v4.0.0

@fzipi fzipi released this 14 Feb 17:31
1d95422
This is the OWASP CRS version 4.0.0.

Important changes:

  • feat: introduce plugin architecture for extending CRS and minimizing attack surface. (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe) [#2038, #2448, #2404]
  • feat: migrate application exclusions and less-used functionality to plugins (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe)
  • feat: introduce early blocking option (Christian Folini) [#1955]
  • feat: introduce new rule file/category to detect use of common web shells in responses (955100-955340 PL1, 955350 PL2) (Jozef Sudolský, Andrea Menin) [#1962, #2039, #2116]
  • feat: rename 'Node.js' category to 'generic' (Felipe Zipitría) [#2340]
  • feat: make all formerly PCRE-only regular expressions compatible with RE2/Hyperscan regular expression engines (Max Leske, Felipe Zipitría, Allan Boll, Franziska Bühler) [#1868, #2356, #2425, #2426, #2371, #2372]
  • feat: add support for HTTP/3 (Jozef Sudolský) [#3218]
  • feat: add granular control over reporting levels in 9801xx rules (Simon Studer, Andrew Howe, Christian Folini) [#2482, #2488]
  • feat: add new rule to explicitly detect multiple Content-Type abuse (CVE-2023-38199) (920620 PL1) (Andrea Menin) [#3237]
  • feat: add enable_default_collections flag to not initialize collections by default (Matteo Pace) [#3141]
  • feat: extend definition of restricted headers to include Content-Encoding and Accept-Charset by default (920450 PL1, 920451 PL2) (Walter Hop) [#2780, #2782]
  • feat: drop HTTP/0.9 support to resolve FP (Federico G. Schwindt) [#1966]
  • fix: refactor and rename anomaly scoring variables and paranoia level definition (Simon Studer) [#2417]
  • tests: complete goal of 100% test coverage for rules (entire team, Juan-Pablo Tosso, NiceYouKnow)
  • feat: switch to using WordNet instead of spell for finding English words in spell.sh (Max Leske) [#3242]
  • feat: publish nightly packages regularly (Felipe Zipitría) [#2207]

Tool changes:

  • feat: extend spell.sh script with an opt-in manual list of common and partial words. (Matteo Pace) [#3273]
  • feat: rework spell.sh utility to help with detection of false positives English words (Andrea Menin) [#3029]
  • feat: improve usability of spell.sh utility (Max Leske) [#3238]
  • feat: extend rules-check.py script to better enforce rule format in project guidelines (Ervin Hegedus) [#3113]
  • feat: extend rules-check.py script to ensure that auditLogParts is only used in last chained rule (Ervin Hegedus) [#2609]
  • feat: extend rules-check.py script to ensure that rules use @rx operator explicitly (Ervin Hegedus) [#2541]
  • feat: extend rules-check.py script to strip comments when parsing crs-setup.conf.example (Ervin Hegedus) [#3161]
  • feat: add utility to change version numbers (Ervin Hegedus) [#2085]
  • feat: add utility script to find rules without tests (Ervin Hegedus) [#2279]
  • feat: add crs-rules-check tool that runs sanity checks against rules (Ervin Hegedus) [#2236]
  • feat: add utility to find longest data lengths (Ervin Hegedus) [#2277]
  • feat: improve rule-ctl script to modify rules (Max Leske) [#2193]
  • feat: improve unique ID matching and documentation in send-payload-pls.sh (Manuel Spartan) [#2288]
  • feat: unify regexp utils to automate error-prone actions and automatically update rules from regular expression sources (Max Leske) [#2149, #2223, #2423, #2495, #2489, #2473]
  • fix: adjust log directories needed for volume mounts to Git (Max Leske) [#2103]
  • fix: replace backend docker container for tests to fix JSON Unicode reflection (Max Leske) [#3464]
  • feat: add new test method: check for tags on rules against allowlist (Ervin Hegedus) [#3437]

Changes with direct rule impact (sorted by lowest rule ID per change where available):

  • feat: add placeholder files for new plugin architecture (Walter Hop) [#2515]
  • feat: check initialization and use for all TX variables (Ervin Hegedus) [#3043]
  • feat: extend rule to detect restricted method override headers (Mark Zeman / KramNamez) [#3056]
  • feat: extend rules to detect keyword time as prefix of *nix and Windows RCE rules (rules later replaced) (Franziska Bühler) [#2819]
  • feat: improve Unix shell evasion prefix (various rules) (Jitendra Patro, Max Leske) [#3518]
  • feat: improve performance by removing unnecessary lowercase transformations (various rules) (Jozef Sudolský) [#2106]
  • feat: add additional prefix commands to 'unix-shell-evasion-prefix' (various rules) (Jitendra Patro) [#3557]
  • feat: consolidate 'unix-evasion-prefix*' files to ensure they don't diverge (various rules) (Franziska Bühler, Max Leske, Andrew Howe) [#3531]
  • feat: move regexp-assemble data files to root directory (Felipe Zipitría) [#3002]
  • feat: move rules to the earliest phase possible based on their inputs (various rules) (Ervin Hegedus) [#1941]
  • feat: remove superfluous 'urlDecodeUni' transformations (various rules) (Federico G. Schwindt) [#1845]
  • feat: rename 'tx.blocking_early' to 'tx.early_blocking' (various rules) (Christian Folini) [#2414]
  • feat: simplify regular expressions by replacing upper-case with lower-case matches if the expression is case-insensitive (various rules) (Felipe Zipitría) [#2485]
  • feat: remove SecCollectionTimeout from crs-setup.conf (Christian Folini) [#3559]
  • fix: do not log 'MATCHED_VAR' when it contains the full response body (various rules) (Jozef Sudolský) [#1985]
  • fix: do not unnecessarily escape forward slashes in regular expressions (various rules) (Federico G. Schwindt) [#1842]
  • fix: reformat several initialization rules to follow project guidelines (Ervin Hegedus) [#3157]
  • fix: remove auditLogParts actions from all rules where present (Andrea Menin, Ervin Hegedus) [#3034, #3081]
  • fix: remove uncommon Content Types from default in crs-setup.conf.example (Andrea Menin) [#2768]
  • fix: update diverse rules to follow new naming convention with paranoia level TX variables (Christoph Hansen) [#2937]
  • fix: update various rules to consolidate use of backslashes to \x5c representation for better compatibility with known WAF engines (various rules) (Andrew Howe, Max Leske) [#2335, #2345, #2375, #2376, #2399, #2400, #2402, #2410, #2420, #2441, #2442, #2454, #2426]
