CRS is a set of generic blacklisting rules for the popular ModSecurity OSS WAF aiming to protect WebApps from attacks like the ones described by the OWASP Top 10.

The Core Rule Set (short: CRS) is a defense tool protecting web applications from being exploited by attackers. The rule set consists of over 150 elaborate patterns that are distributed under the Apache Software License (ASLv2). CRS is based on the open source ModSecurity Web Application Firewall and is considered the "1st Line of Defense" against web based attacks (as those described by the OWASP Top Ten). CRS is incorporated into various commercial products and installed on hundreds of thousands of webservers worldwide. CRS is a venerable OWASP project with a history spanning ten years. In late 2016, it saw a major release (CRS3) bringing big progress in terms of usability and new features like the Paranoia Mode aimed at high-security setups. CRS is being developed by a world-wide community with two of the core contributors, Franziska Bühler and Christian Folini, being based in Switzerland.

{ hacknight challenges }

See the OWASP ModSecurity Core Rule Set page to get introduced to the CRS and view resources on installation, configuration, and working with the CRS. Find out how these rules are implemented on any of the webservers you use.

We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. Sign up for the mailing list to ask general usage questions and participate in discussions on the CRS. Join the #modsecurity channel on Freenode IRC to chat about the CRS.

We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections. Create an issue on GitHub to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log.

• Add notes on alert triggers / triggering payloads to comments of all the rules #918
• SQLi id:942100, false positive on combination of two chars #794
• Add base64 decoding for some rules #369

The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.