This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, May 5th, 2025, at 20:30 CET (CEST during summer in the Northern Hemisphere). That's the 1st Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happened in the meantime since the chat last month

Outside development

• New Rust based WAF coming that will have support for CRS: https://project-sniezka.ferronweb.org/
• The Open WAF Day will happen on May 28th! See https://owasp2025globalappseceu.sched.com/event/1zCJN/open-waf-day-crs-modsecurity-coraza

Inside development

Rules

• FIXME: Please fill in

CRS Sandbox

• Sandbox logs were cleaned up, and response times have really improved. There is a followup ticket to perform this with a cadence.

Security

• FIXME: Please fill in

Plugins

• FIXME: Please fill in

Documentation and Public Relations

• New blog post by @michelamaria 👏 https://coreruleset.org/20250415/false-negatives-false-positives-how-the-crs-team-decide-when-to-add-or-modify-rules-and-when-we-decide-not-to-add-them/

Project Administration and Sponsor relationships

• We had a meeting with our gold sponsor United Security Providers where we got a nice exchange of ideas and received suggestions.

Tools

• Important bug fix to regex generation fix: incorrect hex representation of Unicode characters (Example: \x2019 instead of \x{2019}) crs-toolchain#222

Testing incl. Seaweed and many future plans

• No news here.

Containers

• New release for CRS v4.14.0, nginx 1.28.0

Project discussions and decisions

• How should we address the issue here? Changed behavior with httpd/mod_security due outbound anomaly score resetting in v4.2.0 #3696
• Should we add stricter sibling to 954100? fix(954100): detect forward slash in path #4094
• Should we document --enable-request-early? Remove possiblity to disable early-blocking processing owasp-modsecurity/ModSecurity#3362
• Should we drop self? fix: remove self command #4111
• Should we use pmFromFile or regex for larger lists? There is already discussion here: #3229

Rules development, key project numbers

PRs that have been merged since the last meeting

• chore: improve new issue form #4084
• fix: false positive with title_strip_tags by moving strip_tags to 933160 #4105
• chore: post-release 4.15.0-dev #4109
• chore: release v4.14.0 #4108
• fix: remove .application from restricted extensions #4103
• docs: enable correct body processor when allowing content types #4097
• fix: 44J-250329 #4107
• fix(954100): detect forward slash in path #4094
• chore: update toolchain #4099
• fix: 932270 FP #3917
• chore(deps): update owasp/modsecurity-crs:apache docker digest to 0dd859b in tests/docker-compose.yml #4095
• chore(deps): update owasp/modsecurity-crs:nginx docker digest to d048c35 in tests/docker-compose.yml #4096

We merged 12 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

• feat: add User-Agent and Referer into targets (942280 PL1) #4115
• feat: update java-classes.data #4080
• feat: added rule to detect Bash Brace Expansion #3780
• chore(deps): update ghcr.io/coreruleset/albedo docker tag to v0.2.0 in tests/docker-compose.yml #4114
• feat: update java-errors.data #4113
• feat: added detection for ASP.NET errors #4092
• refactor(942340): move to regex assembly #4014
• fix: remove self command #4111
• feat: detect generic config filenames #4102
• fix: create a stricter sibling to 932370 and move at to PL-2 (932370 PL-1, 932371 PL-2) #4015
• chore: add quant as comment #3925
• feat: Add product name tags #3960
• fix(test): move xss test from 942180 to 941210 #4012
• fix(932130): use lazy regex #3730
• fix(security): resolve SQL injection protection bypass (942380 PL2) #3720
• feat: added detection for RCE via Referer header #3993
• feat: added detection for quote evasion #3813
• feat: added detection for ruby errors and code leakage #4089
• fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) #3840
• chore: find rules without test #3881
• feat: accidental firewall disability prevention #3650

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.