Blogs

Meet the CRS team: Andrew, the technical writer who loves Eurovision and Doom II

When invited to join the Core Rule Set project, Andrew Howe felt a bit intimidated by the highly talented team at first. Today he is a valued member of the CRS core team, bringing his experience as a technical writer and a CRS integrator. “Having people onboard with experience of running CRS at large scale would be very useful,” he says. You can read what else he said in this interview.

Universe domination plans in Budapest - The CRS Developer Retreat 2023, day 1 

It’s hard to believe that it’s already been another year since the last OWASP ModSecurity Core Rule Set Developer Retreat in Varese near Milan in northern Italy. This year, the core team is meeting in the Hungarian capital Budapest from November 5th to 12th. The team members travelled from all directions – some got up inhumanly early, others flew across the Atlantic and still others had been travelling by train for two days … but not even the Deutsche Bahn could prevent all registered participants from arriving at the Hotel Nádas Pihenőpark by late afternoon on Sunday.

CRS version 4.0.0 release candidate 2 available

The OWASP ModSecurity Core Rule Set (CRS) team is proud to announce the availability of release candidate 2 (RC2) of the upcoming CRS v4.0.0 release. The release candidate is available for download as a ‘release’ from our GitHub repository: https://github.com/coreruleset/coreruleset/releases/tag/v4.0.0-rc2

This new release candidate includes over 230 changes. Some of the important changes include:

- Add new rule 920620 to explicitly detect multiple Content-Type abuse (CVE-2023-38199) (Andrea Menin)
- Extend definition of restricted headers to include Content-Encoding and Accept-Charset by default (Walter Hop)
- Migrate application exclusions and less-used functionality to plugins (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe)
- Add support for HTTP/3 (Jozef Sudolský)
- Add enable_default_collections flag to not initialize collections by default (Matteo Pace)
- Switch to using wordnet instead of spell for finding English words in spell.

CRS Performance Framework - A GSoC 2023 Project

This year, the OWASP ModSecurity Core Rule Set for the second time took part in the Google Summer of Code initiative. Google Summer of Code (GSoC) is a global online program focused on bringing new contributors into open-source software development. GSoC contributors work with an open-source organization of their choice on a 12+ week programming project under the guidance of the mentors from the organization. Dexter Chang had applied to the CRS project with a proposal for a performance framework.

libmodsecurity3 CVE-2023-38285 affecting CRS users

Many CRS users have probably read Trustwave’s recent announcement about the new version of libmodsecurity3 (aka ModSecurity v3) and the reason for the release: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/ The new version of the WAF library fixes the issue described in the CVE, namely a “DoS Vulnerability in Four Transformations”. We urge all CRS users who also run libmodsecurity3 to update the library as soon as possible: CRS uses one of the affected transformations (removeNull) in several rules, so a vulnerable library is reachable through the rule set itself.

CRS version 3.3.5 released

The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5. For downloads and installation instructions, please refer to the Installation page. This is a security release which fixes the recently announced CVE-2023-38199, whereby it is possible to cause an impedance mismatch on some platforms running CRS v3.3.4 and earlier by submitting a request with multiple Content-Type headers. Aside from the security fix, a few other minor, non-breaking changes and improvements are also included in this release.

CVE-2023-38199 – Multiple Content-Type Headers

The OWASP ModSecurity Core Rule Set (CRS) v3.3.4 does not detect the presence of multiple HTTP “Content-Type” header fields in a request. As a result, on some platforms, a CRS installation can be made to parse an HTTP request body under a different Content-Type, and therefore differently, from the one the backend web application uses: an impedance mismatch between the WAF and the application it protects. See the advisory at https://nvd.nist.gov/vuln/detail/CVE-2023-38199. Update: CRS version 3.3.5 has now been released to address this vulnerability.
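The following is an added example, not code from the CRS project or from rule 920620. It illustrates the mismatch behind CVE-2023-38199 that the 3.3.5 and RC2 announcements above refer to: a request carrying two Content-Type headers is decoded one way by a party that honours the first header and another way by a party that honours the last, and the only safe WAF behaviour is to count the header and reject duplicates. The sample request, the "first"/"last" policies and the function names are assumptions made for illustration; which header a given WAF platform or backend actually picks is exactly what cannot be relied on.

```python
# Added example (not CRS code). Demonstrates why duplicate Content-Type headers
# are an impedance-mismatch problem and what the WAF-side check looks like.
import json
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

Header = Tuple[str, str]

# Constructed sample request: two Content-Type headers and a JSON body. Decoded as a
# form, the body yields no parameters (it contains no '='); decoded as JSON, it
# yields the real fields. A WAF inspecting the form view has nothing to look at.
SAMPLE_REQUEST = (
    b"POST /api/run HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b'{"user":"admin","cmd":"id"}'
)


def parse_request(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split a raw HTTP/1.1 request into request line, ordered header list and body.
    Headers are kept as a list so duplicates survive; storing them in a dict would
    silently collapse them, which is precisely the mistake that hides this bug."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def content_types(headers: List[Header]) -> List[str]:
    return [value for name, value in headers if name == "content-type"]


def has_duplicate_content_type(headers: List[Header]) -> bool:
    """The check a WAF needs: more than one Content-Type is a reject, because there
    is no safe way to guess which one the backend will honour."""
    return len(content_types(headers)) > 1


def decode_body(content_type: str, body: bytes) -> Dict[str, object]:
    """Decode the body according to one chosen Content-Type value."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        return {"kind": "json", "params": json.loads(body)}
    if media_type == "application/x-www-form-urlencoded":
        return {"kind": "form", "params": parse_qs(body.decode("latin-1"))}
    return {"kind": "raw", "params": {}}


def body_as_seen_by(headers: List[Header], body: bytes, policy: str) -> Dict[str, object]:
    """Assumed header-selection policies: 'first' honours the first Content-Type,
    anything else honours the last. Real parsers differ, which is the problem."""
    cts = content_types(headers)
    if not cts:
        return {"kind": "raw", "params": {}}
    chosen = cts[0] if policy == "first" else cts[-1]
    return decode_body(chosen, body)


def analyse(raw: bytes) -> Dict[str, object]:
    """Return the detection verdict plus the two divergent views of the body."""
    _, headers, body = parse_request(raw)
    return {
        "duplicate_content_type": has_duplicate_content_type(headers),
        "waf_view": body_as_seen_by(headers, body, "first"),
        "backend_view": body_as_seen_by(headers, body, "last"),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_REQUEST)
    print("duplicate Content-Type:", result["duplicate_content_type"])
    print("WAF (honours first header) sees:", result["waf_view"])
    print("backend (honours last header) sees:", result["backend_view"])
```

The point of the example is the verdict, not the two views: once a WAF has decided to decode the body under one header while the backend may decode it under the other, every later rule runs on the wrong data, so the duplicate must be rejected before any body parsing happens.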

Follow the CRS project on YouTube

The OWASP CRS project has opened a YouTube channel. Here we plan to gather all videos that are relevant to the project. In the meantime, feel free to contact us if you think you have fitting content. And don’t forget to give a thumbs up to the videos and subscribe to the channel if you don’t want to miss any new content.

What we learnt from our bug bounty program: It's not for the faint of heart

A bug hunter’s collection with some nice specimens (Photo: FreeImages.com/pi242)

OWASP CRS is the dominant open source web application firewall (WAF) rule set that powers countless servers and commercial WAFs and runs on many CDNs and cloud platforms. Yahoo and Intigriti helped OWASP CRS organize a three-week bug bounty program in spring 2022. A well-prepared earlier attempt had not produced any results, literally zero reports, so CRS walked into this second round in a somewhat naive way.

A brief report on the CRS Community Summit 2023

Question: What do programmers, security specialists and other IT nerds do on Valentine’s Day? Answer: they get together for the CRS Community Summit in Ireland. As in previous years, we used the OWASP Global AppSec Conference, which this year was held in Ireland’s capital, as an opportunity to call for our Community Summit on February 14, 2023. The plan was that two of the three co-leads would be present on site.