  • fix: remove initialization rules for redundant IP reputation variables (901150, 901152) (Andrew Howe) [#2833]
  • fix: initialize all variables used properly (901169) (Ervin Hegedus) [#2802]
  • feat: improve sampling mode efficiency (901410, 901420, 901440) (Paul Beckett) [#2094]
  • fix: replace uses of 'ctl:ruleEngine=Off' with 'ctl:ruleRemoveByTag=OWASP_CRS' to accommodate more than one ruleset (901450, 905100, 905110) (Jozef Sudolský) [#2156]
  • feat: remove old, commented-out IP reputation check rule (910110 PL1) (Paul Beckett) [#2148]
  • feat: detect 'burpcollaborator' scanner (913100 PL1) (Amir Hosein Aliakbarian) [#2152]
  • feat: detect 'httpx' scanner (913100 PL1) (Will Woodson) [#2045]
  • feat: detect 'LeakIX' scanner (913100 PL1) (Jozef Sudolský) [#1961]
  • feat: detect 'QQGameHall' malware (913100 PL1) (Walter Hop) [#2144]
  • feat: detect User-Agent of Tsunami Security Scanner (913100 PL1) (@hoexter) [#3480]
  • fix: avoid FP for YAM package manager (913100 PL1) (Jozef Sudolský) [#2022]
  • fix: move 'ecairn' from scanners to crawlers (913100 PL1) (Felipe Zipitría) [#2408]
  • feat: detect 'CensysInspect' and seoscanners.net crawlers (913102 PL2) (Andrew Howe) [#2155]
  • feat: detect 'ecairn' crawler (913102 PL2) (Jozef Sudolský) [#2024]
  • feat: detect 'Krzana' bot (913102 PL2) (Deepshikha Sinha) [#2432]
  • fix: remove rule to detect security scanner http headers (913110 PL1) (Christian Folini) [#3241]
  • feat: remove ineffective anti-scanner list scanners-urls.data and associated rule (913120 PL1) (Christian Folini) [#3235]
  • fix: correct the regular expression assembly (920120 PL1) (Max Leske) [#2333]
  • feat: increase rule score from warning to critical (920220 PL1) (Max Leske) [#3512]
  • fix: reduce FPs by handling the last path segment separately in new rule (920220 PL1, 920221 PL1) (Max Leske) [#3512]
  • fix: reduce FPs by matching on decoded variables (920220 PL1) (Max Leske) [#3512]
  • feat: prevent FPs by moving rule to higher PL (920240 PL2) (Max Leske) [#3506]
  • feat: validate 'SEC-CH-UA' and 'SEC-CH-UA-MOBILE' request headers (920274 PL4) (Chaim Sanders) [#1970]
  • fix: use the right kind of validation for 'Sec-CH-UA' and 'Sec-CH-UA-Mobile' request headers (920274 PL4, 920275 PL4) (somechris) [#2028]
  • fix: make validation of 'Sec-Fetch-User' header more strict (920275 PL4) (somechris) [#2020]
  • feat: move rule from PL2 to PL3 (920300 PL3) (Franziska Bühler) [#2013]
  • fix: amend rule to exclude CONNECT requests from requiring an Accept header (920300 PL3) (Andrew Howe) [#2297]
  • feat: add IPv6 to the 'Host header is a numeric IP address' check (920350 PL1) (itsTheFae, Ervin Hegedus, Jozef Sudolský) [#1929]
  • fix: avoid FP on '.axd' in restricted extensions, these are public (920440 PL1) (Jozef Sudolský) [#1925]
  • feat: rework restricted headers mechanism into two separate lists (920450 PL1, 920451 PL2) (Andrew Howe) [#3152]
  • fix: avoid FP in 'application/*+json' Content-Type (920470 PL1) (Mirko Dziadzka, Walter Hop) [#2455]
  • fix: avoid FP in CalDAV Content-Type (920470 PL1) (Vandan Rohatgi) [#2505]
  • fix: avoid FP in 'Content-Type' header with '#' character (920470 PL1) (Jozef Sudolský) [#1856]
  • fix: avoid FP on 'version' string in Content-Type header (920470 PL1) (Jozef Sudolský) [#1901]
  • fix: resolve false negative when matching against allowed charsets variable (920480 PL1) (katef, Federico G. Schwindt) [#1957]
  • fix: replace unnecessary capture groups in regular expressions with non-capturing groups (920510 PL3, 932200 PL2, 942510 PL2, 942511 PL3) (Federico G. Schwindt) [#1983]
  • feat: improve explanatory rule comments (920520 PL1) (Max Leske) [#2391]
  • feat: validate 'Accept-Encoding' header (920520 PL1, 920521 PL3) (Franziska Bühler) [#2357]
  • feat: new rule to detect multiple occurrences of charset keyword in Content-Type header (920530 PL1) (Jan Gora / terjanq) [#2571]
  • feat: new rule to detect Unicode character bypass check for non JSON requests (920540 PL1) (Franziska Bühler, 0SPwn) [#2512]
  • feat: new rule to detect # char in URIs (920610 PL1) (Karel Knibbe) [#2919]
  • fix: use correct anomaly scoring variables and paranoia level tags across several rules (921170 PL1, 921220 PL4, 932220 PL2, 932331 PL3, 933211 PL3, 934101 PL1, 942362 PL2, 951100) (Christoph Hansen) [#2931]
  • feat: new rules to detect HTTP parameter pollution bypasses (921210 PL3, 921220 PL4) (Christian Folini) [#2747]
  • fix: use correct anomaly scoring variables and paranoia level tags across several rules (921220 PL4, 932101 PL2, 932331 PL3, 933211 PL3, 942362 PL2) (Ervin Hegedus) [#2832]
  • feat: new rule to detect range header that is now forbidden on PL3 and up (921230 PL3) (Christian Folini) [#2760]
  • feat: new rule to detect mod_proxy attack (CVE-2021-40438) (921240 PL1) (Franziska Bühler) [#2818]
  • fix: add urlDecodeUni transformation rules with REQUEST_URI / REQUEST_BASENAME in phase 1 (921240 PL1, 920440 PL1, 920201 PL2, 920202 PL4) (Christian Folini) [#3411]
  • feat: new rules to detect ModSecurity body processor confusion using the Content-Type HTTP header (921421 PL1, 921422 PL2) (Simon Studer, Ervin Hegedus) [#2763]
  • fix: handle false positives when detecting ModSecurity body processor confusion (921422 PL2) (Ervin Hegedus) [#2784]
  • feat: new rules detecting attacks on multipart headers (922100 PL1, 922110 PL1, 922120 PL1) (Felipe Zipitría) [#2769]
  • fix: prevent unintended match of character set substrings in multipart/form-data requests (922100 PL1) (Jozef Sudolský) [#3470]
  • feat: remove redundant t:lowercase for a little performance (922110 PL1) (Jozef Sudolský) [#3469]
  • fix: remove possessive quantifiers (922110 PL1) (Felipe Zipitría) [#2989]
  • fix: update comments (922110 PL1, 942440 PL2) (Jozef Sudolský) [#3468]
  • fix: add missing quotes at the end of action lists (930050) (Ervin Hegedus) [#2184]
  • feat: disassemble regular expression (930100 PL1) (Andrew Howe) [#2298]
  • fix: detect path traversal in uploaded file names (930100 PL1, 930110 PL1) (k4n5ha0, Franziska Bühler, Felipe Zipitría) [#2451]
