This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, April 7th, 2025, at 20:30 CET (CEST during summer in the Northern Hemisphere). That's the 1st Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happened in the meantime since the chat last month

Outside development

• 🚀 The first Open WAF Day is going to happen in OWASP Global AppSec EU 2025 in Barcelona on Wednesday May 28th!

Inside development

Rules

CRS Sandbox

• 🔧 Sandbox was fixed and now it is running with the latest CRS version.

Security

Plugins

Documentation and Public Relations

Project Administration and Sponsor relationships

• 💬 We are discussing with two potential sponsors for 2025
• ✍️ Q1 2025 ended last week: DoD payments for Q1 will be submitted this week

Tools

Testing incl. Seaweed and many future plans

• No news here.

Containers

• No news is good news: our test suite is running with the latest container builds and so far no complaints from users

Project discussions and decisions

• Consider adding support for Ruby as requested in issue #4074
• Should we add JavaScript methods import and fetch to 941390? PR #4076
  • They are common English words although there is only one known false positive according to ftw quantitative: If you’re looking for a personal recommendation, if you’re willing to import (and perhaps wait around, as they often sell out line has been consistently excellent so far.. There are already other common English words in the rule such as alert, confirm, and prompt.

Rules development, key project numbers

PRs that have been merged since the last meeting

• feat: detect javascript methods import fetch console.log console.dir #4076
• chore: added new issue template #4065
• chore: reenable testing of 920390 #4085
• feat: detect compressed database dumps #4082
• fix: quote label in new issue template #4083
• fix: don't block ttf font files #4081
• fix: fixing FPs related to rule 951220 #4079
• fix: incorrect id for 932230-58 #4018
• feat: add more default session cookie names #4062
• feat: detect ASP web shells #4063
• ci: disable fail fast in regression tests, bump go-ftw #4072
• fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) #4019
• fix(security): fixing double URL decode of REQUEST_URI #4047
• chore: post-release v4.14.0-dev #4071
• chore: release v4.13.0 #4070
• feat: add additional files commonly accessed by bots #4069
• feat: add potential malicious file extensions into tx.restricted_extensions #4068
• feat: refresh restricted-upload.data #4046
• feat: adding .dist and .dpkg-dist into tx.restricted_extensions #4057
• fix: added pre-check of unset TX variable #4066
• fix: tag inconsistency per file #4031
• feat: block header related to CVE-2025-29927 (Next.js) #4053
• feat: remove rule 952100 for detecting Java Source Code Leakage #4052
• feat: added new XSS payloads #4055
• chore(deps): update ghcr.io/coreruleset/albedo docker tag to v0.1.0 in tests/docker-compose.yml #4042
• test: default to HTTP/1.1 protocol version for all tests instead of HTTP/1.0 #4043
• fix: use boundary to fix false positive with email [email protected] #4045
• fix: rule 930110 is not supposed to match bare '..' without (back)slashes #4050
• chore(deps): update owasp/modsecurity-crs:apache docker digest to d6aba0e in tests/docker-compose.yml #4048
• chore(deps): update owasp/modsecurity-crs:nginx docker digest to 9094979 in tests/docker-compose.yml #4049

We merged 30 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

• fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) #3840
• chore: find rules without test #3881
• feat: accidental firewall disability prevention #3650
• fix(security): resolve SQL injection protection bypass (942380 PL2) #3720
• feat: added detection for RCE via Referer header #3993
• chore: improve new issue form #4084
• feat: update java-classes.data #4080
• fix: 932270 FP #3917
• refactor(942340): move to regex assembly #4014
• fix(932130): use lazy regex #3730
• feat: added rule to detect Bash Brace Expansion #3780
• fix: create a stricter sibling to 932370 and move at to PL-2 (932370 PL-1, 932371 PL-2) #4015
• feat: added detection for quote evasion #3813
• fix(test): move xss test from 942180 to 941210 #4012
• chore: add quant as comment #3925
• feat: Add product name tags #3960

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.