This is the Agenda for the Monthly CRS Chat.
The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, June 2nd, 2025, at 20:30 CET (CEST during summer in the Northern Hemisphere). That's the 1st Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).
Archived previous meetings and their decisions are here.
What happened in the meantime since the chat last month
Outside development
Inside development
- The Open WAF Day had very interesting presentations, we'll be uploading them to our website soon.
Rules
- No news here.
CRS Sandbox
- No news here.
Security
- No news here.
Plugins
- No news here.
Documentation and Public Relations
- No news here.
Project Administration and Sponsor relationships
- We are in talks with a possible new sponsor 🎉
Tools
- Working on refactoring go-ftw to improve maintainability
- Working on a new feature: setting expected status codes globally for cloud mode (see go-ftw#467, "cloud mode test always success")
Testing incl. Seaweed and many future plans
- No news here.
Containers
- Released new versions with ModSecurity and ModSecurity-nginx updates
Project discussions and decisions
- We got this PR for SSTI at PL2: `@rx ({{.*}}|{%.*%}|<%[=]?.*%>)`
  - A very similar rule 941380 already exists at PL2: `@rx {{.*?}}`
  - Do we want to drop rule 941380 and create this new rule in file 934-attack-generic instead of 941-xss? Or do we extend the existing rule 941380 with `t:removeWhiteSpace` and maybe other characteristics mentioned in the PR?
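As an added illustration for this discussion (not part of the agenda, the PR, or the CRS rule set), the Python snippet below runs the existing 941380 pattern and the proposed pattern over a few constructed inputs, with and without an emulation of `t:removeWhiteSpace`. The emulation (stripping every whitespace character) and the sample strings are assumptions made here.

```python
import re

# Patterns exactly as quoted in the agenda: the existing 941380 and the PR's proposal.
RULE_941380 = re.compile(r"{{.*?}}")
PROPOSED_SSTI = re.compile(r"({{.*}}|{%.*%}|<%[=]?.*%>)")

# Constructed inputs (not from the page): three template syntaxes, one with
# whitespace inside the delimiters, and one benign string with single braces.
SAMPLES = {
    "jinja_expr": "{{ name }}",
    "jinja_stmt": "{% if name %}",
    "erb_expr": "<%= name %>",
    "spaced_braces": "{ { name } }",
    "benign": "price for {item}: 7",
}


def remove_whitespace(value: str) -> str:
    """Assumed emulation of t:removeWhiteSpace: drop every whitespace character."""
    return re.sub(r"\s+", "", value)


def hits(pattern: re.Pattern, value: str, transform: bool = False) -> bool:
    """True when the pattern fires on the (optionally transformed) value."""
    if transform:
        value = remove_whitespace(value)
    return pattern.search(value) is not None


def evaluate(samples: dict) -> dict:
    """Coverage matrix: each sample against both patterns, raw and transformed."""
    report = {}
    for name, value in samples.items():
        report[name] = {
            "941380": hits(RULE_941380, value),
            "941380+removeWhiteSpace": hits(RULE_941380, value, transform=True),
            "proposed": hits(PROPOSED_SSTI, value),
            "proposed+removeWhiteSpace": hits(PROPOSED_SSTI, value, transform=True),
        }
    return report


if __name__ == "__main__":
    for name, row in evaluate(SAMPLES).items():
        print(f"{name:14s} " + " ".join(f"{k}={v}" for k, v in row.items()))
```

The matrix shows which of the two open questions each option answers: the proposed pattern adds the `{% %}` and `<% %>` syntaxes, while the transformation is what closes the gap for whitespace between the braces.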
Rules development, key project numbers
PRs that have been merged since the last meeting
- feat: remove exclusion of deprecated __utm cookies #4151
- feat: 933120 change from capture and double pmf to regex #4138
- feat: 933151 change from capture and double pmf to regex #4139
- fix: update security reporting #4148
- chore(deps): update owasp/modsecurity-crs:apache docker digest to 8ae18e1 in tests/docker-compose.yml #4146
- chore(deps): update owasp/modsecurity-crs:nginx docker digest to 98862ac in tests/docker-compose.yml #4147
- fix: add word ending to unix command sendmail (932235 PL1, 932236 PL2, 932239 PL2, 932260 PL1) #4141
- fix: false positives with session tokens/cookies 933150 #4142
- feat: remove unnecessary character class from 933151 #4135
- docs: fix flag in gpg command #4133
- feat: block database yaml files #4130
- chore(deps): update owasp/modsecurity-crs:nginx docker digest to 244f4ad in tests/docker-compose.yml #4127
- chore(deps): update owasp/modsecurity-crs:apache docker digest to 0e9b787 in tests/docker-compose.yml #4126
- fix: remove rc shell to reduce FPs #4125
- feat: update java-classes.data #4080
We merged 15 PRs since the last monthly project chat.
Open PRs
Open PRs marked DRAFT or work in progress or needs action
- feat: detect generic config filenames #4102
- feat: remediation for Python SSTI #4145
- fix: create a stricter sibling to 932370 and move at to PL-2 (932370 PL-1, 932371 PL-2) #4015
- feat: added rule to detect Bash Brace Expansion #3780
- feat: update java-errors.data #4113
- feat: added zmodload and sudo-rs #4143
- chore: add quant as comment #3925
- feat: Add product name tags #3960
- fix(test): move xss test from 942180 to 941330 #4012
- feat: added detection for ruby errors and code leakage #4089
- feat: added detection for RCE via Referer header #3993
- chore: update restricted-upload-data with crs-toolchain #4117
- feat: accidental firewall disability prevention #3650
- fix(932130): use lazy regex #3730
- chore: find rules without test #3881
- feat: added detection for quote evasion #3813
- fix(security): resolve SQL injection protection bypass (942380 PL2) #3720
- fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) #3840
- refactor(942340): move to regex assembly #4014
- feat: added detection for ASP.NET errors #4092
How to get to our Slack and join the meeting?
If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite.
Everybody is welcome to join our community chat.