  • fix: detect triple dot path traversal (930100 PL1, 930110 PL1) (Franziska Bühler) [#2309, #2310]
  • feat: extend rule to detect Tomcat-specific path traversal attack (930110 PL1) (Christoph Hansen) [#2915]
  • fix: avoid FP for '..' without slashes (930110 PL1) (Tetrik, Walter Hop) [#2016]
  • feat: block access to AWS CLI files (930120 PL1, 930121 PL2) (Jozef Sudolský) [#2439]
  • feat: block access to extended list of sensitive files (930120 PL1, 930121 PL2, 930130 PL1) (Jozef Sudolský) [#1960]
  • feat: detect /proc and /sys access attempts (930120 PL1, 930130 PL1) (Andrew Howe) [#2154]
  • feat: extend rule to detect access attempts to /tmp/ (930120 PL1, 930121 PL2) (Max Leske) [#3131]
  • feat: extend rule to detect ECDSA type SSH identity files via list of sensitive *nix files (930120 PL1) (Pinaki Mondal / 0xInfection) [#2586]
  • fix: avoid detecting Google OAuth2 callback requests as malicious (930120 PL1, 930121 PL1) (Jozef Sudolský, Christian Folini) [#1958]
  • feat: extend rule to detect additional sensitive files on *nix systems (930121 PL2, 930130 PL1) (Gwendal Le Coguic / gwen001) [#2560]
  • feat: new rules to detect LFI and SQLi in user-agent and referer request headers (930121 PL2, 942152 PL2, 942321 PL2) (Franziska Bühler, Max Leske, Shivam Bathla) [#3102]
  • fix: extend rule to detect more LFI (930121 PL2) (Felipe Zipitría) [#2791]
  • feat: add BlockCypher.log to restricted-files.data (930130 PL1) (Jozef Sudolský) [#3501]
  • feat: add 'sslvpn_websession' to restricted-files.data (930130 PL1) (Jozef Sudolský) [#2338]
  • feat: add .vscode to restricted-files.data (930130 PL1) (Frederik Himpe) [#3471]
  • feat: extend data file to include additional restricted file names (restricted-files.data, 930130 PL1) (Jitendra Patro) [#3219]
  • feat: extend data file to include PrestaShop configuration file (restricted-files.data, 930130 PL1) (Jean-François Viguier) [#3192]
  • feat: extend rule to detect npm-shrinkwrap.json to restricted-files (930130 PL1) (Esa Jokinen / oh2fih) [#2627]
  • fix: block access to the Java-related WEB-INF directory (930130 PL1) (Jozef Sudolský) [#2092]
  • fix: remove duplicate keyword (930130 PL1) (Jozef Sudolský) [#3517]
  • feat: extend rules to detect additional protocols in RFI attacks (931130 PL2, 934120 PL2) (Karel Knibbe) [#2572]
  • feat: extend rule to detect url:file: schema in Java RFI attacks (931130 PL2) (Andrew Howe) [#2727]
  • fix: add local_file scheme from Python 2 (931130 PL2, 934120 PL2) (Felipe Zipitría) [#2809]
  • fix: close userinfo-based bypass (931130 PL2) (Andrea Menin) [#2479]
  • feat: new rule to detect path traversal attacks using URL encoded URL schemes in Java applications (931131 PL2) (Christoph Hansen) [#2902]
  • feat: extend rule to detect additional *nix shell commands (931160 PL1) (Gwendal Le Coguic / gwen001) [#2563]
  • feat: disassemble complex regexes for 932xxx rules that were subsequently replaced by other rules (Max Leske) [#2566]
  • feat: detect additional Unix RCE commands (932100 PL1, 932105 PL1) (Felipe Zipitría) [#2129]
  • feat: extend rule to detect additional entries to *nix command lists (932100 PL1, 932105 PL1) (Finn Westendorf / wfinn) [#2552]
  • feat: extend rule to detect additional *nix commands (932100 PL1) (Felipe Zipitría) [#2676]
  • feat: improve and extend cmdline processor to find more evasions (932100 PL1, 932105 PL1, 932230 PL1, 932150 PL1, 932175 PL1, 932220 PL2, 932240 PL1, 932106 PL3) (Felipe Zipitría) [#2907]
  • fix: avoid false positive with certain HTML character entities (932100 PL1) (Franziska Bühler) [#1954]
  • feat: move *nix command injection rules 932101 and 932106 into the same range as the other *nix command injection rules (932231 PL2, 932232 PL3) (Felipe Zipitría, Max Leske) [#3092]
  • feat: extend rule to detect additional *nix commands (932105 PL1) (Felipe Zipitría) [#2677]
  • feat: extend rule to detect mshta in Windows shell commands (932110 PL1) (Somdev Sangwan / s0md3v) [#2588]
  • feat: new Windows commands rules based on lolbas-project replacing 932110, 932115 (932370 PL1, 932380 PL1) (Felipe Zipitría, Franziska Bühler, Max Leske) [#3059, #3170]
  • fix: avoid false positive on 'sort' (932115 PL1) (Franziska Bühler) [#2012]
  • feat: detect 'Invoke-WebRequest' command (932120 PL1) (Paul Beckett) [#2271]
  • feat: extend rule to detect additional PowerShell cmdlet on Windows (932120 PL1) (Pinaki Mondal / 0xInfection) [#2589]
  • feat: extend rule to detect PowerShell RCEs better via new automation (932120 PL1) (Felipe Zipitría) [#2669]
  • feat: new rule to detect Windows cmdlet aliases (932125 PL1) (Pinaki Mondal / 0xInfection) [#2589]
  • fix: extend rule to detect character class *nix expressions (932130 PL1) (Somdev Sangwan / s0md3v, Walter Hop) [#2594]
  • feat: new rules to detect Log4j / Log4Shell attacks (932131 PL2, 944150 PL1, 944151 PL2, 944152 PL4) (Christian Folini, Max Leske) [#2349]
  • fix: prevent false positives against brackets in User-Agent header (932131 PL2) (Max Leske) [#3486]
  • feat: extend rule to detect busybox, $SHELL, and ${SHELL} in *nix RCE attacks (932150 PL1) (Walter Hop) [#2728]
  • feat: extend rule to detect C99 and printf utilities (932150 PL1) (Karel Knibbe) [#2569]
  • feat: extend rule to detect ksh in *nix RCE attacks (932150 PL1) (Andrew Howe) [#2721]
  • feat: extend rule to detect RCE attacks using compression utilities (932150 PL1) (Andrew Howe) [#2712]
  • feat: extend rule to detect RCEs using Base64 evasions (932150 PL1) (Somdev Sangwan / s0md3v, Andrew Howe) [#2590]
  • feat: extend rule to detect RCEs using quote evasions with python... commands (932150 PL1) (Somdev Sangwan / s0md3v, Andrew Howe) [#2590]
  • feat: new rule to detect generalised *nix RCE (932150 PL2) (Karel Knibbe) [#2583]
  • feat: replace *nix command injection rules 932150 PL1, 932151 PL1 with new rules for commands of less than 4 characters and commands of more than 4 characters in length respectively (932250 PL1, 932260 PL1) (Felipe Zipitría, Max Leske) [#3092]
  • fix: avoid FP on 'time' and 'ping' keywords (932150 PL1) (Walter Hop) [#2457]
