From d8d8e32cc5049fa05ddeb8d94a668b7a04900868 Mon Sep 17 00:00:00 2001
From: Andre Bolinhas
Date: Fri, 6 Mar 2026 16:44:24 +0000
Subject: [PATCH] rulesets.json
---
 rulesets.json | 5974 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 5974 insertions(+)
 create mode 100644 rulesets.json
diff --git a/rulesets.json b/rulesets.json
new file mode 100644
index 0000000..6c5c5f4
--- /dev/null
+++ b/rulesets.json
@@ -0,0 +1,5974 @@
+{
+ "owasp_top_10": {
+ "version": "2025",
+ "url": "https://owasp.org/Top10/2025/",
+ "items": [
+ {
+ "id": "A01",
+ "name": "Broken Access Control",
+ "categories": [
+ "lfi",
+ "rfi",
+ "open_redirect",
+ "ssrf"
+ ],
+ "color": "red"
+ },
+ {
+ "id": "A02",
+ "name": "Security Misconfiguration",
+ "categories": [
+ "xxe",
+ "protocol",
+ "header_injection"
+ ],
+ "color": "orange"
+ },
+ {
+ "id": "A03",
+ "name": "Software Supply Chain Failures",
+ "categories": [
+ "log4shell",
+ "rce",
+ "cve",
+ "deserialization"
+ ],
+ "color": "red"
+ },
+ {
+ "id": "A04",
+ "name": "Cryptographic Failures",
+ "categories": [
+ "protocol"
+ ],
+ "color": "orange"
+ },
+ {
+ "id": "A05",
+ "name": "Injection",
+ "categories": [
+ "sqli",
+ "xss",
+ "nosqli",
+ "ldapi",
+ "cmdi",
+ "ssti",
+ "log_injection"
+ ],
+ "color": "red"
+ },
+ {
+ "id": "A06",
+ "name": "Insecure Design",
+ "categories": [
+ "ssti",
+ "prototype_pollution"
+ ],
+ "color": "yellow"
+ },
+ {
+ "id": "A07",
+ "name": "Authentication Failures",
+ "categories": [
+ "session_fixation"
+ ],
+ "color": "orange"
+ },
+ {
+ "id": "A08",
+ "name": "Software & Data Integrity Failures",
+ "categories": [
+ "deserialization"
+ ],
+ "color": "orange"
+ },
+ {
+ "id": "A09",
+ "name": "Security Logging & Alerting Failures",
+ "categories": [
+ "log_injection",
+ "data_leakage"
+ ],
+ "color": "yellow"
+ },
+ {
+ "id": "A10",
+ "name": "Mishandling of Exceptional Conditions",
+ "categories": [
+ "protocol",
+ "custom"
+ ],
+ "color": "yellow"
+ }
+ ]
+ },
+ "rulesets": [
+ {
+ "id": "crs-protocol-enforcement",
+ "name": "CRS Protocol Enforcement",
+ "version": "4.24.0",
+ "source": "owasp-crs",
+ "description": "OWASP CRS v4.24.0 — CRS Protocol Enforcement (30 rules)",
+ "author": "OWASP CRS Project",
+ "priority": 15,
+ "enabled": true,
+ "rules": [
+ {
+ "id": "920100",
+ "name": "Invalid HTTP Request Line",
+ "pattern": "(?i)^(?:get /[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?|(?:connect 
(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sx0b]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?)[sx0b]+[.-9A-Z_a-z]+)$",
+ "targets": [
+ "uri"
+ ],
+ "action": "block",
+ "score": 5,
+ "severity": "medium",
+ "category": "protocol",
+ "enabled": true,
+ "tags": [
+ "attack-protocol",
+ "paranoia-level/1",
+ "OWASP_CRS",
+ "OWASP_CRS/PROTOCOL-ENFORCEMENT",
+ "capec/1000/210/272"
+ ]
+ },
+ {
+ "id": "920120",
+ "name": "Attempted multipart/form-data bypass",
+ "pattern": "(?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^",
+ "targets": [
+ "all"
+ ],
+ "action": "block",
+ "score": 10,
+ "severity": "critical",
+ "category": "protocol",
+ "enabled": true,
+ "tags": [
+ "attack-protocol",
+ "paranoia-level/1",
+ "OWASP_CRS",
+ "OWASP_CRS/PROTOCOL-ENFORCEMENT",
+ "capec/1000/210/272"
+ ]
+ },
+ {
+ "id": "920160",
+ "name": "Content-Length HTTP header is not numeric",
+ "pattern": "^d+$",
+ "targets": [
+ "headers"
+ ],
+ "action": "block",
+ "score": 10,
+ "severity": "critical",
+ "category": "protocol",
+ "enabled": true,
+ "tags": [
+ "attack-protocol",
+ "paranoia-level/1",
+ "OWASP_CRS",
+ "OWASP_CRS/PROTOCOL-ENFORCEMENT",
+ "capec/1000/210/272"
+ ]
+ },
+ {
+ "id": "920170",
+ "name": "GET or HEAD Request with Body Content",
+ "pattern": "^(?:GET|HEAD)$",
+ "targets": [
+ "all"
+ ],
+ "action": "block",
+ "score": 10,
+ "severity": "critical",
+ "category": "protocol",
+ "enabled": true,
+ "tags": [
+ "attack-protocol",
+ "paranoia-level/1",
+ "OWASP_CRS",
+ "OWASP_CRS/PROTOCOL-ENFORCEMENT",
+ "capec/1000/210/272"
+ ]
+ },
+ {
+ "id": "920171",
+ "name": "GET or HEAD Request with Transfer-Encoding",
+ "pattern": "^(?:GET|HEAD)$",
+ "targets": [
+ "all"
+ ],
+ "action": "block",
+ "score": 10,
+ "severity": "critical",
+ "category": "protocol",
+ "enabled": true, 
+ "tags": [
+ "attack-protocol",
+ "paranoia-level/1",
+ "OWASP_CRS",
+ "OWASP_CRS/PROTOCOL-ENFORCEMENT",
+ "capec/1000/210/272"
+ ]
+ },
+ {
+ "id": "920190",
+ "name": "Range: Invalid Last Byte Value",
+ "pattern": "(d+)-(d+)",
+ "targets": [
+ "headers"
+ ],
+ "action": "block",
+ "score": 5,
+ "severity": "medium",
+ "category": "protocol",
+ "enabled": true,
+ "tags": [
+ "attack-protocol",
+ "paranoia-level/1",
+ "OWASP_CRS",
+ "OWASP_CRS/PROTOCOL-ENFORCEMENT",
+ "capec/1000/210/272"
+ ]
+ },
+ {
+ "id": "920210",
+ "name": "Multiple/Conflicting Connection Header Data Found",
+ "pattern": "b(?:keep-alive|close),s?(?:keep-alive|close)b",
+ "targets": [
+ "headers"
+ ],
+ "action": "block",
+ "score": 5,
+ "severity": "medium",
+ "category": "protocol",
+ "enabled": true,
+ "tags": [
+ "attack-protocol",
+ "paranoia-level/1",
+ "OWASP_CRS",
+ "OWASP_CRS/PROTOCOL-ENFORCEMENT",
+ "capec/1000/210/272"
+ ]
+ },
+ {
+ "id": "920260",
+ "name": "Unicode Full/Half Width Abuse Attack Attempt",
+ "pattern": "(?i)%uff[0-9a-f]{2}",
+ "targets": [
+ "body",
+ "uri"
+ ],
+ "action": "block",
+ "score": 5,
+ "severity": "medium",
+ "category": "protocol",
+ "enabled": true,
+ "tags": [
+ "attack-protocol",
+ "paranoia-level/1",
+ "OWASP_CRS",
+ "OWASP_CRS/PROTOCOL-ENFORCEMENT",
+ "capec/1000/255/153/267/72"
+ ]
+ },
+ {
+ "id": "920290",
+ "name": "Empty Host Header",
+ "pattern": "^$",
+ "targets": [
+ "headers"
+ ],
+ "action": "block",
+ "score": 10,
+ "severity": "critical",
+ "category": "protocol",
+ "enabled": true,
+ "tags": [
+ "attack-protocol",
+ "paranoia-level/1",
+ "OWASP_CRS",
+ "OWASP_CRS/PROTOCOL-ENFORCEMENT",
+ "capec/1000/210/272"
+ ]
+ },
+ {
+ "id": "920310",
+ "name": "Request Has an Empty Accept Header",
+ "pattern": "^$",
+ "targets": [
+ "headers"
+ ],
+ "action": "block",
+ "score": 3,
+ "severity": "low",
+ "category": "protocol",
+ "enabled": true,
+ "tags": [
+ "attack-protocol",
+ "paranoia-level/1",
+ "OWASP_CRS",
+ 
"OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920311", + "name": "Request Has an Empty Accept Header", + "pattern": "^$", + "targets": [ + "headers" + ], + "action": "block", + "score": 3, + "severity": "low", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920330", + "name": "Empty User Agent Header", + "pattern": "^$", + "targets": [ + "headers" + ], + "action": "block", + "score": 3, + "severity": "low", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920340", + "name": "Content-Type header missing from request with non-zero Content-Length", + "pattern": "^0$", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920350", + "name": "Host header is a numeric IP address", + "pattern": "(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)", + "targets": [ + "headers" + ], + "action": "block", + "score": 5, + "severity": "medium", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920470", + "name": "Illegal Content-Type header", + "pattern": "^[w/.+*-]+(?:s?;s*(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + 
"capec/1000/255/153" + ] + }, + { + "id": "920420", + "name": "Request content type is not allowed by policy", + "pattern": "^[^;s]+", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/255/153" + ] + }, + { + "id": "920480", + "name": "Request content type charset is not allowed by policy", + "pattern": "charsets*=s*[", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/255/153" + ] + }, + { + "id": "920530", + "name": "Multiple charsets detected in content type header", + "pattern": "charset.*?charset", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/255/153" + ] + }, + { + "id": "920440", + "name": "URL file extension is restricted by policy", + "pattern": ".([^.]+)$", + "targets": [ + "uri" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920500", + "name": "Attempt to access a backup or working file", + "pattern": ".[^.~]+~(?:/.*|)$", + "targets": [ + "uri" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920450", + "name": 
