conclude, in my opinion, the ModSecurity Handbook is a must-read book for any defender, and anyone working on the technical side in the WAF industry. ModSecurity in general performs core tasks and requires good knowledge of configuration and administration. Being able to work with ModSecurity would allow you to work with other WAFs in an easier manner.
Amazon Link: https://www.amazon.com/ModSecurity-Handbook-Second-Christian-Folini/dp/1907117075
FeistyDuck Link: https://www.feistyduck.com/books/modsecurity-handbook/