  • feat: extend rule to detect RCE better via automation (932160 PL1) (Felipe Zipitría) [#2662]
  • fix: remove unnecessary prefixes from paths in unix-shell.data (932160 PL1) (Felipe Zipitría) [#2662]
  • feat: extend rule to detect expre in unix-shell list (932161 PL2) (Felipe Zipitría) [#2667]
  • feat: new rules to detect *nix commands in user-agent and referer request headers (932161 PL2, 932237 PL3) (Franziska Bühler, Max Leske, Shivam Bathla) [#3132]
  • feat: new rule detecting alias builtin (932175 PL1) (Felipe Zipitría) [#2796]
  • feat: use new automation to generate restricted-uploads.data from restricted-files.data (932180 PL1) (Max Leske) [#3282]
  • fix: use correct anomaly scoring variable (932180 PL1, 932200 PL2) (Jozef Sudolský) [#2324]
  • feat: detect RCE attempts with uninitialized shell vars (932200 PL2) (Andrea Menin) [#2151]
  • feat: extend rule to detect RCE in user-agent request header (932200 PL2) (Franziska Bühler, Shivam Bathla) [#3108]
  • feat: reduce FPs by removing User-Agent from individual target list (932200 PL2) (Max Leske) [#3489]
  • fix: generate correct log entries when using 'MATCHED_VAR_NAME' in conjunction with chain rules (932200 PL2, 933120 PL1, 933151 PL2) (Jozef Sudolský) [#2347]
  • fix: new rules to handle referer header and fix false positive (932205 PL2, 932206 PL2) (Max Leske) [#3300]
  • feat: extend rule to detect quote evasion (932210 PL2) (Max Leske) [#3120]
  • feat: extend rule to detect sh (932210 PL2) (Franziska Bühler) [#2816]
  • feat: extend rule to detect SQLi via automation of keyword list updates (932210 PL2) (Felipe Zipitría) [#2801]
  • feat: new rule to detect SQLite system command injection (932210 PL2) (flo405, Andrea Menin, Christian Folini) [#2032]
  • fix: add word boundaries for sh in RCE rules (932230 PL1, 932250 PL1) (Max Leske) [#3186]
  • fix: avoid FPs in RCE detections against words 'environment' and 'performance' (932230 PL1, 932235 PL1, 932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (Esad Cetiner) [#3477]
  • fix: handle false positive against sh in *nix command injection attacks (932230 PL1, 932250 PL1, 932236 PL2) (Max Leske) [#3186]
  • feat: add unix commands pyversions and py3versions (932235 PL1, 932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (Jitendra Patro) [#3465]
  • feat: replace *-with-params.ra files with suffix replacements (932235 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (Max Leske) [#3331]
  • fix: prevent FP on keywords 'more' and 'time' in Unix RCE (932235 PL1) (Franziska Bühler) [#3488]
  • fix: reduce FPs at the start of strings by excluding 'as' and 'at' (932236 PL2) (Franziska Bühler, Max Leske, Andrew Howe) [#3531]
  • fix: prevent FPs against names due to "axel" and "perl" (932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (@superlgn) [#3492]
  • fix: add whitespace after keywords mail and task to solve false positives (932236 PL2) (Franziska Bühler) [#3274]
  • fix: align unix-shell-upto3* files (932236 PL2) (Max Leske) [#3128]
  • fix: handle false positives with word "settings" (932236 PL2, 932237 PL3, 932239 PL2) (Esad Cetiner) [#3394]
  • fix: prevent FP on keywords more and time in Unix RCE (932236 PL2) (Franziska Bühler) [#3487]
  • fix: solve false positives by adding word boundaries for commonly used words in *nix RCE rules (932236 PL2) (Max Leske) [#3187]
  • fix: use correct anomaly scoring variable (932236 PL2) (Ervin Hegedus) [#3112]
  • fix: improve rule by matching non-word-boundary of commands with options (932237 PL3) (Max Leske) [#3425]
  • feat: new rule to detect *nix commands in user-agent and referer request headers (932239 PL2) (Franziska Bühler, Shivam Bathla) [#3104, #3318]
  • fix: reduce FPs in generic quote evasion detection (932240 PL2) (Max Leske) [#3494]
  • fix: remove ARGS_NAME from target variables (932240 PL2) (Andrea Menin) [#2960]
  • fix: use correct anomaly scoring variables and paranoia level tags for rule (932240 PL2) (Ervin Hegedus) [#2963]
  • fix: avoid false positives by requiring specific tokens to follow commands (932250 PL1) (Max Leske) [#3186]
  • fix: add missing target name to logdata (932260 PL1, 932240 PL2) (Ervin Hegedus) [#3409]
  • fix: remove chained rule (932260 PL1) (Max Leske) [#3521]
  • feat: new rules to detect email protocol attacks (932300 PL2, 932310 PL2, 932320 PL2) (Felipe Zipitría) [#2322]
  • fix: remove additional range expression that cause parsing errors for RE2 (932311 PL3) (Felipe Zipitría) [#2484]
  • feat: new rules to detect *nix shell history invocations (932330 PL1, 932331 PL3) (Karel Knibbe) [#2577]
  • fix: remove 'time' prefix from Windows RCE detection (932370 PL1, 932380 PL1) (Max Leske) [#3528]
  • feat: extend rule to detect additional file extensions via list of executable PHP files (933110) (Jan Gora / terjanq) [#2585]
  • feat: extend data file to add missing PHP config directives (php-config-directives.data, 933120 PL1) (Max Leske) [#3028]
  • feat: extend rule to detect additional sensitive PHP directives (933120 PL1) (Gwendal Le Coguic / gwen001) [#2561]
  • feat: extend rule to detect PHP config directives via automation of keyword list updates (933120 PL1) (Felipe Zipitría) [#2696]
  • feat: extend rule to detect sensitive PHP variables better (933130 PL1) (Felipe Zipitría) [#2668]
  • tests: clean test definitions and provide proper descriptions (933150 PL1, 933160 PL1) (Andrea Menin, Matteo Pace, Max Leske) [#3462]
  • feat: extend data file to include additional php function names (php-function-names-933151.data, 933151 PL2) (Jitendra Patro) [#3212]
  • feat: automate generation of PHP function dictionaries, revisited detection (933160 PL1, 933161 PL3, 933150 PL1, 933151 PL2) (Juan-Pablo Tosso, Christian Folini, Matteo Pace) [#3273]
  • feat: extend rule to detect document.domain XSS (933160 PL1, 941180 PL1) (Franziska Bühler, 0SPwn) [#2567]
  • feat: extend rule to detect evasions in PHP contexts with " (933160 PL1) (Somdev Sangwan / s0md3v) [#2596]
  • feat: rearrange keywords (933160 PL1, 941390 PL1) (Karel Knibbe) [#2905]
  • fix: handle false positive by fixing whitespace matching after PHP command (933160 PL1) (Max Leske) [#3432]
  • fix: solve ReDoS issue in rule (933161 PL3) (Andrea Menin) [#2302]
