Blog

libmodsecurity3 CVE-2023-38285 affecting CRS users

Many CRS users have probably read Trustwave's recent announcement about the new version of libmodsecurity3 (aka ModSecurity v3) and the reason for the release: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/ The new version of the WAF library fixes the issue described in CVE-2023-38285, namely a "DoS Vulnerability in Four Transformations". We would like to draw the attention of all CRS users who […]


CRS version 3.3.5 released

The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5. For downloads and installation instructions, please refer to the Installation page. This is a security release which fixes the recently announced CVE-2023-38199, whereby it is possible to cause an impedance mismatch on some platforms running CRS v3.3.4 and


What we learnt from our bug bounty program: It’s not for the faint of heart

OWASP CRS is the dominant open source web application firewall (WAF) rule set: it powers countless servers and commercial WAFs and runs on many CDNs and cloud platforms. Yahoo and Intigriti helped OWASP CRS organize a three-week bug bounty program in Spring 2022. A well-prepared earlier attempt had not given any results, literally zero


Meet the CRS team: Fränzi, the puzzle-loving hard worker with a mission

Franziska Bühler doesn't feel too comfortable in the limelight. The CISO of a Swiss mid-sized IT company would rather work through lists of hundreds of bypasses than stand at the forefront. Talking to her, it quickly becomes clear: Fränzi loves a challenge. “Once I set my mind to something, I follow through,” she says.
