diff --git a/rulesets.json b/rulesets.json index 3c3234b..b9aecda 100644 --- a/rulesets.json +++ b/rulesets.json @@ -108,7 +108,7 @@ "name": "CRS Protocol Enforcement", "version": "4.24.0", "source": "owasp-crs", - "description": "OWASP CRS v4.24.0 — CRS Protocol Enforcement (30 rules)", + "description": "OWASP CRS v4.24.0 — CRS Protocol Enforcement (17 rules)", "author": "OWASP CRS Project", "priority": 15, "enabled": true, @@ -174,66 +174,6 @@ ] }, { - "id": "920170", - "name": "GET or HEAD Request with Body Content", - "pattern": "^(?:GET|HEAD)$", - "targets": [ - "all" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/210/272" - ] - }, - { - "id": "920171", - "name": "GET or HEAD Request with Transfer-Encoding", - "pattern": "^(?:GET|HEAD)$", - "targets": [ - "all" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/210/272" - ] - }, - { - "id": "920190", - "name": "Range: Invalid Last Byte Value", - "pattern": "(\\d+)-(\\d+)", - "targets": [ - "headers" - ], - "action": "block", - "score": 5, - "severity": "medium", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/210/272" - ] - }, - { "id": "920210", "name": "Multiple/Conflicting Connection Header Data Found", "pattern": "\\b(?:keep-alive|close),\\s?(?:keep-alive|close)\\b", @@ -295,46 +235,6 @@ ] }, { - "id": "920310", - "name": "Request Has an Empty Accept Header", - "pattern": "^$", - "targets": [ - "headers" - ], - "action": "block", - "score": 3, - "severity": "low", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/210/272" - ] - }, - { - "id": "920311", - "name": "Request Has an Empty Accept Header", - "pattern": "^$", - "targets": [ - "headers" - ], - "action": "block", - "score": 3, - "severity": "low", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/210/272" - ] - }, - { "id": "920330", "name": "Empty User Agent Header", "pattern": "^$", @@ -355,26 +255,6 @@ ] }, { - "id": "920340", - "name": "Content-Type header missing from request with non-zero Content-Length", - "pattern": "^0$", - "targets": [ - "headers" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/210/272" - ] - }, - { "id": "920350", "name": "Host header is a numeric IP address", "pattern": "(?:^([\\d.]+|\\[[\\da-f:]+\\]|[\\da-f:]+)(:[\\d]+)?$)", @@ -415,46 +295,6 @@ ] }, { - "id": "920420", - "name": "Request content type is not allowed by policy", - "pattern": "^[^;\\s]+", - "targets": [ - "headers" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/255/153" - ] - }, - { - "id": "920480", - "name": "Request content type charset is not allowed by policy", - "pattern": "charset\\s*=\\s*[\"']?([^;\"'\\s]+)", - "targets": [ - "headers" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/255/153" - ] - }, - { "id": "920530", "name": "Multiple charsets detected in content type header", "pattern": "charset.*?charset", @@ -475,26 +315,6 @@ ] }, { - "id": "920440", - "name": "URL file extension is restricted by policy", - "pattern": "\\.([^.]+)$", - "targets": [ - "uri" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/210/272" - ] - }, - { "id": "920500", "name": "Attempt to access a backup or working file", "pattern": "\\.[^.~]+~(?:/.*|)$", @@ -515,26 +335,6 @@ ] }, { - "id": "920450", - "name": "HTTP header is restricted by policy (%{MATCHED_VAR})", - "pattern": "^.*$", - "targets": [ - "headers" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/210/272" - ] - }, - { "id": "920600", "name": "Illegal Accept header: charset parameter", "pattern": "^(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*(?:[\\s\\x0b]*,[\\s\\x0b]*(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*)*$", @@ -554,26 +354,6 @@ ] }, { - "id": "920200", - "name": "Range: Too many fields (6 or more)", - "pattern": "^bytes=(?:(?:\\d+)?-(?:\\d+)?\\s*,?\\s*){6}", - "targets": [ - "headers" - ], - "action": "block", - "score": 5, - "severity": "medium", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/210/272" - ] - }, - { "id": "920230", "name": "Multiple URL Encoding Detected", "pattern": "%[0-9a-fA-F]{2}", @@ -614,46 +394,6 @@ ] }, { - "id": "920451", - "name": "HTTP header is restricted by policy (%{MATCHED_VAR})", - "pattern": "^.