  • feat: extend rule to detect bzip2 wrapper in PHP injection attacks (933200 PL1) (Andrew Howe) [#2723]
  • feat: extend rule to detect ssh2.* wrappers in PHP injection attacks (933200 PL1) (Andrew Howe) [#2731]
  • fix: avoid false positive when cookie contains slash (933210 PL1) (Ervin Hegedus) [#1996]
  • fix: close PHP whitespace bypass (933210 PL1) (Walter Hop) [#2033]
  • fix: prevent excessive backtracking (933210 PL1) (Andrea Menin) [#2214]
  • feat: new rule to detect PHP injection attacks without terminating semi-colon (933211 PL3) (Karel Knibbe) [#2581]
  • feat: extend rule to detect Node.js injection attacks using require and child_process (934100 PL1, 932101 PL2) (Andrea Menin) [#2893]
  • feat: extend rule to detect Node.js RCE better (934100 PL1) (rektor0) [#2578]
  • feat: improve transformation pipeline to detect Base64-encoded evasions (934100 PL1) (Andrew Howe) [#3203]
  • feat: new rule to detect Node.js RCE (934101 PL2) (rektor0) [#2578]
  • fix: improve js rule transformation pipelines (934101 PL1, 934130 PL1, 934169 PL1, 934131 PL2) (Andrew Howe) [#3312]
  • feat: extend data file to include additional indicators (ssrf.data, 934110 PL1) (Jitendra Patro) [#3213]
  • feat: extend rule to detect SSRF better (934110 PL1) (Felipe Zipitría) [#2660]
  • feat: new rules to detect common IP-based SSRF targets (934110 PL1, 934120 PL2) (Felipe Zipitría) [#2259]
  • feat: extend rule to detect additional schema and IP evasion techniques in SSRF (934120 PL2) (Felipe Zipitría, Max Leske) [#2599]
  • feat: extend rule to detect octal address of AWS metadata endpoints (934120 PL2) (Karel Knibbe) [#2555]
  • feat: extend rule to detect SSRF better by inspecting targets beyond just ARGS (934120 PL2) (Karel Knibbe) [#2555]
  • feat: new rules to detect JavaScript prototype pollution (934130 PL1, 934131 PL2) (Walter Hop) [#2411]
  • fix: remove base64 transformation due to limited effectiveness and to align behavior across ModSecurity v2.x and libModSecurity v3.x engines (934130 PL1) (Andrea Menin) [#3378]
  • fix: remove overly specific rule with limited benefits and lack of cross-engine compatibility (934131 PL2) (Andrea Menin) [#3378]
  • feat: new rules to detect Perl and Ruby RCE signatures in a generic way (934140 PL2, 934150 PL1) (Karel Knibbe) [#2587]
  • feat: new rule to detect Node DoS attack via expressions resolving to true (934160 PL1) (Karel Knibbe) [#2917]
  • feat: new rule for PHP supporting data: scheme without using // before the content-type (934170 PL1) (Felipe Zipitría) [#3018]
  • feat: extend rules to detect path based XSS via new target REQUEST_FILENAME in 941xxx rules (Walter Hop) [#2894]
  • feat: run libinjection XSS detector on request filename in PL2 (941101 PL2) (Andrew Howe) [#2208]
  • feat: move rule from PL1 to PL2 (941120 PL2) (Christian Folini) [#2306]
  • fix: avoid false positive by adding character limit (941120 PL2) (Christian Folini) [#1872]
  • fix: avoid FP in Base64 content (941120 PL1) (Jozef Sudolský) [#2226]
  • fix: remove unnecessary character escape (941120 PL2) (Andrew Howe) [#2805]
  • fix: avoid FP in XMLNLS (941130 PL1) (Walter Hop) [#2192]
  • fix: solve ReDoS issue in rule (941140 PL1) (Andrea Menin) [#2050]
  • feat: detect 'dialog' tag in XSS no-script payloads (941160 PL1) (Jitendra Patro) [#3473]
  • feat: disassemble complex regex fully (941160 PL1) (Felipe Zipitría) [#2701]
  • fix: make regular expression more restrictive (941170 PL1) (Andrea Menin) [#2292]
  • fix: new rule at PL2 to move the detection of '-->' out of PL1 due to false positives (941181 PL2) (Paul Beckett) [#2082]
  • feat: disassemble complex regex (941210 PL1) (Felipe Zipitría) [#3262]
  • feat: extend rule to detect XSS evasions using carriage return (\r) and new line (\n) characters (941210 PL1) (oct0pus7) [#2576]
  • feat: disassemble complex regex (941220 PL1) (Felipe Zipitría) [#3263]
  • fix: correct numerical values used for HTML entity evasion detection (941220 PL1) (Jitendra Patro) [#3479]
  • fix: avoid false positive with Russian characters (941310 PL1) (Max Leske) [#2107]
  • feat: improve detection by adding missing javascript prompt and confirm methods (941390 PL1) (Jitendra Patro) [#3395]
  • feat: new rule to detect JavaScript methods (941390 PL1) (Franziska Bühler) [#2702]
  • feat: extend rule and move it from PL3 to PL2 (942101 PL2) (Matteo Pace) [#2922]
  • feat: extend rule to detect common SQL injection probing in path segments (942110 PL2) (Andrea Menin) [#2914]
  • feat: prevent FPs by removing rule (942110 PL2) (Max Leske) [#3505]
  • feat: add target REQUEST_FILENAME to rule to detect path-based SQLi attacks (942120 PL2) (Andrew Howe) [#3057]
  • feat: extend rule to detect use of collate in SQLite injection attacks (942120 PL2) (Jan Gora / terjanq) [#2584]
  • fix: extend rule to detect more SQLi (942120 PL2) (Karel Knibbe) [#2556]
  • fix: resolve issue with regular expression and improve SQLi detection by detecting 'not between' (942120 PL2) (NiceYouKnow, Max Leske, Franziska Bühler) [#2115]
  • fix: update SQL reserved words (942120 PL2) (Felipe Zipitría) [#2798]
  • feat: extend rule to detect glob in list of SQLi tautologies (942130 PL2) (Franziska Bühler) [#2729]
  • fix: remove unneeded TX variables (942130 PL2, 942131 PL2, 942521 PL3) (Andrea Menin) [#3293]
  • feat: detect more error-based SQL injections (942150 PL2, 951230 PL1) (Jozef Sudolský) [#2429]
  • feat: extend rule to detect more SQL function names (942150 PL2) (Karel Knibbe) [#2895]
  • feat: extend rules to detect more SQL error messages and functions (942151 PL1, 942152 PL1, 951220 PL1, 951230 PL1, 951240 PL1) (Jitendra Patro) [#3336]
  • feat: extend rule to detect additional SQL function signatures (942151 PL1) (Karel Knibbe) [#2570]
  • feat: extend rule to detect endswith, startswith, unistr, pg_client_encoding and various JSON SQL functions (942151 PL1) (Franziska Bühler) [#2874]
  • feat: extend rule to detect various JSON functions (942151 PL1) (Franziska Bühler) [#3041]
  • fix: avoid FP in SQL function names by splitting between PL1/PL2 (942151 PL1, 942150 PL2) (Jozef Sudolský) [#2480]
