Hacknight Challenges

OWASP ModSecurity Core Rule Set (CRS)

CRS is a set of generic blacklisting rules for the popular ModSecurity OSS WAF aiming to protect WebApps from attacks like the ones described by the OWASP Top 10.

The Core Rule Set (short: CRS) is a defense tool protecting web applications from being exploited by attackers. The rule set consists of over 150 elaborate patterns that are distributed under the Apache Software License (ASLv2). CRS is based on the open source ModSecurity Web Application Firewall and is considered the "1st Line of Defense" against web based attacks (as those described by the OWASP Top Ten). CRS is incorporated into various commercial products and installed on hundreds of thousands of webservers worldwide. CRS is a venerable OWASP project with a history spanning ten years. In late 2016, it saw a major release (CRS3) bringing big progress in terms of usability and new features like the Paranoia Mode aimed at high-security setups. CRS is being developed by a world-wide community with two of the core contributors, Franziska B├╝hler and Christian Folini, being based in Switzerland.

{ hacknight challenges }

See the OWASP ModSecurity Core Rule Set page to get introduced to the CRS and view resources on installation, configuration, and working with the CRS. Find out how these rules are implemented on any of the webservers you use.

We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. Sign up for the mailing list to ask general usage questions and participate in discussions on the CRS. Join the #modsecurity channel on Freenode IRC to chat about the CRS.

Join the chat at

We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections. Create an issue on GitHub to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log.

The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.

Hacknight Challenges

Projects in need of patching, ideas of things to start - put your thinking caps on and take part in an open source challenge presented at the DINAcon 2017 Hacknight! Contact us, or just add one of your own after logging in here.

We recommend that every Challenge proposes tasks on several levels:

Level 1 challenge NEWBIE challenges about becoming a user of a product/project and learning the ropes.

Level 2 challenge INTERMEDIATE tasks for people with experience in the project and/or the technical domains involved.

Level 3 challenge EXPERT challenges will include things like security testing, performance optimisation and other advanced topics.

Updated 07:18 20.10.2017 / Maintained by franbuehler

  • 07:18 20.10.2017 / oleg / update
  • 08:54 18.10.2017 / oleg / update
  • 08:46 18.10.2017 / oleg / update
  • 08:46 18.10.2017 / oleg / update
  • 08:45 18.10.2017 / oleg / update