In terms of bug fixes and optimizations, the release addresses false positives associated with the `title_strip_tags` rule, removes the deprecated `self` command, and eliminates the `rc` shell to further reduce false positives. Additionally, unnecessary character classes have been removed, and word endings have been incorporated into the Unix command for `sendmail`. Other notable changes include adjustments to session tokens and cookies to mitigate false positives, and modifications to various rules from capture and double pmf to regex for better accuracy.
Summary of Changes in OWASP CRS v4.15.0
New Features and Detections
- User-Agent and Referer Added: Enhanced targeting for rules (PR #4115).
- Updated `java-classes.data`: Improved detection capabilities (PR #4080).
- Database YAML Blocking: New rule to block access to sensitive database files (PR #4130).
Bug Fixes and Enhancements
- False Positive Fixes: Adjustments to the `title_strip_tags` rule (PR #4105).
- Removal of Deprecated Commands: Eliminated the `self` command and the `rc` shell to reduce false positives (PR #4111, PR #4125).
- Streamlined Character Classes: Removed unnecessary character classes for better performance (PR #4135).
- Improved Session Token/Cookie Handling: Addressed false positives with session management (PR #4142).
- Regex Updates: Changes made to specific rules for better precision (PR #4139, PR #4138).
- Cookie Exclusions Updated: Removed exclusions for deprecated `__utm` cookies (PR #4151).
Conclusion
With these updates, OWASP CRS v4.15.0 enhances the security posture of web applications by refining detection mechanics and addressing prior limitations. Users are encouraged to review the full changelog for a comprehensive understanding of all changes and improvements made in this release. For ongoing updates and enhancements, it is advisable to keep abreast of future releases from the OWASP CRS team.
OWASP CRS 4.15.0 released
A new version of the OWASP CRS for ModSecurity and similar web application firewalls has been released with improvements and new detections, including adding User-Agent and Referer to the rule targets, updating `java-classes.data`, and adding a rule to block access to database YAML files. Other changes include fixing false positives with `title_strip_tags`, removing the `self` command, getting rid of the `rc` shell, eliminating unnecessary character classes, and adding word endings to the Unix command `sendmail`. You can find the full list of changes in the coreruleset/coreruleset release.