  • feat: extend rule to detect sql_compileoption_get in SQLite injection attacks (942152 PL1) (Andrew Howe) [#2718]
  • fix: extend blind SQLi detection (942160 PL1) (Franziska Bühler, Christian Folini) [#1956]
  • feat: new regex-assembly file for rule (942170 PL1) (Andrea Menin) [#2939]
  • feat: extend rule to detect SQL injection authentication bypasses (942180 PL2) (rekter0) [#2575]
  • feat: improve SQLi detection with spaces (942190 PL1, 942390 PL2) (Manuel Spartan, Max Leske) [#2436]
  • fix: avoid FP in SQLi by adding word boundary checks (942190 PL1) (Jozef Sudolský) [#2078]
  • fix: avoid FP in SQLi with keyword 'union' (942190 PL1) (Franziska Bühler) [#2058]
  • fix: prevent comment-based SQL evasion (942190 PL1) (Andrea Menin) [#1910]
  • fix: resolve bug in regular expression and add test case (942190 PL1) (NiceYouKnow, Max Leske, Franziska Bühler) [#2112]
  • feat: disassemble complex regex (942200 PL2) (Franziska Bühler, Max Leske) [#2932]
  • feat: extend rule to detect SQLi in user-agent and referer request headers (942200 PL2, 942370 PL2) (Franziska Bühler, Shivam Bathla) [#3106]
  • feat: improve regex-assembly file for rule (942210 PL2) (Andrew Howe) [#2945]
  • fix: detect the correct magic numbers that crash old PHP versions (942220 PL1) (Kyzentun, Walter Hop) [#2010]
  • fix: avoid false positive with 'case' (942230 PL1) (Franziska Bühler) [#2035]
  • fix: detect SQL false negative (942230 PL1) (Max Leske) [#2348]
  • feat: disassemble complex regex (942240 PL1) (Franziska Bühler, Max Leske) [#2938]
  • fix: avoid FP in 'having' SQLi (942251 PL3) (Felipe Zipitría) [#2248]
  • feat: new regex-assembly file for rule (942280 PL1) (Andrea Menin) [#2933]
  • feat: extend rule to detect additional MongoDB operators via NoSQL commands list (942290 PL1) (rekter0) [#2579]
  • feat: new regex-assembly file for rule (942290 PL1) (Andrea Menin) [#2942]
  • feat: improve regex-assembly format (942300 PL2) (Felipe Zipitría) [#3296]
  • fix: avoid false positive by adding word boundary checks (942300 PL2) (Franziska Bühler) [#2099]
  • fix: remove unnecessary part of regular expression (942310 PL2) (NiceYouKnow) [#2189]
  • feat: extend rule to detect ::int and ::bool SQL data conversions (942320 PL1) (Franziska Bühler) [#2872]
  • feat: extend rule to detect lo_get and ::text via PostgreSQL functions list (942320 PL2) (Franziska Bühler, Walter Hop, Shivam Bathla) [#2925]
  • feat: extend rule to detect lo_import and div via PostgreSQL functions list (942320 PL2) (Franziska Bühler, Shivam Bathla) [#2916]
  • feat: extend rule to detect more PostgreSQL data types (942320 PL2) (Franziska Bühler, Shivam Bathla) [#3019]
  • fix: add word boundaries to keywords to solve false positives (942330 PL2) (Franziska Bühler) [#3207]
  • feat: extend rule to detect SQL injection better (942340 PL2) (Karel Knibbe) [#2557]
  • fix: extend rule to detect more SQLi (942340 PL2) (Jan Gora / terjanq) [#2559]
  • feat: detect SQLi using the 'drop' keyword (942350 PL1, 942360 PL1, 942200 PL2, 942362 PL2) (Jozef Sudolský) [#2218]
  • fix: solve ReDoS issue in rule (942350 PL1) (Andrea Menin) [#2300]
  • feat: new regex-assembly file for rule (942370 PL2) (Christoph Hansen, Max Leske) [#2954]
  • feat: detect SQLi with 'if exists' (942380 PL2) (NiceYouKnow) [#2121]
  • feat: optimize regex (942400 PL2) (Jozef Sudolský) [#2323]
  • feat: disassemble complex chained regex (942440 PL2) (Felipe Zipitría) [#3295]
  • feat: optimize regex (942440 PL2) (Felipe Zipitría) [#2459]
  • fix: adapt rule to work in all ModSecurity versions (942440 PL2) (Andrew Howe) [#2201]
  • fix: avoid FP in JWT tokens (942440 PL2) (Andrea Menin) [#2460]
  • fix: reformat rules to follow project guidelines (942440 PL2, 949959, 949159, 959059, 959159) (Ervin Hegedus) [#3206]
  • fix: solve errors in regex pattern (942440 PL2) (Andrea Menin) [#3290]
  • fix: prevent FPs for click identifiers in query string by placing arg specific rule exclusions in rule set (942441, 942442) (Max Leske) [#3500]
  • feat: extend rules to detect current_user and overlay (942470 PL1, 942480 PL2) (Franziska Bühler) [#2875]
  • feat: extend rule to detect SQL injection attacks using headers (942480 PL2) (Paul Beckett) [#2911]
  • feat: extend rule to detect newlines in overlay (942480 PL2) (Franziska Bühler, Shivam Bathla) [#3040]
  • fix: detect MySQL optimizer hints (942500 PL1) (Max Leske) [#3431]
  • feat: new rules to detect SQL authentication bypasses (942520 PL2, 942521 PL2, 942522 PL2) (Jan Gora / terjanq) [#2603]
  • feat: extend rule to detect SQLi in user-agent and referer request headers (942521 PL2) (Franziska Bühler, Shivam Bathla) [#3107]
  • fix: replace 'MATCHED_VAR' in 'logdata' argument with stable variable (942521 PL2, 943110 PL1, 943120 PL1) (Ervin Hegedus) [#3543]
  • feat: new rule to detect '; in SQLi (942530 PL3) (Franziska Bühler) [#2808]
  • feat: new rule to detect authentication bypass via SQL injection that abuses semi-colons to end the SQL query (942540 PL1) (Karel Knibbe) [#2904]
  • fix: update scoring variable (942540 PL2) (Walter Hop) [#2970]
  • feat: new rule to detect MySQL scientific notation attacks (942560 PL1) (Jitendra Patro) [#3316]
  • fix: remove unnecessary 'lowercase' transformation from chain rule (944120 PL1) (Federico G. Schwindt) [#1852]
  • feat: extend rule to detect Java exploits better via java-classes.data file (944130 PL1) (Dennis Brown) [#3048]
  • feat: new rule to deny uploading .jsp and .jspx files (944140 PL1) (Walter Hop) [#2456]
  • feat: new rule to detect Spring4Shell (944260 PL2) (Christian Folini, Andrea Menin) [#2464]
  • fix: update administrative rule ids for consistent operation (950011, 950012, 950018) (Ervin Hegedus) [#3339]
  • feat: improve rule file 951xxx via the use of skipAfter instead of variable TX:sql_error_match (Jozef Sudolský) [#2754]
  • feat: extend data file to include additional SQL error messages (sql-errors.data, 951100 PL1) (Jitendra Patro) [#3214]
  • fix: avoid FP in MySQL data leakage rule (951230 PL1) (Jozef Sudolský) [#2490]
  • fix: avoid FP in PostgreSQL error messages (951240 PL1) (Jozef Sudolský, Franziska Bühler) [#1870, #2313]