*$", - "targets": [ - "headers" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/210/272" - ] - }, - { - "id": "920240", - "name": "URL Encoding Abuse Attack Attempt", - "pattern": "^(?i)application/x-www-form-urlencoded", - "targets": [ - "headers" - ], - "action": "block", - "score": 5, - "severity": "medium", - "category": "protocol", - "enabled": true, - "tags": [ - "attack-protocol", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/PROTOCOL-ENFORCEMENT", - "capec/1000/255/153/267/72" - ] - }, - { "id": "920521", "name": "Illegal Accept-Encoding header", "pattern": "br|compress|deflate|(?:pack200-)?gzip|identity|\\*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)", @@ -1138,7 +878,7 @@ "name": "CRS Remote File Inclusion (RFI)", "version": "4.24.0", "source": "owasp-crs", - "description": "OWASP CRS v4.24.0 — CRS Remote File Inclusion (RFI) (5 rules)", + "description": "OWASP CRS v4.24.0 — CRS Remote File Inclusion (RFI) (4 rules)", "author": "OWASP CRS Project", "priority": 5, "enabled": true, @@ -1206,26 +946,6 @@ ] }, { - "id": "931130", - "name": "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link", - "pattern": "(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://?(?:[^@]+@)?([^/]*)", - "targets": [ - "query" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "rfi", - "enabled": true, - "tags": [ - "attack-rfi", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/ATTACK-RFI", - "capec/1000/152/175/253" - ] - }, - { "id": "931131", "name": "Possible Remote File Inclusion (RFI) Attack", "pattern": "(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)", @@ -1252,7 +972,7 @@ "name": "CRS Remote Code Execution (RCE)", "version": "4.24.0", "source": "owasp-crs", - "description": "OWASP CRS v4.24.0 — CRS Remote Code Execution (RCE) (42 rules)", + "description": "OWASP CRS v4.24.0 — CRS Remote Code Execution (RCE) (37 rules)", "author": "OWASP CRS Project", "priority": 3, "enabled": true, @@ -1639,86 +1359,6 @@ ] }, { - "id": "932200", - "name": "RCE Bypass Technique", - "pattern": "['\\*\\?\\x5c`][^\\n/]+/|/[^/]+?['\\*\\?\\x5c`]|\\$[!#\\$\\(\\*\\-0-9\\?-\\[_a-\\{]", - "targets": [ - "all" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "rce", - "enabled": true, - "tags": [ - "attack-rce", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/ATTACK-RCE", - "capec/1000/152/248/88" - ] - }, - { - "id": "932205", - "name": "RCE Bypass Technique", - "pattern": "^[^#]+", - "targets": [ - "headers" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "rce", - "enabled": true, - "tags": [ - "attack-rce", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/ATTACK-RCE", - "capec/1000/152/248/88" - ] - }, - { - "id": "932206", - "name": "RCE Bypass Technique", - "pattern": "^[^\\.]*?(?:['\\*\\?\\x5c`][^\\n/]+/|/[^/]+?['\\*\\?\\x5c`]|\\$[!#\\$\\(\\*\\-0-9\\?-\\[_a-\\{])", - "targets": [ - "headers" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "rce", - "enabled": true, - "tags": [ - "attack-rce", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/ATTACK-RCE", - "capec/1000/152/248/88" - ] - }, - { - "id": "932207", - "name": "RCE Bypass Technique", - "pattern": "#.*", - "targets": [ - "headers" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "rce", - "enabled": true, - "tags": [ - "attack-rce", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/ATTACK-RCE", - "capec/1000/152/248/88" - ] - }, - { "id": "932220", "name": "Remote Command Execution: Unix Command Injection with pipe", "pattern": "(?i).\\|(?:[\\s\\x0b]*|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:7[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[arx][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|(?:G[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?E[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?T|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z|c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[89][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?9|[au][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|c|(?:m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?p|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[dfu]|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[gr])|f[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[cgi]|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p)|h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p)|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[dp]|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b)|j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s|q)|k[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r|v)|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[cl]|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|(?:p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?m)|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[cr]|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[ex]|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p)|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:3[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|c)|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|z)|y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m)|z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h))[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:[bdx]|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|q[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)|l[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|(?:[nps]|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:4[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[dv]|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[dt]|[ghu]|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?))