Coraza, Coraza Waf, Coreruleset, Downloads, Hacking Tools, OWASP CRS

OWASP Coraza WAF – A Golang Modsecurity Compatible Web Application Firewall Library

Welcome to OWASP Coraza Web Application Firewall, OWASP Coraza is a golang enterprise-grade Web Application Firewall framework that supports Modsecurity’s seclang language and is 100% compatible with OWASP Core Ruleset.



  • Linux distribution (Debian and Centos are recommended, Windows is not supported yet)
  • Golang compiler v1.16+

Migrate from v1

  • Rollback SecAuditLog to the legacy syntax (serial/concurrent)
  • Attach an error log handler using waf.SetErrorLogCb(cb) (optional)
  • the function Transaction.Clean() must be used to clear transaction data, files and take them back to the sync pool.
  • If you are using @rx with libpcre (CRS) install the plugin
  • If you are using low level APIs check the complete changelog as most of them were removed.

Running the tests

Run the go tests:

go test ./...
go test -race ./...

Using pre-commit

pip install pre-commit
pre-commit run --all-files

You can also install the pre-commit git hook by running

pre-commit install

Coraza v2 differences with v1

  • Full internal API refactor, public API has not changed
  • Full audit engine refactor with plugins support
  • New enhanced plugins interface for transformations, actions, body processors, and operators
  • We are fully compliant with Seclang from modsecurity v2
  • Many features removed and transformed into plugins: XML (Mostly), GeoIP and PCRE regex
  • Better debug logging
  • New error logging (like modsecurity)
  • Better performance

Your first Coraza WAF project

package main

func main() {
// First we initialize our waf and our seclang parser
waf := coraza.NewWaf()
parser, _ := seclang.NewParser(waf)

// Now we parse our rules
if err := parser.FromString(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`); err != nil {

// Then we create a transaction and assign some variables
tx := waf.NewTransaction()
defer func(){
tx.ProcessConnection("", 8080, "", 12345)

// Finally we process the request headers phase, which may return an interruption
if it := tx.ProcessRequestHeaders(); it != nil {
fmt.Printf("Transaction was interrupted with status %d\n", it.Status)

Why Coraza WAF?


  • Simplicity: Anyone should be able to understand and modify Coraza WAF’s source code
  • Extensibility: It should be easy to extend Coraza WAF with new functionalities
  • Innovation: Coraza WAF isn’t just a ModSecurity port. It must include awesome new functions (in the meantime, it’s just a port )
  • Community: Coraza WAF is a community project, and all ideas will be considered


  • New rule language
  • GraphQL body processor
  • C exports
  • WASM scripts support

Coraza WAF implementations

Some useful tools


Dependency issues:

go get:[email protected]: parsing go.mod:
module declares its path as:
but was required as:

Coraza was migrated from to Most dependencies has already been updated to use the new repo, but you must make sure they all use v2.0.0-rc.3+. You may use the following command to fix the error:

How to contribute

Contributions are welcome. There are many TODOs, functionalities, fixes, bug reports, and any help you can provide. Just send your PR.

cd /path/to/coraza
egrep -Rin "TODO|FIXME" -R --exclude-dir=vendor *

Special thanks

  • Modsecurity team for creating ModSecurity
  • OWASP Coreruleset team for the CRS and their help

Companies using Coraza

Author on Twitter


For donations, see Donations site

Source : KitPloit – PenTest Tools!

Previous ArticleNext Article
Send this to a friend