OWASP CRS Project

The 1st Line of Defense

The OWASP® CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories.

Latest release: 4.1.0. Previous major release: 3.3.5.

New Features in CRS 4

CRS 4 includes many coverage improvements, plus the following new features:

  • Plug-in architecture allowing official and 3rd party plugins to integrate into CRS
  • Early-Blocking option
  • Over 500 individual rule bypasses closed following a big Bug Bounty project
  • Web shell detection
  • Full RE2/Hyperscan compatibility for better performance
  • Support for HTTP/3
  • More granular reporting options

Supported Attack Categories

  • SQL Injection (SQLi)
  • Cross Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • PHP Code Injection
  • Java Code Injection
  • HTTPoxy
  • Shellshock
  • Unix/Windows Shell Injection
  • Session Fixation
  • Scanner/Bot Detection
  • Metadata/Error Leakages

Community

👋 Be part of a vibrant and welcoming community.

🗺️ Join us on Slack for discussions, see GitHub for our projects, or follow us on Twitter.

💯 Our sponsor-financed dev-on-duty program guarantees first-level support via multiple channels.

💫 Annual developer retreats bring the developers together for a full week in which we hack away at the rule set.

🤙 We are always looking for new contributors and developers.

Call for Sponsors

We are looking for more Gold and Silver sponsors, not least because we have big plans and need support to make them happen. If you think that would be a win-win opportunity for your company or organization, please get in touch with our sponsoring contact, CRS co-lead Christian Folini, via firstname dot lastname at owasp dot org.