[\\s\\x0b&\\),<>\\|].*|a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?-[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|(?:(?:b|(?:p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?t|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[ks])[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[jp][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)[\\s\\x0b&\\),<>\\|].*)|g[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|[hr][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|o|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?g)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*)|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:(?:[at][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|f|(?:k[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?g|h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)[\\s\\x0b&\\),<>\\|].*|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10}))))", @@ -1739,26 +1379,6 @@ ] }, { - "id": "932240", - "name": "Remote Command Execution: Unix Command Injection evasion attempt detected", - "pattern": "(?i)[\\-0-9_a-z]+(?:[\\s\\x0b]*[\"'][^\\s\\x0b\"',:]+[\"']|(?:[\"'][\"']+|[\\[-\\]]+|\\$+[!#\\*\\-0-9\\?@\\x5c_a-\\{]+|``|[\\$<>]\\(\\))[\\s\\x0b]*)[\\-0-9_a-z]+", - "targets": [ - "all" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "rce", - "enabled": true, - "tags": [ - "attack-rce", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/ATTACK-RCE", - "capec/1000/152/248/88" - ] - }, - { "id": "932281", "name": "Remote Command Execution: Brace Expansion Found", "pattern": "\\{[^\\s\\x0b,:\\}]*,[^\\s\\x0b]*\\}", @@ -2676,7 +2296,7 @@ "name": "CRS Cross-Site Scripting (XSS)", "version": "4.24.0", "source": "owasp-crs", - "description": "OWASP CRS v4.24.0 — CRS Cross-Site Scripting (XSS) (31 rules)", + "description": "OWASP CRS v4.24.0 — CRS Cross-Site Scripting (XSS) (30 rules)", "author": "OWASP CRS Project", "priority": 5, "enabled": true, @@ -3062,26 +2682,6 @@ ] }, { - "id": "941310", - "name": "US-ASCII Malformed Encoding XSS Filter - Attack Detected", - "pattern": "\\xbc[^\\xbe>]*[\\xbe>]|<[^\\xbe]*\\xbe", - "targets": [ - "all" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "xss", - "enabled": true, - "tags": [ - "attack-xss", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/ATTACK-XSS", - "capec/1000/152/242" - ] - }, - { "id": "941350", "name": "UTF-7 Encoding IE XSS - Attack Detected", "pattern": "\\+ADw-.*(?:\\+AD4-|>)|<.*\\+AD4-", @@ -3309,7 +2909,7 @@ "name": "CRS SQL Injection (SQLi)", "version": "4.24.0", "source": "owasp-crs", - "description": "OWASP CRS v4.24.0 — CRS SQL Injection (SQLi) (60 rules)", + "description": "OWASP CRS v4.24.0 — CRS SQL Injection (SQLi) (56 rules)", "author": "OWASP CRS Project", "priority": 3, "enabled": true, @@ -3735,48 +3335,6 @@ ] }, { - "id": "942130", - "name": "SQL Injection Attack: SQL Boolean-based attack detected", - "pattern": "(?i)[\\s\\x0b\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b[\\s\\x0b\"'-\\)`]*?(?:=|<=>|(?:sounds[\\s\\x0b]+)?like|glob|r(?:like|egexp))[\\s\\x0b\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b", - "targets": [ - "body", - "query" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "sqli", - "enabled": true, - "tags": [ - "attack-sqli", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/ATTACK-SQLI", - "capec/1000/152/248/66" - ] - }, - { - "id": "942131", - "name": "SQL Injection Attack: SQL Boolean-based attack detected", - "pattern": "(?i)[\\s\\x0b\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b[\\s\\x0b\"'-\\)`]*?(?:![<->]|<[=>]?|>=?|\\^|is[\\s\\x0b]+not|not[\\s\\x0b]+(?:like|r(?:like|egexp)))[\\s\\x0b\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b", - "targets": [ - "body", - "query" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "sqli", - "enabled": true, - "tags": [ - "attack-sqli", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/ATTACK-SQLI", - "capec/1000/152/248/66" - ] - }, - { "id": "942150", "name": "SQL Injection Attack: SQL function name detected", "pattern": "(?i)\\b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*\\(", @@ -4158,26 +3716,6 @@ ] }, { - "id": "942440", - "name": "SQL Comment Sequence Detected", - "pattern": "/\\*!?|\\*/|[';]--|--(?:[\\s\\x0b]|[^\\-]*?-)|[^&\\-]#.*?[\\s\\x0b]|;?