"HTTP header is restricted by policy (%{MATCHED_VAR})", + "pattern": "^.*$", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920600", + "name": "Illegal Accept header: charset parameter", + "pattern": "^(?:(?:*|[^!", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT" + ] + }, + { + "id": "920200", + "name": "Range: Too many fields (6 or more)", + "pattern": "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}", + "targets": [ + "headers" + ], + "action": "block", + "score": 5, + "severity": "medium", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920230", + "name": "Multiple URL Encoding Detected", + "pattern": "%[0-9a-fA-F]{2}", + "targets": [ + "query" + ], + "action": "block", + "score": 5, + "severity": "medium", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/255/153/267/120" + ] + }, + { + "id": "920121", + "name": "Attempted multipart/form-data bypass", + "pattern": "['", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920451", + "name": "HTTP header is restricted by policy (%{MATCHED_VAR})", + "pattern": "^.*$", + "targets": [ + "headers" + ], + 
"action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920240", + "name": "URL Encoding Abuse Attack Attempt", + "pattern": "^(?i)application/x-www-form-urlencoded", + "targets": [ + "headers" + ], + "action": "block", + "score": 5, + "severity": "medium", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/255/153/267/72" + ] + }, + { + "id": "920521", + "name": "Illegal Accept-Encoding header", + "pattern": "br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/255/153" + ] + }, + { + "id": "920275", + "name": "Invalid character in request headers (outside of very strict set)", + "pattern": "^(?:?[01])?$", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ] + }, + { + "id": "920460", + "name": "Abnormal character escapes in request", + "pattern": "(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/153/267" + ] + } + ] + }, + { + "id": "crs-protocol-attack", + "name": "CRS Protocol Attack (HTTP 
Smuggling)", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS Protocol Attack (HTTP Smuggling) (14 rules)", + "author": "OWASP CRS Project", + "priority": 5, + "enabled": true, + "rules": [ + { + "id": "921110", + "name": "HTTP Request Smuggling Attack", + "pattern": "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d", + "targets": [ + "body", + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/210/272/220/33" + ] + }, + { + "id": "921120", + "name": "HTTP Response Splitting Attack", + "pattern": "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/210/272/220/34" + ] + }, + { + "id": "921130", + "name": "HTTP Response Splitting Attack", + "pattern": "(?:bhttp/d|<(?:html|meta)b)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/210/272/220/34" + ] + }, + { + "id": "921140", + "name": "HTTP Header Injection Attack via headers", + "pattern": "[nr]", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/210/272/220/273" + ] + }, + { + "id": "921150", + "name": "HTTP Header Injection Attack via payload (CR/LF detected)", + 
"pattern": "[nr]", + "targets": [ + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/210/272/220/33" + ] + }, + { + "id": "921160", + "name": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)", + "pattern": "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:", + "targets": [ + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/210/272/220/33" + ] + }, + { + "id": "921190", + "name": "HTTP Splitting (CR/LF in request filename detected)", + "pattern": "[nr]", + "targets": [ + "uri" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/210/272/220/34" + ] + }, + { + "id": "921200", + "name": "LDAP Injection Attack", + "pattern": "^[^!&():<>|~]*)[sx0b]*(?:((?:[^!&(),<->|~]+[<>~]?=|[sx0b]*[!&|][sx0b]*[()]?[sx0b]*)|)[sx0b]*([sx0b]*[!&|][sx0b]*|[!&|][sx0b]*([^!&(),<->|~]+[<>~]?=[^!&():<>|~]*)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/152/248/136" + ] + }, + { + "id": "921421", + "name": "Content-Type header: Dangerous content type outside the mime type declaration", + "pattern": "^[^sx0b,;]+[sx0b,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": 
"critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/255/153" + ] + }, + { + "id": "921240", + "name": "mod_proxy attack attempt detected", + "pattern": "unix:[^|]*|", + "targets": [ + "uri" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/210/272/220/33" + ] + }, + { + "id": "921151", + "name": "HTTP Header Injection Attack via payload (CR/LF detected)", + "pattern": "[nr]", + "targets": [ + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/210/272/220/33" + ] + }, + { + "id": "921422", + "name": "Content-Type header: Dangerous content type outside the mime type declaration", + "pattern": "^[^sx0b,;]+[sx0b,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/255/153" + ] + }, + { + "id": "921210", + "name": "HTTP Parameter Pollution after detecting bogus char after parameter array", + "pattern": "(][^]]+$|][^]]+[)", + "targets": [ + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/152/137/15/460" + ] + }, + { + "id": 
"921220", + "name": "HTTP Parameter Pollution possible via array notation", + "pattern": "[", + "targets": [ + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/152/137/15/460" + ] + } + ] + }, + { + "id": "crs-multipart-attack", + "name": "CRS Multipart Attack", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS Multipart Attack (3 rules)", + "author": "OWASP CRS Project", + "priority": 10, + "enabled": true, + "rules": [ + { + "id": "922110", + "name": "Illegal MIME Multipart Header content-type: charset parameter", + "pattern": "^(?:(?:*|[^!", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-multipart-header", + "attack-protocol", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/MULTIPART-ATTACK", + "capec/272/220" + ] + }, + { + "id": "922120", + "name": "Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used", + "pattern": "content-transfer-encoding:(.*)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-multipart-header", + "attack-deprecated-header", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/MULTIPART-ATTACK", + "capec/272/220" + ] + }, + { + "id": "922130", + "name": "Multipart header contains characters outside of valid range", + "pattern": "[^x21-x7E][x21-x39x3B-x7E]*:", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-multipart-header", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/MULTIPART-ATTACK", + "capec/272/220" + ] + } + ] + }, + { + "id": "crs-lfi", + "name": "CRS 
Local File Inclusion (LFI)", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS Local File Inclusion (LFI) (2 rules)", + "author": "OWASP CRS Project", + "priority": 5, + "enabled": true, + "rules": [ + { + "id": "930100", + "name": "Path Traversal Attack (/../) or (/.../)", + "pattern": "(?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[01]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[256aef]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "lfi", + "enabled": true, + "tags": [ + "attack-lfi", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-LFI", + "capec/1000/255/153/126" + ] + }, + { + "id": "930110", + "name": "Path Traversal Attack (/../) or (/.../)", + "pattern": "(?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}[x5c/;])", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "lfi", + "enabled": true, + "tags": [ + "attack-lfi", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-LFI", + "capec/1000/255/153/126" + ] + } + ] + }, + { + "id": "crs-rfi", + "name": "CRS Remote File Inclusion (RFI)", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS Remote File Inclusion (RFI) (5 rules)", + "author": "OWASP CRS Project", + "priority": 5, + "enabled": true, + "rules": [ + { + "id": "931100", + "name": "Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address", + "pattern": 
"(?i)^(file|ftps?|https?|ssh)://(?:[?[a-f0-9]+:[a-f0-9:]+]?|d{1,3}.d{1,3}.d{1,3}.d{1,3})", + "targets": [ + "body", + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rfi", + "enabled": true, + "tags": [ + "attack-rfi", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RFI", + "capec/1000/152/175/253" + ] + }, + { + "id": "931110", + "name": "Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload", + "pattern": "(?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://", + "targets": [ + "body", + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rfi", + "enabled": true, + "tags": [ + "attack-rfi", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RFI", + "capec/1000/152/175/253" + ] + }, + { + "id": "931120", + "name": "Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)", + "pattern": "^(?i:file|ftps?|https?).*??+$", + "targets": [ + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rfi", + "enabled": true, + "tags": [ + "attack-rfi", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RFI", + "capec/1000/152/175/253" + ] + }, + { + "id": "931130", + "name": "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link", + "pattern": 
