OWASP CRS 4.13.0 released

The OWASP Core Rule Set (CRS) has recently been updated to version 4.13.0, providing a robust framework for detecting and preventing various cyberattacks on web applications. This release focuses on enhancing security measures while reducing the likelihood of false alerts. Key updates include a fix for the double URL decode vulnerability, the introduction of new detection features, and the removal of rule 952100, which previously aimed to identify Java Source Code Leakage.

Notable improvements in this version include enhancements to the prototype pollution payload, modifications to prevent false positives related to email addresses, and the resolution of inconsistencies in tagging across files. New features consist of blocking headers associated with CVE-2025-29927 (Next.js), the addition of new cross-site scripting (XSS) payloads, and the inclusion of potentially harmful file extensions in the restricted extensions list. Furthermore, more default session cookie names have been added to bolster security against automated attacks.

The update also marks the introduction of new contributors who have actively participated in enhancing the CRS. The full changelog details all modifications made from version 4.12.0 to 4.13.0, reflecting the community's ongoing efforts to improve web application security.

In addition to these changes, organizations using the OWASP CRS should consider integrating the latest version into their web application firewalls to take advantage of the improved detection capabilities and updated security features. Regular updates and community involvement are crucial for maintaining a robust defense against evolving cyber threats. As web application security continues to be a critical concern, staying informed about the latest developments in security tools like the OWASP CRS is essential for developers and security professionals alike.

The OWASP CRS is a collection of generic attack detection rules aimed at safeguarding web applications against a range of threats, including those outlined in the OWASP Top Ten, while minimizing false alerts. The recent update, Coreruleset v4.13.0, introduces several important modifications, such as addressing the double URL decode issue, incorporating new features and detections, and removing rule 952100, which detected Java Source Code Leakage. Additional modifications include an extended prototype pollution payload, a fix for false positives involving email addresses, and the resolution of tag inconsistencies on a per-file basis.

OWASP CRS 4.13.0 released @ Linux Compatible