Andre/edgeguard-owasp-feed
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d8d8e32cc5049fa05ddeb8d94a668b7a04900868
edgeguard-owasp-feed/rulesets.json
Andre Bolinhas d8d8e32cc5 rulesets.json
2026-03-06 16:44:24 +00:00

5975 lines
221 KiB
JSON
Raw Blame History

{
"owasp_top_10": {
"version": "2025",
"url": "https://owasp.org/Top10/2025/",
"items": [
{
"id": "A01",
"name": "Broken Access Control",
"categories": [
"lfi",
"rfi",
"open_redirect",
"ssrf"
],
"color": "red"
},
{
"id": "A02",
"name": "Security Misconfiguration",
"categories": [
"xxe",
"protocol",
"header_injection"
],
"color": "orange"
},
{
"id": "A03",
"name": "Software Supply Chain Failures",
"categories": [
"log4shell",
"rce",
"cve",
"deserialization"
],
"color": "red"
},
{
"id": "A04",
"name": "Cryptographic Failures",
"categories": [
"protocol"
],
"color": "orange"
},
{
"id": "A05",
"name": "Injection",
"categories": [
"sqli",
"xss",
"nosqli",
"ldapi",
"cmdi",
"ssti",
"log_injection"
],
"color": "red"
},
{
"id": "A06",
"name": "Insecure Design",
"categories": [
"ssti",
"prototype_pollution"
],
"color": "yellow"
},
{
"id": "A07",
"name": "Authentication Failures",
"categories": [
"session_fixation"
],
"color": "orange"
},
{
"id": "A08",
"name": "Software & Data Integrity Failures",
"categories": [
"deserialization"
],
"color": "orange"
},
{
"id": "A09",
"name": "Security Logging & Alerting Failures",
"categories": [
"log_injection",
"data_leakage"
],
"color": "yellow"
},
{
"id": "A10",
"name": "Mishandling of Exceptional Conditions",
"categories": [
"protocol",
"custom"
],
"color": "yellow"
}
]
},
"rulesets": [
{
"id": "crs-protocol-enforcement",
"name": "CRS Protocol Enforcement",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Protocol Enforcement (30 rules)",
"author": "OWASP CRS Project",
"priority": 15,
"enabled": true,
"rules": [
{
"id": "920100",
"name": "Invalid HTTP Request Line",
"pattern": "(?i)^(?:get /[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sx0b]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?)[sx0b]+[.-9A-Z_a-z]+)$",
"targets": [
"uri"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920120",
"name": "Attempted multipart/form-data bypass",
"pattern": "(?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920160",
"name": "Content-Length HTTP header is not numeric",
"pattern": "^d+$",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920170",
"name": "GET or HEAD Request with Body Content",
"pattern": "^(?:GET|HEAD)$",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920171",
"name": "GET or HEAD Request with Transfer-Encoding",
"pattern": "^(?:GET|HEAD)$",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920190",
"name": "Range: Invalid Last Byte Value",
"pattern": "(d+)-(d+)",
"targets": [
"headers"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920210",
"name": "Multiple/Conflicting Connection Header Data Found",
"pattern": "b(?:keep-alive|close),s?(?:keep-alive|close)b",
"targets": [
"headers"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920260",
"name": "Unicode Full/Half Width Abuse Attack Attempt",
"pattern": "(?i)%uff[0-9a-f]{2}",
"targets": [
"body",
"uri"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/255/153/267/72"
]
},
{
"id": "920290",
"name": "Empty Host Header",
"pattern": "^$",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920310",
"name": "Request Has an Empty Accept Header",
"pattern": "^$",
"targets": [
"headers"
],
"action": "block",
"score": 3,
"severity": "low",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920311",
"name": "Request Has an Empty Accept Header",
"pattern": "^$",
"targets": [
"headers"
],
"action": "block",
"score": 3,
"severity": "low",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920330",
"name": "Empty User Agent Header",
"pattern": "^$",
"targets": [
"headers"
],
"action": "block",
"score": 3,
"severity": "low",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920340",
"name": "Content-Type header missing from request with non-zero Content-Length",
"pattern": "^0$",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920350",
"name": "Host header is a numeric IP address",
"pattern": "(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)",
"targets": [
"headers"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920470",
"name": "Illegal Content-Type header",
"pattern": "^[w/.+*-]+(?:s?;s*(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/255/153"
]
},
{
"id": "920420",
"name": "Request content type is not allowed by policy",
"pattern": "^[^;s]+",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/255/153"
]
},
{
"id": "920480",
"name": "Request content type charset is not allowed by policy",
"pattern": "charsets*=s*[",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/255/153"
]
},
{
"id": "920530",
"name": "Multiple charsets detected in content type header",
"pattern": "charset.*?charset",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/255/153"
]
},
{
"id": "920440",
"name": "URL file extension is restricted by policy",
"pattern": ".([^.]+)$",
"targets": [
"uri"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920500",
"name": "Attempt to access a backup or working file",
"pattern": ".[^.~]+~(?:/.*|)$",
"targets": [
"uri"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920450",
"name": "HTTP header is restricted by policy (%{MATCHED_VAR})",