  • fix: handle false positive in SQL error leakage detection (951240 PL1) (Jozef Sudolský) [#3169]
  • fix: avoid FP in Sybase error message (951260 PL1) (Jozef Sudolský) [#2307]
  • feat: extend rule to detect PHP errors better via new automation (953100 PL1) (Felipe Zipitría) [#2663]
  • feat: new rules to detect PHP error leakages with high false positive rates at paranoia level 2 instead of 1 (953100 PL1, 953101 PL2) (Andrea Menin) [#3119]
  • fix: solve false positive by shifting "Field cannot be empty" to PL2 (953100 PL1, 953101 PL2) (Esad Cetiner) [#3407]
  • fix: ignore case of PHP tag in response text (953210 PL1) (Felipe Zipitría) [#2664]
  • feat: extend rule to detect IIS errors via automation of pattern updates (954120 PL1) (Felipe Zipitría) [#2810]
  • fix: log response body to audit log only when full rule chain matches (954130 PL1) (Franziska Bühler) [#2202]
  • feat: added new webshells and tests (955100 PL1) (Jozef Sudolský) [#3405]
  • feat: extend data file to include additional web shells (web-shells-php.data, 955100 PL1) (Jitendra Patro) [#3215]
  • feat: extend data file to include additional web shells (web-shells-php.data, 955100 PL1) (Jozef Sudolský) [#2687]
  • fix: make regular expression more strict to reduce noise in logs (955120 PL1) (Jozef Sudolský) [#2315]
  • fix: use correct variable in chained condition for correlation rules (980120 PL0, 980150 PL0) (Simon Studer) [#1898]

Changes without direct rule impact:

  • chore: improve changelog-pr workflow (Max Leske) [#3416]
  • chore: generate changelog entries with leading space (Max Leske) [#3550]
  • chore: move regexp-assembly to separate directory (Felipe Zipitría) [#2327]
  • chore: parse changelog PR author names from contributors (Max Leske) [#3408]
  • docs: add a note to a commented rule about unsupported action in v3 (Ervin Hegedus) [#2098]
  • docs: add documentation on blocking of archive file extensions that are not blocked by default (Andrew Howe) [#2758]
  • docs: add example exclusion rule for monitoring agents (Andrea Menin) [#2037]
  • docs: add file sponsors.md (Christian Folini) [#2174]
  • docs: add link to run tests (Ervin Hegedus) [#3438]
  • docs: add link to slack invitation to README (Christian Folini) [#2122]
  • docs: add missing PL tags to all rules (Ervin Hegedus) [#1882]
  • docs: add note of lack of rule range support in ModSecv3 (Andrew Howe) [#3303]
  • docs: add to CONTRIBUTING.MD chain rule commenting guidance (Ervin Hegedus) [#3196]
  • docs: align actions in right order (Ervin Hegedus) [#2237]
  • docs: bring CONTRIBUTING.MD in line with documentation (Andrew Howe) [#2558]
  • docs: change documentation git module link to https (İlteriş Eroğlu) [#2461]
  • docs: change-version: fix typo (Deepshikha Sinha) [#2430]
  • docs: contributing.md: add more information for new developers (Andrew Howe) [#2487]
  • docs: crs-setup.conf: add note to allowed_request_content_type settings (Ervin Hegedus) [#2164]
  • docs: enhance installation process for Nginx / IIS (Jozef Sudolský) [#1988]
  • docs: explained to leave audit log settings alone in CONTRIBUTING.md (Christian Folini) [#3090]
  • docs: fix capec id for crawlers (Jozef Sudolský) [#2258]
  • docs: fix changed Trustwave URLs (Elia Pinto, henkworks, Felipe Zipitría) [#2213, #2364, #2204]
  • docs: fix docs for Apache (Jozef Sudolský) [#2238]
  • docs: fix donate URL (Felipe Zipitría) [#2132]
  • docs: fixed minor typo in comment in file rules/restricted-files.data (Homesteady) [#3305]
  • docs: fix NextCloud example comments (Joost de Keijzer) [#2282]
  • docs: fix ruleid typos in comments (Paul Beckett) [#2263]
  • docs: fix stricter sibling comment for SQL Injection () (Stephen Sigwart) [#1913]
  • docs: fix typo in initialization (Elia Pinto) [#2366]
  • docs: fix typo in sampling mode description (Christian Folini) [#2090]
  • docs: fix typos across the entire project as reported by codespell (Ervin Hegedus) [#2519]
  • docs: fix typos in README (Priyam Patel) [#2494]
  • docs: improve changelog organization (Christian Folini) [#3536]
  • docs: missing space after comment mark (Ervin Hegedus) [#2097]
  • docs: update OWASP Slack URL (Jozef Sudolský) [#2056]
  • docs: remove 'log' from rules and let SecDefaultAction decide what to do (Federico G. Schwindt) [#1876]
  • docs: replace terms Blacklist and Whitelist with Deny list and Allow list (Paul Beckett) [#2137]
  • docs: reword comment (900300 config) (Christian Folini) [#3417]
  • docs: reword contributing.md (Christian Folini) [#2077]
  • docs: sync CONTRIBUTING.MD with HTML version (Andrew Howe) [#3301]
  • docs: transferred CHANGES to CHANGES.md (Felipe Zipitría) [#2606]
  • docs: update and tidy CHANGES.md file for v4.0 release (Andrew Howe, Max Leske) [#3540]
  • docs: update CONTRIBUTORS.md for new release (Ervin Hegedus) [#3340]
  • docs: update description of rule 920350 (Christian Folini) [#1952]
  • docs: update documentation hyperlinks on rules (Dexter Chang) [#3232]
  • docs: update links and format of known bugs (Felipe Zipitría) [#2186]
  • docs: update OWASP vulnerability URLs (Walter Hop) [#2467]
  • docs: update policy to include signed releases (Felipe Zipitría) [#2465]
  • docs: update README for Nginx (vijayasija99) [#2158]
  • docs: update SPONSORS.md for new release (Christian Folini) [#3341]
  • docs: remove sponsor F5 / VMWare (Christian Folini) [#3555]
  • feat: add consistent rule references to initialization rule comments (Andrew Howe) [#2813]
  • feat: add editorconfig file to keep spacing in good shape (Felipe Zipitría) [#2407]
  • feat: add timezone variable to docker-compose (Felipe Zipitría) [#1995]
  • fix: indentations (Ervin Hegedus) [#1851]
  • fix: link for docs/OWASP-CRS-Documentation submodule (Ervin Hegedus) [#1885]
  • fix: multiple fixes when generating changelog PR (Max Leske) [#3418, #3420, #3422, #3424, #3429]
  • fix: nginx logging in docker-compose (Felipe Zipitría) [#2036]
  • fix: remove all whitespace at EOL (Felipe Zipitría) [#2405, #2406]
  • fix: remove full stop from end of log message (920181 PL1) (Federico G. Schwindt) [#2011]
  • fix: yamllint (Felipe Zipitría) [#2387]
  • tests: add a Chrome and Firefox version 100 UA (Mike Taylor) [#2325]