"(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://?(?:[^@]+@)?([^/]*)", + "targets": [ + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rfi", + "enabled": true, + "tags": [ + "attack-rfi", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RFI", + "capec/1000/152/175/253" + ] + }, + { + "id": "931131", + "name": "Possible Remote File Inclusion (RFI) Attack", + "pattern": "(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)", + "targets": [ + "uri" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rfi", + "enabled": true, + "tags": [ + "attack-rfi", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RFI", + "capec/1000/152/175/253" + ] + } + ] + }, + { + "id": 
"crs-rce", + "name": "CRS Remote Code Execution (RCE)", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS Remote Code Execution (RCE) (42 rules)", + "author": "OWASP CRS Project", + "priority": 3, + "enabled": true, + "rules": [ + { + "id": "932230", + "name": "Remote Command Execution: Unix Command Injection (2-3 chars)", + "pattern": "(?i)(?:b[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932235", + "name": "Remote Command Execution: Unix Command Injection (command without evasion)", + "pattern": "(?i)(?:b[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932125", + "name": "Remote Command Execution: Windows Powershell Alias Command Injection", + "pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932130", + "name": "Remote Command Execution: Unix Shell Expression Found", + "pattern": "$(?:((?:[^)]+|([^)]+)))|{[^}]+}|[[^]]*])|[<>]([^)]+)|/[0-9A-Z_a-z]*[[^]]+]", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932140", + "name": "Remote Command Execution: Windows FOR/IF Command Found", + "pattern": 
"b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sx0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932270", + "name": "Remote Command Execution: Unix Shell Expression Found", + "pattern": "~[+-](?:$|[0-9]+)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932280", + "name": "Remote Command Execution: Brace Expansion Found", + "pattern": "{[0-9A-Z_a-z]*,[,-0-9A-Z_a-z]*}", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932250", + "name": "Remote Command Execution: Direct Unix Command Execution", + "pattern": "(?i)(?:^|b[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932260", + "name": "Remote Command Execution: Direct Unix Command Execution", + "pattern": "(?i)(?:^|b[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932340", + "name": "Remote Command Execution: 
Direct Unix Command Execution (No Arguments)", + "pattern": "(?i)(?:b[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932330", + "name": "Remote Command Execution: Unix shell history invocation", + "pattern": "!-d", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932170", + "name": "Remote Command Execution: Shellshock (CVE-2014-6271)", + "pattern": "^(s*)s+{", + "targets": [ + "headers", + "uri" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932171", + "name": "Remote Command Execution: Shellshock (CVE-2014-6271)", + "pattern": "^(s*)s+{", + "targets": [ + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932175", + "name": "Remote Command Execution: Unix shell alias invocation", + "pattern": "ba[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932370", + "name": "Remote Command Execution: Windows Command Injection", + "pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b", + "targets": [ + "all" + ], + "action": 
"block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932380", + "name": "Remote Command Execution: Windows Command Injection", + "pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932371", + "name": "Remote Command Execution: Windows Command Injection", + "pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932231", + "name": "Remote Command Execution: Unix Command Injection", + "pattern": "(?:b[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932131", + "name": "Remote Command Execution: Unix Shell Expression Found", + "pattern": "$(?:((?:[^)]+|([^)]+)))|{[^}]+}|[[^]]*])|[<>]([^)]+)|/[0-9A-Z_a-z]*[[^]]+]", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932200", + "name": "RCE Bypass Technique", + "pattern": "['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{]", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + 
"severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932205", + "name": "RCE Bypass Technique", + "pattern": "^[^#]+", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932206", + "name": "RCE Bypass Technique", + "pattern": "^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{])", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932207", + "name": "RCE Bypass Technique", + "pattern": "#.*", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932220", + "name": "Remote Command Execution: Unix Command Injection with pipe", + "pattern": "(?i).|(?:[sx0b]*|b[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932240", + "name": "Remote Command Execution: Unix Command Injection evasion attempt detected", + "pattern": "(?i)[-0-9_a-z]+(?:[sx0b]*[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + 
"OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932281", + "name": "Remote Command Execution: Brace Expansion Found", + "pattern": "{[^sx0b,:}]*,[^sx0b]*}", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932210", + "name": "Remote Command Execution: SQLite System Command Execution", + "pattern": ";[sx0b]*.[sx0b]*[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932271", + "name": "Remote Command Execution: Unix Shell Expression Found", + "pattern": "~[0-9]+", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932300", + "name": "Remote Command Execution: SMTP Command Execution", + "pattern": "(?i)rn.*?b(?:E(?:HLO[sx0b][-.a-z]{1,255}|XPN[sx0b].{1,64})|HELO[sx0b][-.a-z]{1,255}|MAIL[sx0b]FROM:<.{1,64}@.{1,255}>|R(?:CPT[sx0b]TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SETb)|VRFY[sx0b].{1,64}(?:[sx0b]<.{1,64}@.{1,255}>|@.{1,255})|AUTH[sx0b][-0-9_a-z]{1,20}[sx0b](?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=|STARTTLSb|NOOPb(?:[sx0b].{1,255})?)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ] + }, + { + "id": "932310", + "name": "Remote Command Execution: IMAP Command Execution", + "pattern": 
"(?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ] + }, + { + "id": "932320", + "name": "Remote Command Execution: POP3 Command Execution", + "pattern": "(?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9_a-z]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ] + }, + { + "id": "932236", + "name": "Remote Command Execution: Unix Command Injection (command without evasion)", + "pattern": "(?i)(?:^|b[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932239", + "name": "Remote Command Execution: Unix Command Injection found in user-agent or referer header", + "pattern": "(?i)(?:^|b[", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932232", + "name": "Remote Command Execution: Unix Command Injection", + "pattern": "(?:b[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + 
"OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932237", + "name": "Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS", + "pattern": "(?i)b(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[sx0b&),<>|]|a(?:a-[^sx0b]{1,10}b|(?:b|t(?:obm)?|w[ks]|l(?:ias|pine)|xel)[sx0b&),<>|]|p(?:t(?:(?:itude)?[sx0b&),<>|]|-get)|parmor_[^sx0b]{1,10}b)|r(?:(?:p|ch)?[sx0b&),<>|]|j(?:[sx0b&),<>|]|-register|disp)|ia2c)|s(?:h?[sx0b&),<>|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[sx0b&),<>|]|diff|e(?:grep|xe[sx0b&),<>|])|f?grep|ip2(?:[sx0b&),<>|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sx0b&),<>|]|c))|h[sx0b&),<>|])|tch[sx0b&),<>|])|lkid[sx0b&),<>|]|pftrace|r(?:eaksw|(?:idge|wap)[sx0b&),<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sx0b&),<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[sx0b&),<>|]))|c(?:[89]9(?:[sx0b&),<>|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[sx0b&),<>|]|p(?:(?:an|io)?[sx0b&),<>|]|ulimit)|s(?:(?:h|cli)[sx0b&),<>|]|plit|vtool)|u(?:t[sx0b&),<>|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[sx0b&),<>|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[sx0b&),-<>|])|(?:flag|pas)s|g(?:passwd|rp[sx0b&),<>|]))|lang(?:++|[sx0b&),<>|])|o(?:bc(?:[sx0b&),<>|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[sx0b&),<>|]|proc|w(?:say|think))|r(?:ash[sx0b&),<>|]|on(?:[sx0b&),<>|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[sx0b&),<>|]|nf[sx0b&),<>|]?|hclient|m(?:esg[sx0b&),<>|]|idecode|setup)|o(?:(?:as|ne)[sx0b&),<>|]|cker[sx0b&),-<>|]|sbox)|pkg[sx0b&),-<>|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[sx0b&),<>|]|n(?:v(?:[sx0b&),<>|]|-update)|d(?:if|sw)[sx0b&),<>|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[sx0b&),<>|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep)?|mt|etch|lock|unction)[sx0b&),<>|]|i(?:(?:n(?:d|ger)|sh)?[sx0b&),<>|]|le(?:[sx0b&),<>|]|test))|tp(?:[sx0b&),<>|]|stats|who)|acter|d(?:(?:find|isk)[sx0b&),<>|]|u?mount)|o(?:ld[sx0b&),<>|]|reach)|ping[s
