From 09a7c79e17bd01f875b6452ac04ffabe88c2def5 Mon Sep 17 00:00:00 2001
From: "andre.bolinhas"
Date: Mon, 9 Mar 2026 22:45:01 +0000
Subject: [PATCH] Update OWASP CRS rules to v4.24.1
Automated update via update-feed.sh CRS version: v4.24.1 Rules extracted: 180
---
 rulesets.json | 92 +++++++++++++++++++++++++++++------------------------------
 1 file changed, 46 insertions(+), 46 deletions(-)
diff --git a/rulesets.json b/rulesets.json
index 46d80cb..0378854 100644
--- a/rulesets.json
+++ b/rulesets.json
@@ -1,5 +1,5 @@
 {
- "build_datetime": "2026-03-08T16:29:52Z",
+ "build_datetime": "2026-03-09T22:45:00Z",
 "owasp_top_10": {
 "version": "2025",
 "url": "https://owasp.org/Top10/2025/",
@@ -107,9 +107,9 @@
 {
 "id": "crs-protocol-enforcement",
 "name": "CRS Protocol Enforcement",
- "version": "4.24.0",
+ "version": "4.24.1",
 "source": "owasp-crs",
- "description": "OWASP CRS v4.24.0 — CRS Protocol Enforcement (12 rules)",
+ "description": "OWASP CRS v4.24.1 — CRS Protocol Enforcement (12 rules)",
 "author": "OWASP CRS Project",
 "priority": 15,
 "enabled": true,
@@ -359,9 +359,9 @@
 {
 "id": "crs-protocol-attack",
 "name": "CRS Protocol Attack (HTTP Smuggling)",
- "version": "4.24.0",
+ "version": "4.24.1",
 "source": "owasp-crs",
- "description": "OWASP CRS v4.24.0 — CRS Protocol Attack (HTTP Smuggling) (10 rules)",
+ "description": "OWASP CRS v4.24.1 — CRS Protocol Attack (HTTP Smuggling) (10 rules)",
 "author": "OWASP CRS Project",
 "priority": 5,
 "enabled": true,
@@ -369,7 +369,7 @@
 {
 "id": "921110",
 "name": "HTTP Request Smuggling Attack",
- "pattern": "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d",
+ "pattern": "(?:get|p(?:(?:os|u)t|atch|rop(?:find|atch))|head|options|co(?:nnect|py)|delete|trac[ek]|m(?:kcol|ove)|(?:un)?lock)[\\s\\x0b]+[^\\s\\x0b]+[\\s\\x0b]+http/[0-9]",
 "targets": [
 "body",
 "query"
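Review bot: The new 921110 pattern (and likewise the 921120 and 921160 patterns in the next two hunks) carries no `(?i)` flag, unlike the 941190 pattern later in this patch, so it matches only lower-case method and header names; real requests send `GET` / `POST` and `Content-Type`, so unless the engine lowercases the target before the regex runs (no transformation field is visible in these hunks) these rules would miss the common case. The 921160 pattern additionally mixes `originating-IP` with otherwise all-lowercase names, which cannot be right under either assumption: lowercased input never matches `IP`, and raw input does not match the lowercase names. Suggest either prefixing these three patterns with `(?i)` or recording in this file that the engine applies a lowercase transform, so the two stay consistent. The enclosing rule object starts and ends outside the hunk.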
@@ -390,7 +390,7 @@
 {
 "id": "921120",
 "name": "HTTP Response Splitting Attack",
- "pattern": "[\\r\\n]\\W*?(?:content-(?:type|length)|set-cookie|location):\\s*\\w",
+ "pattern": "[\\n\\r][^0-9A-Z_a-z]*?(?:content-(?:type|length)|set-cookie|location):[\\s\\x0b]*[0-9A-Z_a-z]",
 "targets": [
 "all"
 ],
@@ -470,7 +470,7 @@
 {
 "id": "921160",
 "name": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)",
- "pattern": "[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:",
+ "pattern": "[\\n\\r]+(?:[\\s\\x0b]|location|re(?:fresh|mote-(?:ip|addr))|(?:set-)?cookie|forwarded-(?:(?:fo|serve)r|host)|host|via|originating-IP|x-(?:forwarded-(?:(?:fo|serve)r|host)|host|via|remote-(?:ip|addr)|originating-IP))[\\s\\x0b]*:",
 "targets": [
 "query"
 ],
@@ -571,9 +571,9 @@
 {
 "id": "crs-lfi",
 "name": "CRS Local File Inclusion (LFI)",
- "version": "4.24.0",
+ "version": "4.24.1",
 "source": "owasp-crs",
- "description": "OWASP CRS v4.24.0 — CRS Local File Inclusion (LFI) (2 rules)",
+ "description": "OWASP CRS v4.24.1 — CRS Local File Inclusion (LFI) (2 rules)",
 "author": "OWASP CRS Project",
 "priority": 5,
 "enabled": true,
@@ -601,7 +601,7 @@
 {
 "id": "930110",
 "name": "Path Traversal Attack (/../) or (/.../)",
- "pattern": "(?:(?:^|[\\x5c/;])\\.{2,3}[\\x5c/;]|[\\x5c/;]\\.{2,3}[\\x5c/;])",
+ "pattern": "(?:^|[/;\\x5c])\\.{2,3}[/;\\x5c]",
 "targets": [
 "all"
 ],
@@ -623,9 +623,9 @@
 {
 "id": "crs-rfi",
 "name": "CRS Remote File Inclusion (RFI)",
- "version": "4.24.0",
+ "version": "4.24.1",
 "source": "owasp-crs",
- "description": "OWASP CRS v4.24.0 — CRS Remote File Inclusion (RFI) (3 rules)",
+ "description": "OWASP CRS v4.24.1 — CRS Remote File Inclusion (RFI) (3 rules)",
 "author": "OWASP CRS Project",
 "priority": 5,
 "enabled": true,
@@ -697,9 +697,9 @@
 {
 "id": "crs-rce",
 "name": "CRS Remote Code Execution (RCE)",
- "version": "4.24.0",
+ "version": "4.24.1",
 "source": "owasp-crs",
- "description": "OWASP CRS v4.24.0 — CRS Remote Code Execution (RCE) (16 rules)",
+ "description": "OWASP CRS v4.24.1 — CRS Remote Code Execution (RCE) (16 rules)",
 "author": "OWASP CRS Project",
 "priority": 3,
 "enabled": true,
@@ -1030,9 +1030,9 @@
 {
 "id": "crs-php",
 "name": "CRS PHP Injection",
- "version": "4.24.0",
+ "version": "4.24.1",
 "source": "owasp-crs",
- "description": "OWASP CRS v4.24.0 — CRS PHP Injection (11 rules)",
+ "description": "OWASP CRS v4.24.1 — CRS PHP Injection (11 rules)",
 "author": "OWASP CRS Project",
 "priority": 5,
 "enabled": true,
@@ -1262,9 +1262,9 @@
 {
 "id": "crs-generic-attack",
 "name": "CRS Generic Application Attack",
- "version": "4.24.0",
+ "version": "4.24.1",
 "source": "owasp-crs",
- "description": "OWASP CRS v4.24.0 — CRS Generic Application Attack (5 rules)",
+ "description": "OWASP CRS v4.24.1 — CRS Generic Application Attack (5 rules)",
 "author": "OWASP CRS Project",
 "priority": 5,
 "enabled": true,
@@ -1293,7 +1293,7 @@
 {
 "id": "934130",
 "name": "JavaScript Prototype Pollution",
- "pattern": "(?:__proto__|constructor\\s*(?:\\.|\\]?\\[)\\s*prototype)",
+ "pattern": "__proto__|constructor[\\s\\x0b]*(?:\\.|\\]?\\[)[\\s\\x0b]*prototype",
 "targets": [
 "all"
 ],
@@ -1378,9 +1378,9 @@
 {
 "id": "crs-xss",
 "name": "CRS Cross-Site Scripting (XSS)",
- "version": "4.24.0",
+ "version": "4.24.1",
 "source": "owasp-crs",
- "description": "OWASP CRS v4.24.0 — CRS Cross-Site Scripting (XSS) (24 rules)",
+ "description": "OWASP CRS v4.24.1 — CRS Cross-Site Scripting (XSS) (24 rules)",
 "author": "OWASP CRS Project",
 "priority": 5,
 "enabled": true,
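Review bot: Dropping the outer `(?:…)` group in the new 934130 pattern leaves a top-level alternation, `__proto__|constructor…prototype`, which is only safe as long as the engine runs each pattern as a standalone, unanchored search; if the matcher ever prefixes or suffixes patterns when compiling them (anchors, or combining several rules into one alternation by string concatenation), the bare `|` binds differently than intended and one branch silently stops applying. The previous form was robust to that and keeping the group costs nothing: `"pattern": "(?:__proto__|constructor[\\s\\x0b]*(?:\\.|\\]?\\[)[\\s\\x0b]*prototype)"`. Whether the engine composes patterns this way is not visible in this file, so treat this as a confirm-or-restore item. The enclosing rule object continues past the hunk.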
@@ -1528,7 +1528,7 @@
 {
 "id": "941190",
 "name": "IE XSS Filters - Attack Detected",
- "pattern": "(?i:.*?(?:@[i\\x5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\\x5c]|&#x?0*(?:40|28|92|5C);?)))",
+ "pattern": "(?i).*?(?:@[\\x5ci]|(?:[:=]|&#x?0*(?:58|3[AD]|61);?).*?(?:[\\(\\x5c]|&#x?0*(?:40|28|92|5C);?))",
 "targets": [
 "all"
 ],
@@ -1748,7 +1748,7 @@
 {
 "id": "941300",
 "name": "IE XSS Filters - Attack Detected",
- "pattern": "(?i)
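Review bot: The rewritten 941190 pattern keeps the leading lazy `.*?` and a second `.*?` in the middle while being applied to `"all"` targets; for an unanchored search the leading `.*?` adds nothing to the match/no-match decision but makes every failed start position re-scan the rest of the input, so on long non-matching inputs the per-request matching cost grows super-linearly, which is a resource-exhaustion concern for a rule that runs on every target. Whether this is bounded in practice depends on the engine's match and backtracking limits, which are not visible here. The leading `.*?` can be dropped without changing which inputs match: `"pattern": "(?i)(?:@[\\x5ci]|(?:[:=]|&#x?0*(?:58|3[AD]|61);?).*?(?:[\\(\\x5c]|&#x?0*(?:40|28|92|5C);?))"`. The enclosing rule object extends beyond the hunk.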