
The Open Web Application Security Project (OWASP) has released version 4.21.0 of its Core Rule Set (CRS), a widely used WAF rule set for ModSecurity and compatible engines, with a focus on security enhancements and operational fixes. The update adds IPv6 support to the rules' URL scanning, together with XML scan and SSH scheme detection, making it more effective internationally. The CRS also gets some internal housekeeping: new unit tests to prevent overzealous triggering, fixed logic errors, and patched evasion tactics. For .NET site users, the updated documentation now includes guidance on disabling the Expect header, a crucial but easily overlooked step.



OWASP CRS 4.21.0 released

The Open Web Application Security Project has announced a new release of the Core Rule Set (OWASP CRS), version 4.21.0, for ModSecurity and compatible web application firewalls. This update brings security enhancements and operational fixes to the widely used WAF rule set.

A major change is IPv6 support in the rules' URL scanning, alongside XML scan and SSH scheme detection, expanding its reach internationally. The project has also tightened things up by adding more restricted file extensions, another move to close off potential attack avenues.

For those keeping track of the rules' day-to-day performance, several new unit tests have been added. These should help prevent overzealous triggering and ensure that real threats are caught accurately. There was internal work too: fixing doubled comments within rule logic, correcting function name mismatches, and patching bypass attempts that relied on content-type evasion tactics.

Crucially for users with .NET sites, the documentation once again includes guidance on disabling the Expect header, something important but easily overlooked. Some rules have also been relocated into paranoia level 2 (PL2), which likely keeps things cleaner within the CRS itself and avoids interference with detection lists in other areas.
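To make the paranoia-level and IPv6 points concrete, here is an added illustration that is not CRS code and not from the release: a toy rule evaluator with constructed rules modelled on 920440 (restricted extensions) and 931100 (URL parameter pointing at an IP address, now accepting IPv6 literals and the ssh scheme), plus a hypothetical stricter rule with placeholder id 999002 that only engages at PL2, showing which rules fire for a given paranoia level.

```python
import re
from dataclasses import dataclass

# Constructed, simplified rules modelled on the behaviours the release notes name.
# Rule ids 920440 and 931100 are borrowed as labels only; 999002 is a placeholder.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV6 = r"\[[0-9a-f:.]+\]"          # bracketed literal, as in http://[2001:db8::1]/

@dataclass(frozen=True)
class Rule:
    rule_id: int
    pl: int                        # paranoia level at which the rule becomes active
    target: str                    # "path" (request URI) or "args" (query values)
    pattern: re.Pattern
    msg: str

RULES = [
    # 920440-style (PL1): request path ends in a policy-restricted extension.
    Rule(920440, 1, "path", re.compile(r"\.(?:bak|config|ini|log|old)$", re.I),
         "URL file extension is restricted by policy"),
    # 931100-style (PL1): argument is a URL whose host is a literal IP address.
    # The 4.21 change is modelled by also accepting IPv6 literals and the ssh scheme.
    Rule(931100, 1, "args",
         re.compile(rf"^(?:https?|ftps?|ssh)://(?:{IPV4}|{IPV6})", re.I),
         "Possible RFI: URL parameter using IP address"),
    # Hypothetical stricter rule (placeholder id) that only engages at PL2, to show
    # what relocating a rule into paranoia level 2 means for a PL1 deployment.
    Rule(999002, 2, "args", re.compile(r"^(?:https?|ftps?|ssh)://[^/?#]+", re.I),
         "Possible RFI: URL parameter using any host"),
]

def evaluate(path: str, args: dict, paranoia_level: int) -> list:
    """Return the ids of rules that match at or below the configured paranoia level."""
    hits = []
    for rule in RULES:
        if rule.pl > paranoia_level:
            continue               # rule is inactive at this paranoia level
        values = [path] if rule.target == "path" else list(args.values())
        if any(rule.pattern.search(v) for v in values):
            hits.append(rule.rule_id)
    return hits
if __name__ == "__main__":
    # Constructed sample requests: an IPv6 URL parameter that an IPv4-only pattern
    # would miss, a restricted-extension probe, and a hostname URL that needs PL2.
    print(evaluate("/index.php", {"page": "http://[2001:db8::1]/x"}, 1))   # [931100]
    print(evaluate("/web.config", {}, 1))                                  # [920440]
    print(evaluate("/index.php", {"page": "http://example.test/x"}, 1))    # []
    print(evaluate("/index.php", {"page": "http://example.test/x"}, 2))    # [999002]
```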

Source: Release OWASP CRS v4.21.0 (coreruleset/coreruleset on GitHub)

What's Changed. New features and detections: feat(931100): add IPv6 support / XML scan and SSH scheme, by @touchweb-vincent in #4321; feat(920440): add new restricted file extensions, by @touchweb...