x0b&),6<>|])|g(?:c(?:c[^sx0b]{1,10}b|ore[sx0b&),<>|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))[sx0b&),<>|]|e(?:m[sx0b&),<>|]|ni(?:e[sx0b&),<>|]|soimage)|t(?:cap|facl[sx0b&),<>|]))|hc(?:-?[sx0b&),<>|]|i[sx0b&),-<>|])|r(?:(?:c(?:at)?|ep)[sx0b&),<>|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[sx0b&),<>|]|e(?:ad[sx0b&),<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[sx0b&),<>|]|passwd))|i(?:(?:d|rb|conv|nstall)[sx0b&),<>|]|p(?:[sx0b&),<>|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[sx0b&),<>|])|onice|spell)|j(?:(?:js|q|ava|exec)[sx0b&),<>|]|o(?:(?:bs|in)[sx0b&),<>|]|urnalctl)|runscript)|k(?:s(?:h[sx0b&),<>|]|shell)|ill(?:[sx0b&),<>|]|all)|nife[sx0b&),<>|])|l(?:d(?:d?[sx0b&),<>|]|config)|(?:[np]|ynx)[sx0b&),<>|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[sx0b&),<>|]|b_release)|ua(?:[sx0b&),<>|]|(?:la)?tex)|z(?:4(?:[sx0b&),<>|]|c(?:[sx0b&),<>|]|at))|(?:c(?:at|mp))?[sx0b&),<>|]|diff|[ef]?grep|less|m(?:a(?:[sx0b&),<>|]|dec|info)|ore))|a(?:st(?:(?:comm)?[sx0b&),<>|]|log(?:in)?)|tex[sx0b&),<>|])|ess(?:[sx0b&),<>|]|echo|(?:fil|pip)e)|ftp(?:[sx0b&),<>|]|get)|o(?:(?:ca(?:l|te)|ok)[sx0b&),<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[sx0b&),<>|]|k(?:(?:dir|nod)[sx0b&),<>|]|fifo|temp)|locate|o(?:(?:re|unt)[sx0b&),<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[sx0b&),<>|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[sx0b&),<>|]|.(?:openbsd|traditional))|e(?:t(?:[sx0b&),<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[sx0b&),<>|]|s(?:enter|lookup|tat[sx0b&),<>|]))|o(?:(?:d|ctave)[sx0b&),<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[sx0b&),<>|]))|p(?:a(?:(?:x|cman|rted|tch)[sx0b&),<>|]|s(?:swd|te[sx0b&),<>|]))|d(?:b(?:[sx0b&),<>|]|2mb|3[sx0b&),.<>|])|f(?:la)?tex|ksh[sx0b&),<>|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd))[sx0b&),<>|]|hp(?:[57]?[sx0b&),<>|]|-cgi)|i(?:(?:co?|gz|ng6?)[sx0b&),<>|]|p(?:[sx0b&),<>|]|[^sx0
b]{1,10}b)|dstat)|k(?:g(?:[sx0b&),<>|]|_?info)|exec|ill[sx0b&),<>|])|r(?:y?[sx0b&),<>|]|int(?:env|f[sx0b&),<>|]))|s(?:(?:ed|ql)?[sx0b&),<>|]|ftp)|t(?:x[sx0b&),<>|]|ar(?:[sx0b&),<>|]|diff|grep))|er(?:(?:f|ms)[sx0b&),<>|]|l(?:5?[sx0b&),<>|]|sh))|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[sx0b&),<>|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[sx0b&),<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sx0b&),<>|]|t(?:[sx0b&),<>|]|-(?:dump|tar))|user)|pm(?:(?:db)?[sx0b&),<>|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[sx0b&),<>|])|u(?:by[^sx0b]{1,10}b|n(?:-(?:mailcap|parts)|c[sx0b&),<>|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh)|plit)[sx0b&),<>|]|e(?:(?:d|ndmail|rvice)[sx0b&),<>|]|t(?:(?:facl)?[sx0b&),<>|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[sx0b&),<>|]|.distrib)|s(?:[sx0b&),<>|]|h(?:[sx0b&),<>|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[sx0b&),<>|]|do(?:-rs|[sx0b&),<>_|]|edit|replay))|vn(?:[sx0b&),<>|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[sx0b&),<>|]|elim)|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[sx0b&),<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[sx0b&),<>|]|sk(?:[sx0b&),<>|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[sx0b&),<>|]|e(?:[ex][sx0b&),<>|]|lnet)|i(?:c[sx0b&),<>|]|me(?:(?:out)?[sx0b&),<>|]|datectl))|c(?:l?sh[sx0b&),<>|]|p(?:dump|ing|traceroute))|r(?:a(?:ceroute6?|p[sx0b&),<>|])|off[sx0b&),<>|])|shark)|u(?:l(?:imit)?[sx0b&),<>|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[sx0b&),<>|]|expand|l(?:ink[sx0b&),<>|]|z(?:4[sx0b&),<>|]|ma))|pigz|z(?:ip[sx0b&),<>|]|std))|p(?:2date[sx0b&),<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:[ep]w|gr|rsh)?[sx0b&),<>|]|m(?:[sx0b&),<>|]|diff)|sudo(?:-rs)?)|algrind|olatility[sx0b&),<>|])|w(?:(?:c|a(?:ll|tch))?[sx0b&),<>|]|h(?:o(?:(?:is)?[sx0b&),<>|]|ami)?|iptail[sx0b&),<>|])|i(?:reshark|sh[sx0b&),<>|]))|x(?:(?:(?:x|pa)d|args|term)[sx0b&),<>|]|z(?:(?:c(?:at|mp))?[s
x0b&),<>|]|d(?:ec[sx0b&),<>|]|iff)|[ef]?grep|less|more)|e(?:latex|tex[sx0b&),<>|])|mo(?:dmap|re[sx0b&),<>|]))|z(?:ip(?:[sx0b&),<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[sx0b&),<>|]|oelim|td(?:[sx0b&),<>|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[sx0b&),<>|]|[ef]grep|mo(?:dload|re[sx0b&),<>|])|ypper))(?:b|[^0-9A-Z_a-z])", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932238", + "name": "Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS", + "pattern": "(?i)(?:^|b[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932190", + "name": "Remote Command Execution: Wildcard bypass technique attempt", + "pattern": "(?i)/(?:[*?]+[/-9A-Z_a-z]|[/-9A-Z_a-z]+[*?])", + "targets": [ + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932350", + "name": "Remote Command Execution: Direct Unix Command Execution (No Arguments)", + "pattern": "(?i)(?:^|b[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + }, + { + "id": "932301", + "name": "Remote Command Execution: SMTP Command Execution", + "pattern": "rn.*?b(?:DATA|QUIT|HELP(?: .{1,255})?)", + "targets": [ + "all" + ], + "action": 
"block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ] + }, + { + "id": "932311", + "name": "Remote Command Execution: IMAP Command Execution", + "pattern": "(?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ] + }, + { + "id": "932321", + "name": "Remote Command Execution: POP3 Command Execution", + "pattern": "rn.*?b(?:(?:QUI|STA|RSE)T|NOOP|CAPA)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ] + }, + { + "id": "932331", + "name": "Remote Command Execution: Unix shell history invocation", + "pattern": "!(?:d|!)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ] + } + ] + }, + { + "id": "crs-php", + "name": "CRS PHP Injection", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS PHP Injection (18 rules)", + "author": "OWASP CRS Project", + "priority": 5, + "enabled": true, + "rules": [ + { + "id": "933100", + "name": "PHP Injection Attack: PHP Open Tag Found", + "pattern": "(?i)]*%>)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-ssti", + "attack-injection-generic", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-GENERIC", + 
"capec/1000/152/242" + ] + } + ] + }, + { + "id": "crs-xss", + "name": "CRS Cross-Site Scripting (XSS)", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS Cross-Site Scripting (XSS) (31 rules)", + "author": "OWASP CRS Project", + "priority": 5, + "enabled": true, + "rules": [ + { + "id": "941100", + "name": "XSS Attack Detected via libinjection", + "pattern": "@detectXSS", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941110", + "name": "XSS Filter - Category 1: Script Tag Vector", + "pattern": "(?i)]*>[sS]*?", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941120", + "name": "XSS Filter - Category 2: Event Handler Vector", + "pattern": "(?i)[s", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941130", + "name": "XSS Filter - Category 3: Attribute Vector", + "pattern": "(?i).(?:b(?:(?:x(?:link:href|html|mlns)|data:text/html|formaction)b|pattern[sx0b]*=)|(?:!ENTITY[sx0b]+(?:%[sx0b]+)?[^sx0b]+[sx0b]+(?:SYSTEM|PUBLIC)|@import|;base64)b)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941140", + "name": "XSS Filter - Category 4: Javascript URI Vector", + "pattern": 
"(?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941160", + "name": "NoScript XSS InjectionChecker: HTML Injection", + "pattern": "(?i)<[^0-9<>A-Z_a-z]*(?:[^sx0b", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941170", + "name": "NoScript XSS InjectionChecker: Attribute Injection", + "pattern": "(?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941190", + "name": "IE XSS Filters - Attack Detected", + "pattern": "(?i:.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941200", + "name": "IE XSS Filters - Attack Detected", + "pattern": "(?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + 
"OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941210", + "name": "Javascript Word Detected", + "pattern": "(?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941220", + "name": "IE XSS Filters - Attack Detected", + "pattern": 
"(?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941230", + "name": "IE XSS Filters - Attack Detected", + "pattern": "(?i)]", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941300", + "name": "IE XSS Filters - Attack Detected", + "pattern": "(?i)]*[xbe>]|<[^xbe]*xbe", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941350", + "name": "UTF-7 Encoding IE XSS - Attack Detected", + "pattern": "+ADw-.*(?:+AD4-|>)|<.*+AD4-", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + 
"enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941360", + "name": "JSFuck / Hieroglyphy obfuscation detected", + "pattern": "![!+ ][]", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242/63" + ] + }, + { + "id": "941370", + "name": "JavaScript global variable found", + "pattern": "(?:self|document|this|top|window)s*(?:/*|[[)]).+?(?:]|*/)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242/63" + ] + }, + { + "id": "941390", + "name": "Javascript method detected", + "pattern": "(?i)b(?:eval|set(?:timeout|interval)|new[sx0b]+Function|a(?:lert|tob)|btoa|(?:promp|impor)t|con(?:firm|sole.(?:log|dir))|fetch)[sx0b]*[({]", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941400", + "name": "XSS JavaScript function without parentheses", + "pattern": "((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941101", + "name": "XSS Attack Detected via libinjection", + "pattern": "@detectXSS", + "targets": [ + "headers", + "uri" + ], + "action": "block", + "score": 10, + "severity": "critical", + 
"category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941150", + "name": "XSS Filter - Category 5: Disallowed HTML Attributes", + "pattern": "(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941320", + "name": "Possible XSS Attack Detected - HTML Tag Handler", + "pattern": "<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242/63" + ] + }, + { + "id": "941330", + "name": "IE XSS Filters - Attack Detected", + "pattern": "(?i:[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941340", + "name": "IE XSS Filters - Attack Detected", + "pattern": "(?i)[", + 
"targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ] + }, + { + "id": "941380", + "name": "AngularJS client side template injection detected", + "pattern": "{{.*?}}", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242/63" + ] + } + ] + }, + { + "id": "crs-sqli", + "name": "CRS SQL Injection (SQLi)", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS SQL Injection (SQLi) (60 rules)", + "author": "OWASP CRS Project", + "priority": 3, + "enabled": true, + "rules": [ + { + "id": "942100", + "name": "SQL Injection Attack Detected via libinjection", + "pattern": "@detectSQLi", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942140", + "name": "SQL Injection Attack: Common DB Names Detected", + "pattern": "(?i)b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*(|(?:information_schema|m(?:aster..sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql.db)|northwind|pg_(?:catalog|toast)|tempdb)b|s(?:chema(?:_nameb|[^0-9A-Z_a-z]*()|(?:qlite_(?:temp_)?master|ys(?:aux|.database_name))b))", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942151", + "name": "SQL Injection Attack: SQL 
function name detected", + "pattern": "(?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|eil(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert_tz)?)|t)|rc32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|s_(?:de|en)crypt)|ump)|e(?:n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|insert|object(?:_(?:agg|keys))?|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|insert_id)|case|east|i(?:kely|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2))|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:lygon|w)|rocedure_analyse)|qu(?:ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|q(?:lite_(?:compileoption_(?:get|us
ed)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp))|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942160", + "name": "Detects blind sqli tests using sleep() or benchmark()", + "pattern": "(?i:sleeps*?(.*?)|benchmarks*?(.*?,.*?))", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942170", + "name": "Detects SQL benchmark and sleep injection attempts including conditional queries", + "pattern": "(?i)(?:select|;)[sx0b]+(?:benchmark|if|sleep)[sx0b]*?([sx0b]*?(?[sx0b]*?[0-9A-Z_a-z]+", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942190", + "name": "Detects MSSQL code execution and information gathering attempts", + "pattern": "(?i)[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + 
}, + { + "id": "942220", + "name": "Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \"magic number\" crash", + "pattern": "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942230", + "name": "Detects conditional SQL injection attempts", + "pattern": "(?i)[sx0b()]case[sx0b]+when.*?then|)[sx0b]*?like[sx0b]*?(|select.*?having[sx0b]*?[^sx0b]+[sx0b]*?[^sx0b0-9A-Z_a-z]|if[sx0b]?([0-9A-Z_a-z]+[sx0b]*?[<->~]", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942240", + "name": "Detects MySQL charset switch and MSSQL DoS attempts", + "pattern": "(?i)alter[sx0b]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sx0b]+set[sx0b]+[0-9A-Z_a-z]+|[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942250", + "name": "Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections", + "pattern": "(?i:merge.*?usings*?(|executes*?immediates*?[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942270", + 
"name": "Looking for basic sql injection. Common attack string for mysql, oracle and others", + "pattern": "(?i)union.*?select.*?from", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942280", + "name": "Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts", + "pattern": "(?i)select[sx0b]*?pg_sleep|waitfor[sx0b]*?delay[sx0b]?[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942290", + "name": "Finds basic MongoDB SQL injection attempts", + "pattern": "(?i)[?$(?:a(?:bs|c(?:cumulator|osh?)|dd(?:ToSet)?|ll(?:ElementsTrue)?|n(?:d|yElementTrue)|rray(?:ElemA|ToObjec)t|sinh?|tan[2h]?|vg)|b(?:etween|i(?:narySize|t(?:And|Not|(?:O|Xo)r)?)|ottomN?|sonSize|ucket(?:Auto)?)|c(?:eil|mp|o(?:n(?:cat(?:Arrays)?|d|vert)|sh?|unt|variance(?:Po|Sam)p)|urrentDate)|d(?:a(?:te(?:Add|Diff|From(?:Parts|String)|Subtract|T(?:o(?:Parts|String)|runc))|yOf(?:Month|Week|Year))|e(?:greesToRadians|nseRank|rivative)|iv(?:ide)?|ocumentNumber)|e(?:(?:a|lemMat)ch|q|x(?:ists|p(?:MovingAvg|r)?))|f(?:i(?:lter|rstN?)|loor|unction)|g(?:etField|roup|te?)|(?:hou|xo|yea)r|i(?:fNull|n(?:c|dexOf(?:Array|Bytes|CP)|tegral)?|s(?:Array|Number|o(?:DayOfWeek|Week(?:Year)?)))|jsonSchema|l(?:astN?|et|i(?:ke|(?:nearFil|tera)l)|n|o(?:cf|g(?:10)?)|t(?:e|rim)?)|m(?:a(?:p|xN?)|e(?:dian|rgeObjects|ta)|i(?:llisecond|n(?:N|ute)?)|o(?:d|nth)|ul(?:tiply)?)|n(?:atural|e|in|o[rt])|o(?:bjectToArray|r)|p(?:ercentile|o(?:[pw]|sition)|roject|u(?:ll(?:All)?|sh))|r(?:a(?:diansToDegrees|n(?:[dk]|ge))|e(?:(?:duc|nam)e|gex(?:Find(?:All)?|Match)?|place(?:All|One)|ve
rseArray)|ound|trim)|s(?:(?:ampleRat|lic)e|e(?:cond|t(?:Difference|(?:Equal|WindowField)s|Field|I(?:ntersection|sSubset)|OnInsert|Union)?)|(?:hif|pli|qr)t|i(?:nh?|ze)|ort(?:Array)?|t(?:dDev(?:Po|Sam)p|r(?:Len(?:Bytes|CP)|casecmp))|u(?:b(?:str(?:Bytes|CP)?|tract)|m)|witch)|t(?:anh?|ext|o(?:Bool|D(?:(?:at|oubl)e|ecimal)|HashedIndexKey|Int|Lo(?:ng|wer)|ObjectId|String|U(?:UID|pper)|pN?)|r(?:im|unc)|s(?:Increment|Second)|ype)|unset|w(?:eek|here)|zip)]?", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942320", + "name": "Detects MySQL and PostgreSQL stored procedure/function injections", + "pattern": "(?i)create[sx0b]+(?:function|procedure)[sx0b]*?[0-9A-Z_a-z]+[sx0b]*?([sx0b]*?)[sx0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sx0b]*?[0-9A-Z_a-z]+|iv[sx0b]*?([+-]*[sx0b.0-9]+,[+-]*[sx0b.0-9]+))|exec[sx0b]*?([sx0b]*?@|(?:lo_(?:impor|ge)t|procedure[sx0b]+analyse)[sx0b]*?(|;[sx0b]*?(?:declare|open)[sx0b]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sx0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942350", + "name": "Detects MySQL UDF injection and other data/structure manipulation attempts", + "pattern": "(?i)create[sx0b]+function[sx0b].+[sx0b]returns|;[sx0b]*?(?:alter|(?:(?:cre|trunc|upd)at|re(?:nam|plac))e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sx0b]*?[([]?[0-9A-Z_a-z]{2,}", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + 
"OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942360", + "name": "Detects concatenated basic SQL injection and SQLLFI attempts", + "pattern": "(?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sx0b]+(?:char|group_concat|load_file)b[sx0b]*(?|end[sx0b]*?);)|[sx0b(]load_file[sx0b]*?(|[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942500", + "name": "MySQL in-line comment detected", + "pattern": "(?i)/*[sx0b]*?[!+](?:[sx0b()-0-9=A-Z_a-z]+)?*/", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942540", + "name": "SQL Authentication bypass (split query)", + "pattern": "^(?:[^']*'|[^", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "paranoia-level/1", + "capec/1000/152/248/66" + ] + }, + { + "id": "942560", + "name": "MySQL Scientific Notation payload detected", + "pattern": "(?i)1.e(?:[(),]|.[$0-9A-Z_a-z])", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942550", + "name": "JSON-Based SQL Injection", + "pattern": "(?i)[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + 
"paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942120", + "name": "SQL Injection Attack: SQL Operator Detected", + "pattern": "(?i)[!=]=|&&||||->|>[=>]|<(?:[<=]|>(?:[sx0b]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942130", + "name": "SQL Injection Attack: SQL Boolean-based attack detected", + "pattern": "(?i)[sx0b", + "targets": [ + "body", + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942131", + "name": "SQL Injection Attack: SQL Boolean-based attack detected", + "pattern": "(?i)[sx0b", + "targets": [ + "body", + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942150", + "name": "SQL Injection Attack: SQL function name detected", + "pattern": 
"(?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942180", + "name": "Detects basic SQL authentication bypass attempts 1/3", + "pattern": "(?i)(?:/*)+[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942200", + "name": "Detects MySQL comment-/space-obfuscated injections and backtick termination", + "pattern": "(?i),.*?(?:[)0-9a-f](?:$|[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942210", + "name": "Detects chained SQL injection attempts 1/2", + "pattern": 
"(?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sx0b(]+[0-9A-Z_a-z]+[sx0b)]*?[!+=]+[sx0b0-9]*?[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942260", + "name": "Detects basic SQL authentication bypass attempts 2/3", + "pattern": "(?i)[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942300", + "name": "Detects MySQL comments, conditions and ch(a)r injections", + "pattern": "(?i))[sx0b]*?when[sx0b]*?[0-9]+[sx0b]*?then|[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942310", + "name": "Detects chained SQL injection attempts 2/2", + "pattern": "(?i)(?:([sx0b]*?select[sx0b]*?[0-9A-Z_a-z]+|coalesce|order[sx0b]+by[sx0b]+if[0-9A-Z_a-z]*?)[sx0b]*?(|*/from|+[sx0b]*?[0-9]+[sx0b]*?+[sx0b]*?@|[0-9A-Z_a-z][", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942330", + "name": "Detects classic SQL injection probings 1/3", + "pattern": "(?i)[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + 
"capec/1000/152/248/66" + ] + }, + { + "id": "942340", + "name": "Detects basic SQL authentication bypass attempts 3/3", + "pattern": "(?i)in[sx0b]*?(+[sx0b]*?select|(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)[sx0b]+|(?:|||&&)[sx0b]*?)[sx0b+0-9A-Z_a-z]+(?:regexp[sx0b]*?(|sounds[sx0b]+like[sx0b]*?[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942361", + "name": "Detects basic SQL injection based on keyword alter or union", + "pattern": "(?i:^[Wd]+s*?(?:alter|union)b)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942362", + "name": "Detects concatenated basic SQL injection and SQLLFI attempts", + "pattern": "(?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sx0b]+(?:char|group_concat|load_file)[sx0b]?(?|end[sx0b]*?);|[sx0b(]load_file[sx0b]*?(|[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942370", + "name": "Detects classic SQL injection probings 2/3", + "pattern": "(?i)[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942380", + "name": "SQL Injection Attack", + "pattern": 
"(?i)b(?:havingb(?:[sx0b]+(?:[0-9]{1,10}|'[^=]{1,10}')[sx0b]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942390", + "name": "SQL Injection Attack", + "pattern": "(?i)b(?:orb(?:[sx0b]?(?:[0-9]{1,10}|[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942400", + "name": "SQL Injection Attack", + "pattern": "(?i)bandb(?:[sx0b]+(?:[0-9]{1,10}[sx0b]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942410", + "name": "SQL Injection Attack", + "pattern": "(?i)b(?:a(?:(?:b|co)s|vg)|bin|c(?:(?:as|o(?:nver|un))t|h(?:ar(?:set)?|r))|d(?:a(?:te|y)|e(?:fault|grees))|elt|f(?:ield|loor|ormat)|(?:hou|quarte|yea)r|i[fns]|l(?:ast|e(?:ft|ngth)|n|ikelihood|o(?:cal|g|wer))|m(?:ax|in(?:ute)?|o(?:d|nth))|now|p(?:assword|i|o(?:sition|wer))|r(?:awtonhex(?:toraw)?|e(?:p(?:eat|lace)|verse)|ight|ound)|s(?:econd|ign|leep|pace|tddev|um)|t(?:an|ime|o_(?:n?char|(?:day|second)s))|u(?:nlikely|(?:pp|s)er)|v(?:alues|ersion)|week)[^0-9A-Z_a-z]*?(", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942470", + "name": "SQL Injection Attack", + 
"pattern": "(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942480", + "name": "SQL Injection Attack", + "pattern": "(?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942430", + "name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)", + "pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){12})", + "targets": [ + 
"body", + "query" + ], + "action": "block", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942440", + "name": "SQL Comment Sequence Detected", + "pattern": "/*!?|*/|[';]--|--(?:[sx0b]|[^-]*?-)|[^&-]#.*?[sx0b]|;?x00", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942450", + "name": "SQL Bin or Hex Encoding Identified", + "pattern": "(?i:b0x[a-fd]{3,}|x'[a-fd]{3,}'|b'[0-1]{10,}')", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942510", + "name": "SQLi bypass attempt by ticks or backticks detected", + "pattern": "(?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942520", + "name": "Detects basic SQL authentication bypass attempts 4.0/4", + "pattern": "(?i)[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942521", + "name": "Detects basic SQL authentication bypass attempts 4.1/4", + "pattern": 
"(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942522", + "name": "Detects basic SQL authentication bypass attempts 4.1/4", + "pattern": "^.*?x5c['", + "targets": [ + "body", + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942101", + "name": "SQL Injection Attack Detected via libinjection", + "pattern": "@detectSQLi", + "targets": [ + "uri" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942152", + "name": "SQL Injection Attack: SQL function name detected", + "pattern": 
"(?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|eil(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|rc32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|insert_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compile
option_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942321", + "name": "Detects MySQL and PostgreSQL stored procedure/function injections", + "pattern": "(?i)create[sx0b]+(?:function|procedure)[sx0b]*?[0-9A-Z_a-z]+[sx0b]*?([sx0b]*?)[sx0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sx0b]*?[0-9A-Z_a-z]+|iv[sx0b]*?([+-]*[sx0b.0-9]+,[+-]*[sx0b.0-9]+))|exec[sx0b]*?([sx0b]*?@|(?:lo_(?:impor|ge)t|procedure[sx0b]+analyse)[sx0b]*?(|;[sx0b]*?(?:declare|open)[sx0b]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sx0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942251", + "name": "Detects HAVING injections", + "pattern": "(?i)W+d*?s*?bhavingbs*?[^s-]", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942490", + "name": "Detects classic SQL injection probings 3/3", + 