\\x00", - "targets": [ - "all" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "sqli", - "enabled": true, - "tags": [ - "attack-sqli", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/ATTACK-SQLI", - "capec/1000/152/248/66" - ] - }, - { "id": "942450", "name": "SQL Bin or Hex Encoding Identified", "pattern": "(?i:\\b0x[a-f\\d]{3,}|x\\'[a-f\\d]{3,}\\'|b\\'[0-1]{10,}\\')", @@ -4238,26 +3776,6 @@ ] }, { - "id": "942521", - "name": "Detects basic SQL authentication bypass attempts 4.1/4", - "pattern": "(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[\\s\\x0b]*([0-9A-Z_a-z]+)\\b", - "targets": [ - "all" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "sqli", - "enabled": true, - "tags": [ - "attack-sqli", - "paranoia-level/2", - "OWASP_CRS", - "OWASP_CRS/ATTACK-SQLI", - "capec/1000/152/248/66" - ] - }, - { "id": "942522", "name": "Detects basic SQL authentication bypass attempts 4.1/4", "pattern": "^.*?\\x5c['\"`](?:.*?['\"`])?\\s*(?:and|or)\\b", @@ -4527,7 +4045,7 @@ "name": "CRS Session Fixation", "version": "4.24.0", "source": "owasp-crs", - "description": "OWASP CRS v4.24.0 — CRS Session Fixation (3 rules)", + "description": "OWASP CRS v4.24.0 — CRS Session Fixation (1 rules)", "author": "OWASP CRS Project", "priority": 10, "enabled": true, @@ -4551,46 +4069,6 @@ "OWASP_CRS/ATTACK-SESSION-FIXATION", "capec/1000/225/21/593/61" ] - }, - { - "id": "943110", - "name": "Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer", - "pattern": "^(?:j(?:se(?:ssionid|rvsession)|wsession)|(?:asp(?:\\.net_)?session|zend_session_)id|p(?:hpsessi(?:on|d)|lay_session)|(?:(?:w(?:eblogic|l)|rack\\.|laravel_)sessio|(?:next-auth\\.session-|meteor_login_)toke)n|s(?:(?:ession[\\-_]?|ails\\.s)id|hiny-token)|_(?:session_id|(?:(?:flask|rails)_sessio|_(?:secure|host)-next-auth\\.session-toke)n)|c(?:f(?:s?id|token)|onnect\\.sid|akephp|i_session)|koa[\\.:]sess)$", - "targets": [ - "query" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "session_fixation", - "enabled": true, - "tags": [ - "attack-fixation", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/ATTACK-SESSION-FIXATION", - "capec/1000/225/21/593/61" - ] - }, - { - "id": "943120", - "name": "Possible Session Fixation Attack: SessionID Parameter Name with No Referer", - "pattern": "^(?:jsessionid|aspsessionid|asp\\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|sessionid|cfid|cftoken|cfsid|jservsession|jwsession|_flask_session|_session_id|connect\\.sid|laravel_session)$", - "targets": [ - "query" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "session_fixation", - "enabled": true, - "tags": [ - "attack-fixation", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/ATTACK-SESSION-FIXATION", - "capec/1000/225/21/593/61" - ] } ] }, @@ -4599,7 +4077,7 @@ "name": "CRS Java / Deserialization Attack", "version": "4.24.0", "source": "owasp-crs", - "description": "OWASP CRS v4.24.0 — CRS Java / Deserialization Attack (13 rules)", + "description": "OWASP CRS v4.24.0 — CRS Java / Deserialization Attack (11 rules)", "author": "OWASP CRS Project", "priority": 3, "enabled": true, @@ -4625,46 +4103,6 @@ ] }, { - "id": "944110", - "name": "Remote Command Execution: Java process spawn (CVE-2017-9805)", - "pattern": "(?:runtime|processbuilder)", - "targets": [ - "all" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "deserialization", - "enabled": true, - "tags": [ - "attack-rce", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/ATTACK-JAVA", - "capec/1000/152/248" - ] - }, - { - "id": "944120", - "name": "Remote Command Execution: Java serialization (CVE-2015-4852)", - "pattern": "(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)", - "targets": [ - "all" - ], - "action": "block", - "score": 10, - "severity": "critical", - "category": "deserialization", - "enabled": true, - "tags": [ - "attack-rce", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/ATTACK-JAVA", - "capec/1000/152/248" - ] - }, - { "id": "944140", "name": "Java Injection Attack: Java Script File Upload Found", "pattern": ".*\\.(?:jsp|jspx)\\.*$", @@ -5379,7 +4817,7 @@ "name": "CRS IIS Data Leakage", "version": "4.24.0", "source": "owasp-crs", - "description": "OWASP CRS v4.24.0 — CRS IIS Data Leakage (4 rules)", + "description": "OWASP CRS v4.24.0 — CRS IIS Data Leakage (3 rules)", "author": "OWASP CRS Project", "priority": 15, "enabled": true, @@ -5425,26 +4863,6 @@ ] }, { - "id": "954130", - "name": "IIS Information Leakage", - "pattern": "^404$", - "targets": [ - "body" - ], - "action": "block", - "score": 8, - "severity": "high", - "category": "data_leakage", - "enabled": true, - "tags": [ - "attack-disclosure", - "paranoia-level/1", - "OWASP_CRS", - "OWASP_CRS/DATA-LEAKAGES-IIS", - "capec/1000/118/116" - ] - }, - { "id": "954101", "name": "Disclosure of IIS install location", "pattern": "(?i)[\\x5c/]inetpub\\b",