"pattern": "^.*$",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920600",
"name": "Illegal Accept header: charset parameter",
"pattern": "^(?:(?:*|[^!",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT"
]
},
{
"id": "920200",
"name": "Range: Too many fields (6 or more)",
"pattern": "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}",
"targets": [
"headers"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920230",
"name": "Multiple URL Encoding Detected",
"pattern": "%[0-9a-fA-F]{2}",
"targets": [
"query"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/255/153/267/120"
]
},
{
"id": "920121",
"name": "Attempted multipart/form-data bypass",
"pattern": "['",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920451",
"name": "HTTP header is restricted by policy (%{MATCHED_VAR})",
"pattern": "^.*$",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920240",
"name": "URL Encoding Abuse Attack Attempt",
"pattern": "^(?i)application/x-www-form-urlencoded",
"targets": [
"headers"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/255/153/267/72"
]
},
{
"id": "920521",
"name": "Illegal Accept-Encoding header",
"pattern": "br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/255/153"
]
},
{
"id": "920275",
"name": "Invalid character in request headers (outside of very strict set)",
"pattern": "^(?:?[01])?$",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/4",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/210/272"
]
},
{
"id": "920460",
"name": "Abnormal character escapes in request",
"pattern": "(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/4",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ENFORCEMENT",
"capec/1000/153/267"
]
}
]
},
{
"id": "crs-protocol-attack",
"name": "CRS Protocol Attack (HTTP Smuggling)",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Protocol Attack (HTTP Smuggling) (14 rules)",
"author": "OWASP CRS Project",
"priority": 5,
"enabled": true,
"rules": [
{
"id": "921110",
"name": "HTTP Request Smuggling Attack",
"pattern": "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d",
"targets": [
"body",
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/210/272/220/33"
]
},
{
"id": "921120",
"name": "HTTP Response Splitting Attack",
"pattern": "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/210/272/220/34"
]
},
{
"id": "921130",
"name": "HTTP Response Splitting Attack",
"pattern": "(?:bhttp/d|<(?:html|meta)b)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/210/272/220/34"
]
},
{
"id": "921140",
"name": "HTTP Header Injection Attack via headers",
"pattern": "[nr]",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/210/272/220/273"
]
},
{
"id": "921150",
"name": "HTTP Header Injection Attack via payload (CR/LF detected)",
"pattern": "[nr]",
"targets": [
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/210/272/220/33"
]
},
{
"id": "921160",
"name": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)",
"pattern": "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:",
"targets": [
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/210/272/220/33"
]
},
{
"id": "921190",
"name": "HTTP Splitting (CR/LF in request filename detected)",
"pattern": "[nr]",
"targets": [
"uri"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/210/272/220/34"
]
},
{
"id": "921200",
"name": "LDAP Injection Attack",
"pattern": "^[^!&():<>|~]*)[sx0b]*(?:((?:[^!&(),<->|~]+[<>~]?=|[sx0b]*[!&|][sx0b]*[()]?[sx0b]*)|)[sx0b]*([sx0b]*[!&|][sx0b]*|[!&|][sx0b]*([^!&(),<->|~]+[<>~]?=[^!&():<>|~]*)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/152/248/136"
]
},
{
"id": "921421",
"name": "Content-Type header: Dangerous content type outside the mime type declaration",
"pattern": "^[^sx0b,;]+[sx0b,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/255/153"
]
},
{
"id": "921240",
"name": "mod_proxy attack attempt detected",
"pattern": "unix:[^|]*|",
"targets": [
"uri"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/210/272/220/33"
]
},
{
"id": "921151",
"name": "HTTP Header Injection Attack via payload (CR/LF detected)",
"pattern": "[nr]",
"targets": [
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/210/272/220/33"
]
},
{
"id": "921422",
"name": "Content-Type header: Dangerous content type outside the mime type declaration",
"pattern": "^[^sx0b,;]+[sx0b,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/255/153"
]
},
{
"id": "921210",
"name": "HTTP Parameter Pollution after detecting bogus char after parameter array",
"pattern": "(][^]]+$|][^]]+[)",
"targets": [
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/152/137/15/460"
]
},
{
"id": "921220",
"name": "HTTP Parameter Pollution possible via array notation",
"pattern": "[",
"targets": [
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-protocol",
"paranoia-level/4",
"OWASP_CRS",
"OWASP_CRS/PROTOCOL-ATTACK",
"capec/1000/152/137/15/460"
]
}
]
},
{
"id": "crs-multipart-attack",
"name": "CRS Multipart Attack",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Multipart Attack (3 rules)",
"author": "OWASP CRS Project",
"priority": 10,
"enabled": true,
"rules": [
{
"id": "922110",
"name": "Illegal MIME Multipart Header content-type: charset parameter",
"pattern": "^(?:(?:*|[^!",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-multipart-header",
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/MULTIPART-ATTACK",
"capec/272/220"
]
},
{
"id": "922120",