"pattern": "[", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942420", + "name": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)", + "pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){8})", + "targets": [ + "headers" + ], + "action": "block", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942431", + "name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)", + "pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){6})", + "targets": [ + "body", + "query" + ], + "action": "block", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942460", + "name": "Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters", + "pattern": "W{4}", + "targets": [ + "query" + ], + "action": "block", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942511", + "name": "SQLi bypass attempt by ticks detected", + "pattern": "(?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + 
"OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942530", + "name": "SQLi query termination detected", + "pattern": "';", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942421", + "name": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)", + "pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){3})", + "targets": [ + "headers" + ], + "action": "block", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + }, + { + "id": "942432", + "name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)", + "pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){2})", + "targets": [ + "body", + "query" + ], + "action": "block", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ] + } + ] + }, + { + "id": "crs-session-fixation", + "name": "CRS Session Fixation", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS Session Fixation (3 rules)", + "author": "OWASP CRS Project", + "priority": 10, + "enabled": true, + "rules": [ + { + "id": "943100", + "name": "Possible Session Fixation Attack: Setting Cookie Values in HTML", + "pattern": "(?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "session_fixation", + "enabled": true, + 
"tags": [ + "attack-fixation", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SESSION-FIXATION", + "capec/1000/225/21/593/61" + ] + }, + { + "id": "943110", + "name": "Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer", + "pattern": "^(?:j(?:se(?:ssionid|rvsession)|wsession)|(?:asp(?:.net_)?session|zend_session_)id|p(?:hpsessi(?:on|d)|lay_session)|(?:(?:w(?:eblogic|l)|rack.|laravel_)sessio|(?:next-auth.session-|meteor_login_)toke)n|s(?:(?:ession[-_]?|ails.s)id|hiny-token)|_(?:session_id|(?:(?:flask|rails)_sessio|_(?:secure|host)-next-auth.session-toke)n)|c(?:f(?:s?id|token)|onnect.sid|akephp|i_session)|koa[.:]sess)$", + "targets": [ + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "session_fixation", + "enabled": true, + "tags": [ + "attack-fixation", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SESSION-FIXATION", + "capec/1000/225/21/593/61" + ] + }, + { + "id": "943120", + "name": "Possible Session Fixation Attack: SessionID Parameter Name with No Referer", + "pattern": "^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|sessionid|cfid|cftoken|cfsid|jservsession|jwsession|_flask_session|_session_id|connect.sid|laravel_session)$", + "targets": [ + "query" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "session_fixation", + "enabled": true, + "tags": [ + "attack-fixation", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SESSION-FIXATION", + "capec/1000/225/21/593/61" + ] + } + ] + }, + { + "id": "crs-java-attack", + "name": "CRS Java / Deserialization Attack", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS Java / Deserialization Attack (13 rules)", + "author": "OWASP CRS Project", + "priority": 3, + "enabled": true, + "rules": [ + { + "id": "944100", + "name": "Remote Command Execution: Suspicious Java class detected", + "pattern": 
"java.lang.(?:runtime|processbuilder)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/137/6" + ] + }, + { + "id": "944110", + "name": "Remote Command Execution: Java process spawn (CVE-2017-9805)", + "pattern": "(?:runtime|processbuilder)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ] + }, + { + "id": "944120", + "name": "Remote Command Execution: Java serialization (CVE-2015-4852)", + "pattern": "(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ] + }, + { + "id": "944140", + "name": "Java Injection Attack: Java Script File Upload Found", + "pattern": ".*.(?:jsp|jspx).*$", + "targets": [ + "headers" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-injection-java", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/242" + ] + }, + { + "id": "944150", + "name": "Potential Remote Command Execution: Log4j / Log4shell", + "pattern": "(?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": 
"deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/137/6" + ] + }, + { + "id": "944151", + "name": "Potential Remote Command Execution: Log4j / Log4shell", + "pattern": "(?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/137/6" + ] + }, + { + "id": "944200", + "name": "Magic bytes Detected, probable java serialization in use", + "pattern": "xacxedx00x05", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ] + }, + { + "id": "944210", + "name": "Magic bytes Detected Base64 Encoded, probable java serialization in use", + "pattern": "(?:rO0ABQ|KztAAU|Cs7QAF)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ] + }, + { + "id": "944240", + "name": "Remote Command Execution: Java serialization (CVE-2015-4852)", + "pattern": "(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ] + }, + { + 
"id": "944250", + "name": "Remote Command Execution: Suspicious Java method detected", + "pattern": "javab.+(?:runtime|processbuilder)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ] + }, + { + "id": "944260", + "name": "Remote Command Execution: Malicious class-loading payload", + "pattern": "(?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ] + }, + { + "id": "944300", + "name": "Base64 encoded string matched suspicious keyword", + "pattern": "(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ] + }, + { + 
"id": "944152", + "name": "Potential Remote Command Execution: Log4j / Log4shell", + "pattern": "(?i)(?:$|$?)(?:{|&l(?:brace|cub);?)", + "targets": [ + "all" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/137/6" + ] + } + ] + }, + { + "id": "crs-data-leakage", + "name": "CRS Data Leakage Detection", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS Data Leakage Detection (3 rules)", + "author": "OWASP CRS Project", + "priority": 15, + "enabled": true, + "rules": [ + { + "id": "950130", + "name": "Directory Listing", + "pattern": "(?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
)", + "targets": [ + "body" + ], + "action": "block", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES", + "capec/1000/118/116/54/127" + ] + }, + { + "id": "950140", + "name": "CGI source code leakage", + "pattern": "^#!s?/", + "targets": [ + "body" + ], + "action": "block", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES", + "capec/1000/118/116" + ] + }, + { + "id": "950100", + "name": "The Application Returned a 500-Level Status Code", + "pattern": "^5d{2}$", + "targets": [ + "body" + ], + "action": "block", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES", + "capec/1000/152" + ] + } + ] + }, + { + "id": "crs-data-leakage-sql", + "name": "CRS SQL Data Leakage", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS SQL Data Leakage (16 rules)", + "author": "OWASP CRS Project", + "priority": 15, + "enabled": true, + "rules": [ + { + "id": "951110", + "name": "Microsoft Access SQL Information Leakage", + "pattern": "(?i)(?:JET|Access) Database Engine|[Microsoft][ODBC Microsoft Access Driver]", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951120", + "name": "Oracle SQL Information Leakage", + "pattern": "(?i)bORA-[0-9][0-9][0-9][0-9][0-9]:|java.sql.SQLException|Oracle(?: erro|[^()]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})", + "targets": [ + "body" + ], + "action": "block", + 
"score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951130", + "name": "DB2 SQL Information Leakage", + "pattern": "(?i)DB2 SQL error|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|db2_[0-9A-Z_a-z]+()", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951140", + "name": "EMC SQL Information Leakage", + "pattern": "(?i)[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951150", + "name": "firebird SQL Information Leakage", + "pattern": "(?i)Dynamic SQL Error", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951160", + "name": "Frontbase SQL Information Leakage", + "pattern": "(?i)Exception (?:condition )?d+. 
