OWASP CRS
Project
The 1st Line of Defense
The OWASP® CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories.
Get latest: 4.8.0 Get previous major: 3.3.7
Getting Started
New Features in CRS 4
CRS 4 includes many coverage improvements, plus the following new features:
- Plug-in architecture allowing official and 3rd party plugins to integrate into CRS
- Early-Blocking option
- Over 500 individual rule bypasses closed following a big Bug Bounty project
- 🆕 Web shell detection
- Full RE2/Hyperscan compatibility for better performance
- Support for HTTP/3
- More granular reporting options
Supported Attack Categories
- SQL Injection (SQLi)
- Cross Site Scripting (XSS)
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
- PHP Code Injection
- Java Code Injection
- HTTPoxy
- Shellshock
- Unix/Windows Shell Injection
- Session Fixation
- Scanner/Bot Detection
- Metadata/Error Leakages
Community
👋 Be part of a vibrant and welcoming community.
🗺️ Join us on Slack for discussions, see GitHub for our projects, or follow us on Twitter.
💯 Our dev-on-duty program financed by sponsors guarantees 1st level support via multiple channels.
💫 Annual develop retreats bring the developers together for a full week where we hack away at the rule set.
🤙 We are always looking for new contributors and developers.
CommunityLatest Blog Posts
- Securing the Maintenance of a CRS 4 LTS release
- The core team of the CRS project meets among squirrels and deer
- CRS versions 4.8.0 and 3.3.7 released
Call for Sponsors
We are looking for more Gold and Silver sponsors, not the least because we have big plans and we need support to make it happen. If you think that would be a win-win opportunity for your company or organization, then please get in touch with our sponsoring contact CRS co-lead Christian Folini via firstname dot lastname at owasp dot org.Gold Sponsors
Silver Sponsors