"name": "Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used",
"pattern": "content-transfer-encoding:(.*)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-multipart-header",
"attack-deprecated-header",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/MULTIPART-ATTACK",
"capec/272/220"
]
},
{
"id": "922130",
"name": "Multipart header contains characters outside of valid range",
"pattern": "[^x21-x7E][x21-x39x3B-x7E]*:",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "protocol",
"enabled": true,
"tags": [
"attack-multipart-header",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/MULTIPART-ATTACK",
"capec/272/220"
]
}
]
},
{
"id": "crs-lfi",
"name": "CRS Local File Inclusion (LFI)",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Local File Inclusion (LFI) (2 rules)",
"author": "OWASP CRS Project",
"priority": 5,
"enabled": true,
"rules": [
{
"id": "930100",
"name": "Path Traversal Attack (/../) or (/.../)",
"pattern": "(?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[01]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[256aef]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "lfi",
"enabled": true,
"tags": [
"attack-lfi",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-LFI",
"capec/1000/255/153/126"
]
},
{
"id": "930110",
"name": "Path Traversal Attack (/../) or (/.../)",
"pattern": "(?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}[x5c/;])",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "lfi",
"enabled": true,
"tags": [
"attack-lfi",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-LFI",
"capec/1000/255/153/126"
]
}
]
},
{
"id": "crs-rfi",
"name": "CRS Remote File Inclusion (RFI)",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Remote File Inclusion (RFI) (5 rules)",
"author": "OWASP CRS Project",
"priority": 5,
"enabled": true,
"rules": [
{
"id": "931100",
"name": "Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address",
"pattern": "(?i)^(file|ftps?|https?|ssh)://(?:[?[a-f0-9]+:[a-f0-9:]+]?|d{1,3}.d{1,3}.d{1,3}.d{1,3})",
"targets": [
"body",
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rfi",
"enabled": true,
"tags": [
"attack-rfi",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RFI",
"capec/1000/152/175/253"
]
},
{
"id": "931110",
"name": "Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload",
"pattern": "(?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://",
"targets": [
"body",
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rfi",
"enabled": true,
"tags": [
"attack-rfi",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RFI",
"capec/1000/152/175/253"
]
},
{
"id": "931120",
"name": "Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)",
"pattern": "^(?i:file|ftps?|https?).*??+$",
"targets": [
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rfi",
"enabled": true,
"tags": [
"attack-rfi",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RFI",
"capec/1000/152/175/253"
]
},
{
"id": "931130",
"name": "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link",
"pattern": "(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://?(?:[^@]+@)?([^/]*)",
"targets": [
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rfi",
"enabled": true,
"tags": [
"attack-rfi",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RFI",
"capec/1000/152/175/253"
]
},
{
"id": "931131",
"name": "Possible Remote File Inclusion (RFI) Attack",
"pattern": "(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)",
"targets": [
"uri"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rfi",
"enabled": true,
"tags": [
"attack-rfi",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RFI",
"capec/1000/152/175/253"
]
}
]
},
{
"id": "crs-rce",
"name": "CRS Remote Code Execution (RCE)",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Remote Code Execution (RCE) (42 rules)",
"author": "OWASP CRS Project",
"priority": 3,
"enabled": true,
"rules": [
{
"id": "932230",
"name": "Remote Command Execution: Unix Command Injection (2-3 chars)",
"pattern": "(?i)(?:b[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932235",
"name": "Remote Command Execution: Unix Command Injection (command without evasion)",
"pattern": "(?i)(?:b[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932125",
"name": "Remote Command Execution: Windows Powershell Alias Command Injection",
"pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932130",
"name": "Remote Command Execution: Unix Shell Expression Found",
"pattern": "$(?:((?:[^)]+|([^)]+)))|{[^}]+}|[[^]]*])|[<>]([^)]+)|/[0-9A-Z_a-z]*[[^]]+]",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932140",
"name": "Remote Command Execution: Windows FOR/IF Command Found",
"pattern": "b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sx0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932270",
"name": "Remote Command Execution: Unix Shell Expression Found",
"pattern": "~[+-](?:$|[0-9]+)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932280",
"name": "Remote Command Execution: Brace Expansion Found",
"pattern": "{[0-9A-Z_a-z]*,[,-0-9A-Z_a-z]*}",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932250",
"name": "Remote Command Execution: Direct Unix Command Execution",
"pattern": "(?i)(?:^|b[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932260",
"name": "Remote Command Execution: Direct Unix Command Execution",