Transaction rollback.", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951170", + "name": "hsqldb SQL Information Leakage", + "pattern": "(?i)org.hsqldb.jdbc", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951180", + "name": "informix SQL Information Leakage", + "pattern": "(?i)An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951190", + "name": "ingres SQL Information Leakage", + "pattern": "(?i)Warning.*ingres_|Ingres(?: SQLSTATE|[^0-9A-Z_a-z].*Driver)", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951200", + "name": "interbase SQL Information Leakage", + "pattern": "(?i)Warning: ibase_|Unexpected end of command in statement", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + 
"id": "951210", + "name": "maxDB SQL Information Leakage", + "pattern": "(?i)Warning.{1,10}maxdb[():_a-z]{1,26}:", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951220", + "name": "mssql SQL Information Leakage", + "pattern": "(?i)S(?:y(?:stem.Data.(?:OleDb.OleDb|SqlClient.Sql)Except|ntax error (?:in string|.*) in query express)ion|intaxis incorrecta cerca de)|[(?:SqlException|M(?:icrosoft][ODBC SQL Server|acromedia][SQLServer JDBC) Driver])|(?:Exception.*[^0-9A-Z_a-z]System.Data.SqlClie|Conversion failed when converting the varchar value .*? to data type i)nt.|D(?:river.*SQL[ -_]*Server|ata type mismatch in criteria expression.)|Microsoft OLE DB Provider for (?:ODBC Drivers|SQL Server)|(?:(?:OLE DB.*SQL Serv|Procedure or function '.{1,128}' expects paramet)e|Incorrect syntax nea)r|Unclosed quotation mark (?:after|before) the character string|'80040e14'|(?:ADODB.Field (0x800A0BCD|mssql_query())|the used select statements have different number of columns|Warning.*mssql_.*", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951230", + "name": "mysql SQL Information Leakage", + "pattern": "(?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[()_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH 
syntax error):", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951240", + "name": "postgres SQL Information Leakage", + "pattern": "(?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)() [|org.postgresql.util.PSQLException):|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951250", + "name": "sqlite SQL Information Leakage", + "pattern": "(?i)Warning.*(?:sqlite_|SQLite3::)|S(?:QLite(?:/JDBCDriver|.Exception)|ystem.Data.SQLite.SQLiteException)", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + }, + { + "id": "951260", + "name": "Sybase SQL Information Leakage", + "pattern": "(?i)Sybase(?: message:|.*Server message)|Warning.{2,20}sybase", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-SQL", + "capec/1000/118/116/54" + ] + } + ] + }, + { + "id": "crs-data-leakage-java", + "name": "CRS Java Data Leakage", + "version": "4.24.0", + "source": "owasp-crs", + 
"description": "OWASP CRS v4.24.0 — CRS Java Data Leakage (1 rules)", + "author": "OWASP CRS Project", + "priority": 15, + "enabled": true, + "rules": [ + { + "id": "952110", + "name": "Java Errors", + "pattern": "(?i)b(?:java[.a-z]+E(?:xception|rror)|(?:org|com).[.a-z]+Exception|Exception in thread ", + "targets": [ + "body" + ], + "action": "block", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-JAVA", + "capec/1000/118/116" + ] + } + ] + }, + { + "id": "crs-data-leakage-php", + "name": "CRS PHP Data Leakage", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS PHP Data Leakage (3 rules)", + "author": "OWASP CRS Project", + "priority": 15, + "enabled": true, + "rules": [ + { + "id": "953110", + "name": "PHP source code leakage", + "pattern": "(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b", + "targets": [ + "body" + ], + "action": "block", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-PHP", + "capec/1000/118/116" + ] + }, + { + "id": "953120", + "name": "PHP source code leakage", + "pattern": "(?i).{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error.

|cannot connect to the server: timed out)", + "targets": [ + "body" + ], + "action": "block", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-IIS", + "capec/1000/118/116" + ] + }, + { + "id": "954130", + "name": "IIS Information Leakage", + "pattern": "^404$", + "targets": [ + "body" + ], + "action": "block", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-IIS", + "capec/1000/118/116" + ] + }, + { + "id": "954101", + "name": "Disclosure of IIS install location", + "pattern": "(?i)[x5c/]inetpubb", + "targets": [ + "body" + ], + "action": "block", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-IIS", + "capec/1000/118/116" + ] + } + ] + }, + { + "id": "crs-web-shells", + "name": "CRS Web Shell Detection", + "version": "4.24.0", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.0 — CRS Web Shell Detection (23 rules)", + "author": "OWASP CRS Project", + "priority": 3, + "enabled": true, + "rules": [ + { + "id": "955110", + "name": "r57 web shell", + "pattern": "r57 Shell Version [0-9.]+|r57 shell", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955120", + "name": "WSO web shell", + "pattern": "^.*?(?: -)? 
W[Ss][Oo] [0-9.]+", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955130", + "name": "b4tm4n web shell", + "pattern": "B4TM4N SH3LL[^<]*", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955140", + "name": "Mini Shell web shell", + "pattern": "Mini Shell[^D]*Developed By LameHacker", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955150", + "name": "Ashiyane web shell", + "pattern": ".:: [^~]*~ Ashiyane V [0-9.]+ ::.", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955160", + "name": "Symlink_Sa web shell", + "pattern": "Symlink_Sa [0-9.]+", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955170", + "name": "CasuS web shell", + "pattern": "CasuS [0-9.]+ by MafiABoY", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + 
"OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955180", + "name": "GRP WebShell", + "pattern": "^rnrnGRP WebShell [0-9.]+ ", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955190", + "name": "NGHshell web shell", + "pattern": "<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955200", + "name": "SimAttacker web shell", + "pattern": "<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - ", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955210", + "name": "Unknown web shell", + "pattern": "^<!DOCTYPE html>n<html>n<!-- By Artyum [^<]*<title>Web Shell", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955220", + "name": "lama", + "pattern": "lama's'hell v. 
[0-9.]+", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955230", + "name": "lostDC web shell", + "pattern": "^ *n[ ]+n[ ]+lostDC - ", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955240", + "name": "Unknown web shell", + "pattern": "^<title>PHP Web Shellrnrnrn ", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955250", + "name": "Unknown web shell", + "pattern": "^nn
nnRu24PostWebShell ", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955270", + "name": "s72 Shell web shell", + "pattern": "<title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955280", + "name": "PhpSpy web shell", + "pattern": "^rnrnnnnng00nshell v[0-9.]+ ", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955310", + "name": "azrail web shell", + "pattern": "^<html>n <head>n <title>azrail [0-9.]+ by C-W-M", + "targets": [ + "body" + ], + "action": "block", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/1", + "OWASP_CRS", + "OWASP_CRS/WEB-SHELLS", + "capec/1000/225/122/17/650" + ] + }, + { + "id": "955320", + "name": "SmEvK_PaThAn Shell web shell", + "pattern": ">SmEvK_PaThAn Shell v[0-9]+ coded by n[^~]*~ Shell Inn