OWASP CRS
Project
The 1st Line of Defense
The OWASP® CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories.
Get latest: 4.9.0 Get previous major: 3.3.7Getting Started
New Features in CRS 4
CRS 4 includes many coverage improvements, plus the following new features:
- Plug-in architecture allowing official and 3rd party plugins to integrate into CRS
- Early-Blocking option
- Over 500 individual rule bypasses closed following a big Bug Bounty project
- 🆕 Web shell detection
- Full RE2/Hyperscan compatibility for better performance
- Support for HTTP/3
- More granular reporting options
Supported Attack Categories
- SQL Injection (SQLi)
- Cross Site Scripting (XSS)
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
- PHP Code Injection
- Java Code Injection
- HTTPoxy
- Shellshock
- Unix/Windows Shell Injection
- Session Fixation
- Scanner/Bot Detection
- Metadata/Error Leakages
Community
👋 Be part of a vibrant and welcoming community.
🗺️ Join us on Slack for discussions, see GitHub for our projects, or follow us on Twitter.
💯 Our dev-on-duty program financed by sponsors guarantees 1st level support via multiple channels.
💫 Annual develop retreats bring the developers together for a full week where we hack away at the rule set.
🤙 We are always looking for new contributors and developers.
CommunityLatest Blog Posts
- Securing the Maintenance of a CRS 4 LTS release
- The core team of the CRS project meets among squirrels and deer
- CRS versions 4.8.0 and 3.3.7 released