"pattern": "(?i)(?:^|b[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932340",
"name": "Remote Command Execution: Direct Unix Command Execution (No Arguments)",
"pattern": "(?i)(?:b[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932330",
"name": "Remote Command Execution: Unix shell history invocation",
"pattern": "!-d",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932170",
"name": "Remote Command Execution: Shellshock (CVE-2014-6271)",
"pattern": "^(s*)s+{",
"targets": [
"headers",
"uri"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932171",
"name": "Remote Command Execution: Shellshock (CVE-2014-6271)",
"pattern": "^(s*)s+{",
"targets": [
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932175",
"name": "Remote Command Execution: Unix shell alias invocation",
"pattern": "ba[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932370",
"name": "Remote Command Execution: Windows Command Injection",
"pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932380",
"name": "Remote Command Execution: Windows Command Injection",
"pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932371",
"name": "Remote Command Execution: Windows Command Injection",
"pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932231",
"name": "Remote Command Execution: Unix Command Injection",
"pattern": "(?:b[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932131",
"name": "Remote Command Execution: Unix Shell Expression Found",
"pattern": "$(?:((?:[^)]+|([^)]+)))|{[^}]+}|[[^]]*])|[<>]([^)]+)|/[0-9A-Z_a-z]*[[^]]+]",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932200",
"name": "RCE Bypass Technique",
"pattern": "['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{]",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932205",
"name": "RCE Bypass Technique",
"pattern": "^[^#]+",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932206",
"name": "RCE Bypass Technique",
"pattern": "^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{])",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932207",
"name": "RCE Bypass Technique",
"pattern": "#.*",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932220",
"name": "Remote Command Execution: Unix Command Injection with pipe",
"pattern": "(?i).|(?:[sx0b]*|b[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932240",
"name": "Remote Command Execution: Unix Command Injection evasion attempt detected",
"pattern": "(?i)[-0-9_a-z]+(?:[sx0b]*[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932281",
"name": "Remote Command Execution: Brace Expansion Found",
"pattern": "{[^sx0b,:}]*,[^sx0b]*}",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932210",
"name": "Remote Command Execution: SQLite System Command Execution",
"pattern": ";[sx0b]*.[sx0b]*[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932271",
"name": "Remote Command Execution: Unix Shell Expression Found",
"pattern": "~[0-9]+",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932300",
"name": "Remote Command Execution: SMTP Command Execution",
"pattern": "(?i)rn.*?b(?:E(?:HLO[sx0b][-.a-z]{1,255}|XPN[sx0b].{1,64})|HELO[sx0b][-.a-z]{1,255}|MAIL[sx0b]FROM:<.{1,64}@.{1,255}>|R(?:CPT[sx0b]TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SETb)|VRFY[sx0b].{1,64}(?:[sx0b]<.{1,64}@.{1,255}>|@.{1,255})|AUTH[sx0b][-0-9_a-z]{1,20}[sx0b](?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=|STARTTLSb|NOOPb(?:[sx0b].{1,255})?)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/137/134"
]
},
{
"id": "932310",
"name": "Remote Command Execution: IMAP Command Execution",
"pattern": "(?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/137/134"
]
},
{
"id": "932320",
"name": "Remote Command Execution: POP3 Command Execution",
"pattern": "(?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9_a-z]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/137/134"
]
},
{
"id": "932236",
"name": "Remote Command Execution: Unix Command Injection (command without evasion)",
"pattern": "(?i)(?:^|b[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932239",
"name": "Remote Command Execution: Unix Command Injection found in user-agent or referer header",
"pattern": "(?i)(?:^|b[",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932232",
"name": "Remote Command Execution: Unix Command Injection",
"pattern": "(?:b[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932237",
"name": "Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS",
"pattern": "(?i)b(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[sx0b&),<>|]|a(?:a-[^sx0b]{1,10}b|(?:b|t(?:obm)?|w[ks]|l(?:ias|pine)|xel)[sx0b&),<>|]|p(?:t(?:(?:itude)?[sx0b&),<>|]|-get)|parmor_[^sx0b]{1,10}b)|r(?:(?:p|ch)?[sx0b&),<>|]|j(?:[sx0b&),<>|]|-register|disp)|ia2c)|s(?:h?[sx0b&),<>|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[sx0b&),<>|]|diff|e(?:grep|xe[sx0b&),<>|])|f?grep|ip2(?:[sx0b&),<>|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sx0b&),<>|]|c))|h[sx0b&),<>|])|tch[sx0b&),<>|])|lkid[sx0b&),<>|]|pftrace|r(?:eaksw|(?:idge|wap)[sx0b&),<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sx0b&),<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[sx0b&),<>|]))|c(?:[89]9(?:[sx0b&),<>|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[sx0b&),<>|]|p(?:(?:an|io)?