OWASP CRS 4.20.0 released
A new version of the OWASP CRS (Core Rule Set), 4.20.0, has been released. It provides enhanced protection for web applications against a wide range of attacks, including those identified in the OWASP Top Ten.
The OWASP CRS is a set of generic attack detection rules designed for use with ModSecurity or compatible web application firewalls; it aims to detect malicious activity effectively while keeping false alerts to a minimum. This release includes several important updates and improvements intended to strengthen the security posture of web applications.
Notable changes in this version include new features and detections from several contributors: the list of restricted file extensions has been updated in response to a feature request, configuration files for PrestaShop 1.6/1.7/8+ and Magento 2 have been added, and the "Expect" header has been added to the list of restricted headers, which is expected to improve detection in a number of scenarios.
Other significant changes are bug fixes from multiple developers: missing capture keywords were added, false-positive matches on JSON payloads were reduced, and the behaviour for specific attacks was corrected. A known issue involving high-risk false positives was also addressed by reverting an earlier change.
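As an added illustration (not code from the CRS project), here is the kind of check that a restricted-header or restricted-extension rule performs: header names are compared case-insensitively, and the file extension is taken from the URL-decoded, normalized request path so that percent-encoding or `..` segments do not hide it. The two lists below are constructed placeholders for this example, not the CRS's actual lists, and `check_request` is a hypothetical helper.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed illustrative lists for this example; they are NOT the CRS's actual lists.
RESTRICTED_HEADERS = {"proxy", "expect"}
RESTRICTED_EXTENSIONS = {".bak", ".config", ".ini", ".log", ".sql"}


def request_ext(request_target):
    """Lowercase extension of the request path after one round of decoding and
    path normalization ("" when the path has no extension)."""
    raw_path = urlsplit(request_target).path      # drop the query string
    decoded = unquote(raw_path)                    # undo %xx encoding (single pass)
    normalized = posixpath.normpath(decoded)       # collapse "./" and "../" segments
    _, ext = posixpath.splitext(normalized)
    return ext.lower()


def check_request(request_target, headers):
    """Return a list of policy findings for one request.

    headers: mapping of header name -> value as received; names are matched
    case-insensitively because HTTP header names are case-insensitive.
    """
    findings = []
    for name in headers:
        if name.strip().lower() in RESTRICTED_HEADERS:
            findings.append(f"restricted header: {name}")
    ext = request_ext(request_target)
    if ext in RESTRICTED_EXTENSIONS:
        findings.append(f"restricted extension: {ext}")
    return findings


if __name__ == "__main__":
    # Constructed sample requests.
    print(check_request("/index.php", {"Host": "example.com"}))
    print(check_request("/a/%2e%2e/db.BAK?x=1",
                        {"Host": "example.com", "EXPECT": "100-continue"}))
```

Note that only a single decoding pass is applied here; a real WAF rule chain applies several transformations in sequence (the CRS uses ModSecurity transformation functions for this), so double-encoded input would need an additional pass before the extension check.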
Coreruleset/coreruleset Release v4.20.0
What's Changed
New features and detections
feat: update restricted file extensions by @EsadCetiner in #4287
feat(930120): adding conf file for PrestaShop 1.6 / 1.7 / 8+ & Magento 2 by @touchwe...