  • tests: add common and uniform http headers to tests (Felipe Zipitría) [#2362]
  • tests: additional tests for use in PHP wrappers in PHP injection attacks (rule 933200 PL1) (Andrew Howe) [#2723]
  • tests: add positive test 920100-16 for rule 920100 PL1 (Andrew Howe) [#2952]
  • tests: add positive test 920190-3 for rule 920190 PL1 (Andrew Howe) [#2956]
  • tests: add positive test 920250-4 for rule 920250 PL1 (Andrew Howe) [#2971]
  • tests: add positive test 920340-3 for rule 920340 PL1 (Andrew Howe) [#2972]
  • tests: add positive test 920470-18 for rule 920470 PL1 (Andrew Howe) [#3058]
  • tests: add positive test 921120-4 for rule 921120 PL1 (Andrew Howe) [#3083]
  • tests: add positive test 921150-2 for rule 921150 PL1 (Andrew Howe) [#3158]
  • tests: add positive test 932160-8 for rule 932160 PL1 (Christian Folini) [#2997]
  • tests: add test against FP when using urlDecode for 932140 (Max Leske) [#2191]
  • tests: add test for rule 941130 PL1 (Paul Beckett) [#2923]
  • tests: add test for rule 941140 PL1 (Franziska Bühler) [#2995]
  • tests: add test for rule 941170 PL1 (Franziska Bühler) [#2994]
  • tests: add test for rule 941200 PL1 (Franziska Bühler) [#2993]
  • tests: add test for rule 941240 PL1 (Franziska Bühler) [#2975]
  • tests: add test for rule 941310 PL1 (Franziska Bühler) [#2974]
  • tests: add test for rule 941400 PL1 (Franziska Bühler) [#2969]
  • tests: add test for rule 942170 PL1 (Franziska Bühler) [#2968]
  • tests: add test for rule 942270 PL1 (Franziska Bühler) [#2967]
  • tests: add test for rule 942350 PL1 (Franziska Bühler) [#2965]
  • tests: add test for rule 942500 PL1 (Franziska Bühler) [#2964]
  • tests: add test for rule 942520 PL2 (Franziska Bühler) [#2706]
  • tests: add test for rule 943100 PL1 (Franziska Bühler) [#2962]
  • tests: add test for sql_compileoption_used detection (rule 942151 PL1) (Andrew Howe) [#2714]
  • tests: add tests for 920120 (Max Leske) [#2369]
  • tests: add tests for 920121, 932150, 932160, 932120, 932130, 921151 (Paul Beckett) [#2264, #2275, #2276, #2272, #2273, #2270]
  • tests: add tests for 920275, 913101, 913102, 920410, 920171, 932190, 932110, 932105 (Ervin Hegedus) [#2021, #2253, #2257, #2294, #2295, #2285, #2286, #2287]
  • tests: add tests for 920341 (Juan-Pablo Tosso) [#2266]
  • tests: add tests for 921180 (Juan-Pablo Tosso, Christian Folini) [#2308]
  • tests: add tests for 932170, 932171, 932106, 932180, 942170, 942251, 942460 (Franziska Bühler) [#2252, #2254, #2255, #2280, #2283, #2284, #2269, #2268]
  • tests: add tests for 933111, 933190, 933200 (NiceYouKnow) [#2281]
  • tests: add tests for FP 921110 request smuggling (Franziska Bühler) [#2102]
  • tests: add tests for rules 942521 and 942522 PL2 (Franziska Bühler) [#2708]
  • tests: add test to prove we cover complex shell variables usage in rule 932230 (Felipe Zipitría) [#2966]
  • tests: clean up quoting (Max Leske) [#2370]
  • tests: deprecate ftw in favor of go-ftw (Felipe Zipitría) [#3076]
  • tests: detection of *nix RCE using multiple variable assignments (932200 PL2) (Christian Folini) [#2899]
  • tests: enable UTF8 encoding validation (Felipe Zipitría) [#2992]
  • tests: extend coverage for rule 932120 (Felipe Zipitría) [#2996]
  • tests: extend coverage for rule 932200 (Felipe Zipitría) [#2950]
  • tests: extend coverage for rule 932220 (Felipe Zipitría) [#3063]
  • tests: fix 933160-21 and 942500-1 due to invalid URI (Takaya Saeki) [#2168]
  • tests: fix duplicated tests for rule 934130 PL1 (Walter Hop) [#2918]
  • tests: fixed end boundary in 932180-2 (Ervin Hegedus) [#2377]
  • tests: fixed URLs tests for rule 932130 PL1 (Matteo Pace) [#2880]
  • tests: fixed URLs tests for rules 934130 PL1 and 934131 PL2 (Matteo Pace) [#3133]
  • tests: fix logging problem for Nginx (vijayasija99) [#2157]
  • tests: fix Python version for tests (Max Leske) [#2247]
  • tests: fix requirements version (nobletrout) [#2004]
  • tests: fix tests lacking charset (Felipe Zipitría) [#1932]
  • tests: fix tests on rule 932200 to detect FPs (Max Leske) [#3309]
  • tests: fix test titles (bxlxx.wu, Ervin Hegedus) [#2504, #2497]
  • tests: fix test using old syntax and add go-ftw check (Felipe Zipitría) [#2715]
  • tests: improve test setup, rewrite of log checker (Max Leske) [#2363]
  • tests: increase tests (920280-3, 920430-3, 920430-9) compatibility with other proxies (Matteo Pace) [#3134]
  • tests: normalized keys in test files (Ervin Hegedus) [#2493]
  • tests: rearranged tests for rule 920340 (Christian Folini) [#3089]
  • tests: rearranged tests for rule 920400 PL1 (Matteo Pace) [#2877]
  • tests: remove Accept-Charset from test files (Felipe Zipitría) [#2781]
  • tests: remove broken test 932100-3 (Felipe Zipitría) [#2165]
  • tests: use only valid YAML (Felipe Zipitría) [#2080]
  • tests: use same user-agent (Felipe Zipitría) [#2393]

Functionality that has been moved to plugins for this release:

  • feat: add Google OAuth 2 exclusion plugin (Jozef Sudolský) [#2388]
  • feat: add phpBB exclusion rules (now a plugin) (Jozef Sudolský) [#1893]
  • feat: add phpMyAdmin exclusion rules (now a plugin) (Jozef Sudolský) [#1951]
  • feat: move IP reputation rules to plugins (Simon Studer) [#2482]
  • feat: move exclusion profiles and DOS rules to plugins (Andrew Howe) [#2469]
  • feat: ownCloud: Fix rule 9003001 to match both DAV and WebDAV (now a plugin) (Abu Dawud) [#2130]
  • fix: Nextcloud: fix FPs (now a plugin) (kam821, Jozef Sudolský, ntimo, Felipe Zipitría, pyllyukko) [#1840, #1843, #1847, #1946]
  • fix: phpBB: Fix FPs (now a plugin) (Jozef Sudolský) [#2057, #2180, #2299, #2343]
  • fix: phpMyAdmin: Fix FPs (now a plugin) (Jozef Sudolský) [#2172, #2249, #2321, #2351]
  • fix: replace ARGS by ARGS_GET in rules in phase:1 (various rule exclusion rules) (Ervin Hegedus) [#2063]
  • fix: WordPress: fix FPs (now a plugin) (Jozef Sudolský) [#1899, #1971, #2320]
  • fix: WordPress: fix FPs and improve performance (now a plugin) (Walter Hop) [#1997, #2311]
  • fix: WordPress: fix FPs in Site Health page (now a plugin) (Robert de Boer, Fregf, Walter Hop) [#1895, #1920]
  • fix: XenForo: fix FPs (now a plugin) (Walter Hop, ThanhPT) [#1844, #1865, #1894, #1998, #2421]