[sx0b&),<>|]|ulimit)|s(?:(?:h|cli)[sx0b&),<>|]|plit|vtool)|u(?:t[sx0b&),<>|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[sx0b&),<>|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[sx0b&),-<>|])|(?:flag|pas)s|g(?:passwd|rp[sx0b&),<>|]))|lang(?:++|[sx0b&),<>|])|o(?:bc(?:[sx0b&),<>|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[sx0b&),<>|]|proc|w(?:say|think))|r(?:ash[sx0b&),<>|]|on(?:[sx0b&),<>|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[sx0b&),<>|]|nf[sx0b&),<>|]?|hclient|m(?:esg[sx0b&),<>|]|idecode|setup)|o(?:(?:as|ne)[sx0b&),<>|]|cker[sx0b&),-<>|]|sbox)|pkg[sx0b&),-<>|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[sx0b&),<>|]|n(?:v(?:[sx0b&),<>|]|-update)|d(?:if|sw)[sx0b&),<>|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[sx0b&),<>|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep)?|mt|etch|lock|unction)[sx0b&),<>|]|i(?:(?:n(?:d|ger)|sh)?[sx0b&),<>|]|le(?:[sx0b&),<>|]|test))|tp(?:[sx0b&),<>|]|stats|who)|acter|d(?:(?:find|isk)[sx0b&),<>|]|u?mount)|o(?:ld[sx0b&),<>|]|reach)|ping[sx0b&),6<>|])|g(?:c(?:c[^sx0b]{1,10}b|ore[sx0b&),<>|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))[sx0b&),<>|]|e(?:m[sx0b&),<>|]|ni(?:e[sx0b&),<>|]|soimage)|t(?:cap|facl[sx0b&),<>|]))|hc(?:-?[sx0b&),<>|]|i[sx0b&),-<>|])|r(?:(?:c(?:at)?|ep)[sx0b&),<>|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[sx0b&),<>|]|e(?:ad[sx0b&),<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[sx0b&),<>|]|passwd))|i(?:(?:d|rb|conv|nstall)[sx0b&),<>|]|p(?:[sx0b&),<>|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[sx0b&),<>|])|onice|spell)|j(?:(?:js|q|ava|exec)[sx0b&),<>|]|o(?:(?:bs|in)[sx0b&),<>|]|urnalctl)|runscript)|k(?:s(?:h[sx0b&),<>|]|shell)|ill(?:[sx0b&),<>|]|all)|nife[sx0b&),<>|])|l(?:d(?:d?[sx0b&),<>|]|config)|(?:[np]|ynx)[sx0b&),<>|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[sx0b&),<>|]|b_release)|ua(?:[sx0b&),<>|]|(?:la)?tex)|z(?:4(?:[sx0b&),<>|]|c(?:[sx0b&),<>|]|at))|(?:c(?:at|mp))?[sx0b&),<>|]|diff|[ef]?grep|less|m(?:a(?:[sx0b&),<>|]|dec|info)|ore))|a(?:st(?:(?:comm)?[sx0b&),<>|]|log(?:in)?)|tex[sx0b&),<>|])|ess(?:[sx0b&),<>|]|echo|(?:fil|pip)e)|ftp(?:[sx0b&),<>|]|get)|o(?:(?:ca(?:l|te)|ok)[sx0b&),<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[sx0b&),<>|]|k(?:(?:dir|nod)[sx0b&),<>|]|fifo|temp)|locate|o(?:(?:re|unt)[sx0b&),<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[sx0b&),<>|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[sx0b&),<>|]|.(?:openbsd|traditional))|e(?:t(?:[sx0b&),<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[sx0b&),<>|]|s(?:enter|lookup|tat[sx0b&),<>|]))|o(?:(?:d|ctave)[sx0b&),<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[sx0b&),<>|]))|p(?:a(?:(?:x|cman|rted|tch)[sx0b&),<>|]|s(?:swd|te[sx0b&),<>|]))|d(?:b(?:[sx0b&),<>|]|2mb|3[sx0b&),.<>|])|f(?:la)?tex|ksh[sx0b&),<>|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd))[sx0b&),<>|]|hp(?:[57]?[sx0b&),<>|]|-cgi)|i(?:(?:co?|gz|ng6?)[sx0b&),<>|]|p(?:[sx0b&),<>|]|[^sx0b]{1,10}b)|dstat)|k(?:g(?:[sx0b&),<>|]|_?info)|exec|ill[sx0b&),<>|])|r(?:y?[sx0b&),<>|]|int(?:env|f[sx0b&),<>|]))|s(?:(?:ed|ql)?[sx0b&),<>|]|ftp)|t(?:x[sx0b&),<>|]|ar(?:[sx0b&),<>|]|diff|grep))|er(?:(?:f|ms)[sx0b&),<>|]|l(?:5?[sx0b&),<>|]|sh))|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[sx0b&),<>|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[sx0b&),<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sx0b&),<>|]|t(?:[sx0b&),<>|]|-(?:dump|tar))|user)|pm(?:(?:db)?[sx0b&),<>|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[sx0b&),<>|])|u(?:by[^sx0b]{1,10}b|n(?:-(?:mailcap|parts)|c[sx0b&),<>|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh)|plit)[sx0b&),<>|]|e(?:(?:d|ndmail|rvice)[sx0b&),<>|]|t(?:(?:facl)?[sx0b&),<>|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[sx0b&),<>|]|.distrib)|s(?:[sx0b&),<>|]|h(?:[sx0b&),<>|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[sx0b&),<>|]|do(?:-rs|[sx0b&),<>_|]|edit|replay))|vn(?:[sx0b&),<>|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[sx0b&),<>|]|elim)|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[sx0b&),<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[sx0b&),<>|]|sk(?:[sx0b&),<>|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[sx0b&),<>|]|e(?:[ex][sx0b&),<>|]|lnet)|i(?:c[sx0b&),<>|]|me(?:(?:out)?[sx0b&),<>|]|datectl))|c(?:l?sh[sx0b&),<>|]|p(?:dump|ing|traceroute))|r(?:a(?:ceroute6?|p[sx0b&),<>|])|off[sx0b&),<>|])|shark)|u(?:l(?:imit)?[sx0b&),<>|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[sx0b&),<>|]|expand|l(?:ink[sx0b&),<>|]|z(?:4[sx0b&),<>|]|ma))|pigz|z(?:ip[sx0b&),<>|]|std))|p(?:2date[sx0b&),<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:[ep]w|gr|rsh)?[sx0b&),<>|]|m(?:[sx0b&),<>|]|diff)|sudo(?:-rs)?)|algrind|olatility[sx0b&),<>|])|w(?:(?:c|a(?:ll|tch))?[sx0b&),<>|]|h(?:o(?:(?:is)?[sx0b&),<>|]|ami)?|iptail[sx0b&),<>|])|i(?:reshark|sh[sx0b&),<>|]))|x(?:(?:(?:x|pa)d|args|term)[sx0b&),<>|]|z(?:(?:c(?:at|mp))?[sx0b&),<>|]|d(?:ec[sx0b&),<>|]|iff)|[ef]?grep|less|more)|e(?:latex|tex[sx0b&),<>|])|mo(?:dmap|re[sx0b&),<>|]))|z(?:ip(?:[sx0b&),<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[sx0b&),<>|]|oelim|td(?:[sx0b&),<>|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[sx0b&),<>|]|[ef]grep|mo(?:dload|re[sx0b&),<>|])|ypper))(?:b|[^0-9A-Z_a-z])",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932238",
"name": "Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS",
"pattern": "(?i)(?:^|b[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932190",
"name": "Remote Command Execution: Wildcard bypass technique attempt",
