Security researchers can now test payloads against the OWASP ModSecurity Core Rule Set (CRS) in a new sandbox released by the project maintainers. The CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The sandbox API was created following "regular" conversations with security researchers about how they could make use of the CRS, and the code behind it was inspired by a meeting with PortSwigger's James Kettle and Gareth Heyes at AppSec Amsterdam in 2019.
The sandbox is free to use and is hosted on AWS. Requests are logged, although client IP addresses are anonymized; since the maintainers also plan to share information on submitted payloads, researchers should treat anything they send to the sandbox as potentially visible to others. Other planned features include a "hall of fame" for users.