"pattern": "(?i)/(?:[*?]+[/-9A-Z_a-z]|[/-9A-Z_a-z]+[*?])",
"targets": [
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932350",
"name": "Remote Command Execution: Direct Unix Command Execution (No Arguments)",
"pattern": "(?i)(?:^|b[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
},
{
"id": "932301",
"name": "Remote Command Execution: SMTP Command Execution",
"pattern": "rn.*?b(?:DATA|QUIT|HELP(?: .{1,255})?)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/137/134"
]
},
{
"id": "932311",
"name": "Remote Command Execution: IMAP Command Execution",
"pattern": "(?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/137/134"
]
},
{
"id": "932321",
"name": "Remote Command Execution: POP3 Command Execution",
"pattern": "rn.*?b(?:(?:QUI|STA|RSE)T|NOOP|CAPA)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/137/134"
]
},
{
"id": "932331",
"name": "Remote Command Execution: Unix shell history invocation",
"pattern": "!(?:d|!)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88"
]
}
]
},
{
"id": "crs-php",
"name": "CRS PHP Injection",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS PHP Injection (18 rules)",
"author": "OWASP CRS Project",
"priority": 5,
"enabled": true,
"rules": [
{
"id": "933100",
"name": "PHP Injection Attack: PHP Open Tag Found",
"pattern": "(?i)<?(?:php[sx0b]|[sx0b=]|xml(?:[sx0b]+[^a-z]|:)|$)|[[/x5c]?php]|{/?php}",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933110",
"name": "PHP Injection Attack: PHP Script File Upload Found",
"pattern": ".*.ph(?:pd*|tml|ar|ps|t|pt).*$",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933120",
"name": "PHP Injection Attack: Configuration Directive Found",
"pattern": "(?i)b(?:a(?:llow_url_(?:fopen|include)|pc.(?:coredump_unmap|en(?:able(?:_cli|d)|tries_hint)|(?:gc_)?ttl|mmap_file_mask|preload_path|s(?:erializer|hm_s(?:egments|ize)|lam_defense)|use_request_time)|rg_separator.(?:in|out)put|ssert.(?:active|(?:bai|quiet_eva)l|callback|exception|warning)|uto_(?:(?:ap|pre)pend_file|detect_line_endings|globals_jit))|b(?:cmath.scale|rowscap)|c(?:gi.(?:check_shebang_line|(?:discard_pat|np)h|f(?:ix_pathinfo|orce_redirect)|r(?:edirect_status_env|fc2616_headers))|hild_terminate|li(?:_server.color|.p(?:ager|rompt))|om.(?:a(?:llow_dcom|utoregister_(?:(?:casesensitiv|verbos)e|typelib))|(?:code_pag|typelib_fil)e|dotnet_version)|url.cainfo)|d(?:ate.(?:(?:default_l(?:at|ong)itud|timezon)e|sun(?:rise|set)_zenith)|ba.default_handler|efault_(?:(?:charse|socket_timeou)t|mimetype)|is(?:able_(?:classe|function)|play_(?:startup_)?error)s|oc(?:_roo|ref_(?:ex|roo))t)|e(?:n(?:able_(?:dl|post_data_reading)|gine)|rror_(?:(?:(?:ap|pre)pend_str|report)in|lo)g|x(?:i(?:f.(?:decode_(?:jis|unicode)_(?:intel|motorola)|encode_(?:jis|unicode))|t_on_timeout)|tension(?:_dir)?|p(?:ect.(?:log(?:file|user)|match_max|timeout)|ose_php)))|f(?:astcgi.(?:impersonate|logging)|fi.(?:enable|preload)|il(?:e_uploads|ter.default(?:_flags)?))|g(?:d.jpeg_ignore_warning|eoip.custom_directory)|h(?:ard_timeout|ighlight.(?:(?:commen|defaul)t|html|keyword|string)|tml_errors)|i(?:b(?:ase.(?:(?:allow_persisten|time(?:stamp)?forma)t|d(?:ateformat|efault_(?:charset|db|password|user))|max_(?:links|persistent))|m_db2.(?:binmode|i(?:5_(?:all(?:_pconnec|ow_commi)t|dbcs_alloc|ignore_userid)|nstance_name)))|conv.(?:in(?:put|ternal)|output)_encoding|g(?:binary.compact_strings|nore_(?:repeated_(?:errors|source)|user_abort))|m(?:a(?:gick.(?:locale_fix|progress_monitor|skip_version_check)|p.enable_insecure_rsh)|plicit_flush)|n(?:clude_path|put_encoding|t(?:ernal_encoding|l.(?:default_locale|error_level|use_exceptions))))|l(?:dap.max_links|og_errors(?:_max_len)?)|m(?:a(?:gic_quotes_(?:gpc|runtime)|il(?:.(?:add_x_header|force_extra_parameters|log)|parse.def_charset)|x_(?:execution_time|file_uploads|input_(?:nesting_level|time|vars)))|bstring.(?:detect_order|encoding_translation|func_overload|http_(?:input|output(?:_conv_mimetypes)?)|internal_encoding|language|regex_(?:retry|stack)_limit|s(?:trict_detection|ubstitute_character))|crypt.(?:algorithm|mode)s_dir|em(?:cache(?:.(?:allow_failover|c(?:hunk_size|ompress_threshold)|(?:default_por|lock_timeou)t|hash_(?:function|strategy)|max_failover_attempts|protocol|(?:session_)?redundancy)|d.(?:compression_(?:factor|t(?:hreshold|ype))|default_(?:binary_protocol|con(?:nect_timeout|sistent_hash))|s(?:e(?:rializer|ss_(?:binary(?:_protocol)?|con(?:nect_timeout|sistent_hash(?:_type)?)|lock(?:_(?:expire|retries|wait(?:_m(?:ax|in))?)|ing)|number_of_replicas|p(?:ersistent|refix)|r(?:andomize_replica_read|emove_failed(?:_servers)?)|s(?:asl_(?:password|username)|erver_failure_limit)))|tore_retry_count)|use_sasl))|ory_limit)|ysql(?:.(?:allow_(?:local_infile|persistent)|connect_timeout|default_(?:(?:hos|socke)t|p(?:assword|ort)|user)|max_(?:links|persistent)|trace_mode)|i.(?:allow_(?:local_infile|persistent)|default_(?:(?:hos|socke)t|p(?:ort|w)|user)|local_infile_directory|max_(?:links|persistent)|r(?:econnect|ollback_on_cached_plink))|nd.(?:collect_(?:memory_)?statistics|debug|(?:fetch_data_cop|sha256_server_public_ke)y|log_mask|mempool_default_size|net_(?:cmd_buffer_size|read_(?:buffer_size|timeout))|trace_alloc)))|o(?:ci8.(?:(?:connection_clas|event|old_oci_close_semantic)s|default_prefetch|max_persistent|p(?:ersistent_timeout|ing_interval|r(?:efetch_lob_size|ivileged_connect))|statement_cache_size)|dbc.(?:(?:allow|check)_persistent|default(?:_(?:cursortype|db|pw|user)|binmode|lrl)|max_(?:links|persistent))|p(?:cache.(?:blacklist_filename|c(?:ache_id|onsistency_checks)|dups_fix|e(?:nable(?:_(?:cli|file_override))?|rror_log)|f(?:ast_shutdown|ile_(?:cache(?:_(?:consistency_checks|fallback|only))?|update_protection)|orce_restart_timeout)|(?:huge_code_page|save_comment)s|in(?:herited_hack|terned_strings_buffer)|jit(?:_(?:b(?:isect_limit|(?:lacklist_(?:root|side)_trac|uffer_siz)e)|debug|hot_(?:func|loop|return|side_exit)|max_(?:exit_counter|(?:loop_unro|polymorphic_ca)ll|r(?:ecursive_(?:call|return)|oot_trace)|side_trace)s|prof_threshold))?|lo(?:ckfile_path|g_verbosity_level)|m(?:ax_(?:accelerated_files|(?:file_siz|wasted_percentag)e)|emory_consumption|map_base)|opt(?:_debug|imization)_level|pr(?:e(?:ferred_memory_model|load(?:_user)?)|otect_memory)|re(?:cord_warnings|strict_api|validate_(?:freq|path))|use_cwd|validate_(?:permission|root|timestamps))|en(?:_basedir|ssl.ca(?:file|path)))|utput_(?:(?:buffer|encod)ing|handler))|p(?:cre.(?:(?:backtrack|recursion)_lim|j)it|do(?:_odbc.(?:connection_pooling|db2_instance_name)|.dsn)|gsql.(?:a(?:llow|uto_reset)_persistent|(?:ignore|log)_notice|max_(?:links|persistent))|h(?:ar.(?:cache_list|re(?:adonly|quire_hash))|pdbg.(?:eol|path))|recision|ost_max_size)|r(?:e(?:alpath_cache_(?:size|ttl)|gister_argc_argv|port_(?:memleaks|zend_debug)|quest_order)|unkit.(?:internal_override|superglobal))|s(?:e(?:aslog.(?:appender(?:_retry)?|buffer_(?:disabled_in_cli|size)|d(?:efault_(?:basepath|datetime_format|logger|template)|isting_(?:(?:by_hou|folde)r|type))|ignore_warning|level|re(?:call_depth|mote_(?:hos|por|timeou)t)|t(?:hrow_exception|r(?:ace_(?:e(?:rror|xception)|notice|warning)|im_wrap))|use_buffer)|ndmail_(?:from|path)|rialize_precision|ssion.(?:auto_start|c(?:ache_(?:expire|limiter)|ookie_(?:domain|httponly|(?:lifetim|s(?:amesit|ecur))e|path))|entropy_(?:file|length)|gc_(?:divisor|maxlifetime|probability)|hash_(?:bits_per_character|function)|(?:lazy_writ|nam)e|referer_check|s(?:ave_(?:handler|path)|erialize_handler|id_(?:bits_per_character|length))|trans_sid_(?:host|tag)s|u(?:pload_progress.(?:cleanup|enabled|(?:min_)?freq|name|prefix)|se_(?:(?:only_)?cookies|strict_mode|trans_sid))))|hort_open_tag|mtp(?:_port)?|oap.wsdl_cache(?:_(?:dir|enabled|limit|ttl))?|ql(?:.safe_mode|ite3.(?:defensive|extension_dir))|tomp.default_(?:broker|(?:connection|read)_timeout_u?sec)|woole.(?:aio_thread_num|display_errors|enable_(?:coroutine|library|preemptive_scheduler)|(?:fast_serializ|u(?:nixsock_buffer_siz|se_(?:namespac|shortnam)))e)|ys(?:_temp_dir|log.(?:f(?:acility|ilter)|ident)|vshm.init_mem))|t(?:aint.e(?:nable|rror_level)|idy.(?:clean_output|default_config)|ra(?:ck_errors|der.real_(?:precision|round_mode)))|u(?:nserialize_(?:callback_func|max_depth)|opz.(?:disable|exit|overloads)|pload(?:_(?:max_filesize|tmp_dir)|progress.file.filename_template)|rl_rewriter.(?:host|tag)s|ser_(?:agent|dir|ini.(?:cache_ttl|filename)))|v(?:8js.(?:flag|max_disposed_context)s|ariables_order|ld.(?:(?:activ|execut)e|skip_(?:ap|pre)pend))|w(?:in(?:cache.(?:chkinterval|enablecli|f(?:c(?:achesize|enabled(?:filter)?|ndetect)|ile(?:count|mapdir))|(?:ignorelis|namesal)t|maxfilesize|oc(?:achesize|enabled(?:filter)?)|reroute(?:_enabled|ini)|s(?:cachesize|rwlocks)|ttlmax|uc(?:achesize|enabled))|dows.show_crt_warning)|khtmltox.graphics)|x(?:bithack|hprof.output_dir|mlrpc_error(?:_number|s))|ya(?:c(?:.(?:compress_threshold|debug|enable(?:_cli)?|(?:key|value)s_memory_size|serializer)|onf.(?:check_dela|director)y)|f.(?:action_prefer|cache_config|environ|forward_limit|l(?:ibrary|owcase_path)|name_s(?:eparator|uffix)|use_(?:namespace|spl_autoload))|ml.(?:decode_(?:binary|(?:ph|timestam)p)|output_(?:canonical|indent|width))|r.(?:(?:connect_)?timeout|debug|expose_info|packager)|z.(?:keepalive|log_mask))|z(?:end(?:_extension|.(?:assertions|(?:detect_unicod|multibyt)e|e(?:nable_gc|xception_(?:ignore_args|string_param_max_len))|s(?:cript_encoding|ignal_check)))|lib.output_(?:compression(?:_level)?|handler)|ookeeper.(?:recv_timeout|sess(?:_lock_wait|ion_lock))))[sx0b]*=[^=]",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933135",
"name": "PHP Injection Attack: Variable Access Found",
"pattern": "$s*{s*S[^{}]*}",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933140",
"name": "PHP Injection Attack: I/O Stream Found",
"pattern": "(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933200",
"name": "PHP Injection Attack: Wrapper scheme detected",
"pattern": "(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933160",
"name": "PHP Injection Attack: High-Risk PHP Function Call Found",
"pattern": "(?i)b(?[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933170",
"name": "PHP Injection Attack: Serialized Object Injection",
"pattern": "[oOcC]:d+:",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933180",
"name": "PHP Injection Attack: Variable Function Call Found",
"pattern": "$+(?:[a-zA-Z_x7f-xff][a-zA-Z0-9_x7f-xff]*|s*{.+})(?:s|[.+]|{.+}|/*.**/|//.*|#.*)*(.*)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933210",
"name": "PHP Injection Attack: Variable Function Call Found",
"pattern": "(?:((?:.+)(?:[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933220",
"name": "PHP Injection Attack: PHP Session File Upload Attempt",
"pattern": "(?:^|[/x5c])sess_[,-0-9a-z]{20,256}$",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933151",
"name": "PHP Injection Attack: Medium-Risk PHP Function Name Found",
"pattern": "(?i)b(?:a(?:c(?:cel_chdir|osh?)|ddc?slashes|pache_(?:child_terminate|get(?:_(?:modules|version)|env)|lookup_uri|note |re(?:quest|sponse)_headers|setenv)|r(?:ray_(?:c(?:h(?:ange_key_case|unk)|o(?:lumn|mbine|unt_values))|diff(?:_(?:assoc|key|u(?:assoc|key)))?|f(?:ill(?:_keys)?|lip)|i(?:ntersect(?:_(?:assoc|key|u(?:assoc|key)))?|s_list)|key(?:_(?:fir|la)st|s)|m(?:ap|erge(?:_recursive)?|ultisort)|p(?:ad|op|roduct)|r(?:and|e(?:(?:duc|vers)e|place(?:_recursive)?))|s(?:earch|p?lice|um)|u(?:(?:diff|intersect)(?:_u?assoc)?|n(?:ique|shift))|walk(?:_recursive)?)|sort)|s(?:inh|ort|sert_options)|tan[2h]?)|b(?:ase(?:64_(?:de|en)code|_convert)|c(?:add|comp|div|m(?:od|ul)|pow(?:mod)?|s(?:cale|qrt|ub))|in(?:2hex|d(?:_textdomain_codeset|ec|textdomain))|oolval|z(?:(?:de)?compress|err(?:no|(?:o|st)r)|open|read))|c(?:al(?:_(?:days_in_month|(?:from|to)_jd|info)|l_user_func_array)|eil|h(?:(?:di)?r|grp|mod|own|unk_split)|l(?:ass_(?:alia|(?:implem|par)ent|use)s|earstatcache|ose(?:dir|log))|o(?:llator_(?:asort|c(?:ompar|reat)e|get_(?:(?:attribut|error_(?:cod|messag)|local)e|s(?:ort_key|trength))|s(?:et_(?:attribute|strength)|ort(?:_with_sort_keys)?))|m_(?:create_guid|event_sink|get_active_object|load_typelib|message_pump|print_typeinfo)|n(?:fig_get_hash|nection_(?:aborted|status)|vert_uu(?:de|en)code)|unt_chars)|rc32|type_(?:al(?:num|pha)|cntrl|(?:x?digi|p(?:rin|unc))t|graph|(?:low|upp)er|space)|url_(?:(?:c(?:los|opy_handl)|file_creat|paus)e|e(?:rr(?:no|or)|scape|xec)|getinfo|(?:ini|rese)t|multi_(?:(?:(?:add|remove)_handl|clos)e|e(?:rrno|xec)|getcontent|in(?:fo_read|it)|s(?:e(?:lec|top)t|trerror))|s(?:etopt(?:_array)?|hare_(?:close|errno|init|s(?:etopt|trerror))|trerror)|u(?:nescape|pkeep)|version))|d(?:ate(?:_(?:add|create(?:_(?:from_format|immutable(?:_from_format)?))?|d(?:(?:ate_s|efault_timezone_[gs])et|iff)|(?:forma|(?:offset_g|time(?:_s|(?:stamp|zone)_[gs]))e)t|get_last_errors|i(?:nterval_(?:create_from_date_string|format)|sodate_set)|modify|parse(?:_from_format)?|su(?:b|n(?:_info|rise|set)))|fmt_(?:(?:creat|localtim|pars)e|format(?:_object)?|get_(?:calendar(?:_object)?|(?:datetyp|error_(?:cod|messag)|local)e|pattern|time(?:type|zone(?:_id)?))|is_lenient|set_(?:calendar|lenient|pattern|timezone)))|ba_(?:(?:clos|delet|replac)e|(?:exist|handler)s|f(?:etch|irstkey)|(?:inser|key_spli|lis)t|nextkey|op(?:en|timize)|popen|sync)|(?:cn?)?gettext|e(?:bug_(?:(?:print_)?backtrace|zval_dump)|c(?:bin|hex)|flate_(?:add|init)|g2rad)|isk_(?:free|total)_space|l_test_test[12]|n(?:gettext|s_(?:check_record|get_(?:mx|record)))|om_import_simplexml)|e(?:aster_da(?:te|ys)|n(?:chant_(?:broker_(?:d(?:escribe|ict_exists)|free(?:_dict)?|get_(?:dict_path|error)|(?:ini|request_(?:pwl_)?dic)t|list_dicts|set_(?:dict_path|ordering))|dict_(?:add(?:_to_session)?|(?:quick_)?check|describe|get_error|is_added|s(?:tore_replacemen|ugges)t))|um_exists)|rror_(?:(?:clear|get)_last|(?:lo|reportin)g)|scapeshell(?:arg|cmd)|x(?:if_(?:imagetype|read_data|t(?:agname|humbnail))|pm1|tension_loaded))|f(?:astcgi_finish_request|d(?:atasync|iv)|eof|f(?:i_trampoline|lush)|get(?:c(?:sv)?|s)|i(?:l(?:e_put_contents|ter_(?:has_var|i(?:d|nput(?:_array)?)|list|var(?:_array)?))|nfo_(?:buffer|(?:clos|fil)e|open|set_flags))|loatval|(?:mo|re(?:a|nchtoj))d|nmatch|orward_static_call(?:_array)?|p(?:assthru|m_get_status|rintf|utcsv)|s(?:canf|eek|ockopen|tat|ync)|t(?:ell|ok|p_(?:a(?:lloc|ppend)|c(?:dup|h(?:dir|mod)|lose|onnect)|delete|exec|f(?:ge|pu)t|get(?:_option)?|login|m(?:dtm|kdir|lsd)|n(?:b_(?:continue|(?:f(?:ge|pu)|ge|pu)t)|list)|p(?:asv|ut|wd)|r(?:aw(?:list)?|ename|mdir)|s(?:et_option|(?:i[tz]|ystyp)e|sl_connect))|runcate)|unc_(?:get_args?|num_args)|write)|g(?:c_(?:(?:(?:collect_cycl|mem_cach)e|statu)s|disable|enabled?)|d_info|et(?:_(?:browser|c(?:(?:alled_clas|lass_(?:method|var))s|(?:fg_va|urrent_use)r)|de(?:bug_type|(?:clared_(?:(?:class|interfac)e|trait)|fined_(?:constant|function|var))s)|(?:extension_func|loaded_extension|m(?:angled_object_var|eta_tag)|parent_clas)s|h(?:eaders|tml_translation_table)|include(?:_path|d_files)|o(?:bject_vars|pen_basedir)|resource(?:_(?:id|type)|s))|(?:cw|lastmo)d|(?:dat|rusag)e|env|host(?:by(?:addr|namel?)|name)|imagesize(?:fromstring)?|my(?:[gpu]id|inode)|opt|protobyn(?:ame|umber)|servby(?:name|port)|t(?:ext|imeofday|ype))|m(?:(?:dat|(?:mk|strf)tim)e|p_(?:a(?:bs|[dn]d)|binomial|c(?:lrbit|mp|om)|div(?:_(?:qr?|r)|exact)|(?:expor|fac|hamdis|testbi)t|gcd(?:ext)?|i(?:mport|n(?:(?:i|ver)t|tval))|jacobi|(?:kronecke|x?o)r|l(?:cm|egendre)|m(?:od|ul)|ne(?:g|xtprime)|p(?:erfect_(?:power|square)|o(?:pcount|wm?)|rob_prime)|r(?:andom_(?:bits|range|seed)|oot(?:rem)?)|s(?:can[01]|etbit|ign|qrt(?:rem)?|trval|ub)))|r(?:apheme_(?:extract|s(?:tr(?:i(?:pos|str)|len|(?:ri?)?pos|str)|ubstr))|egoriantojd)|z(?:(?:un)?compress|(?:de(?:cod|flat)|encod|fil|inflat)e|open))|h(?:ash_(?:(?:algo|equal)s|copy|fi(?:le|nal)|h(?:kdf|mac(?:_(?:algos|file))?)|init|pbkdf2|update(?:_(?:file|stream))?)|e(?:ader(?:_re(?:gister_callback|move)|s_(?:lis|sen)t)|brev|x(?:2bin|dec))|ighlight_(?:file|string)|rtime|t(?:ml(?:(?:_entity|specialchars)_decode|entities)|tp_(?:build_query|response_code))|ypot)|i(?:conv(?:_(?:get_encoding|mime_(?:decode(?:_headers)?|encode)|s(?:et_encoding|tr(?:len|r?pos)|ubstr)))?|dn_to_(?:ascii|utf8)|gnore_user_abort|ma(?:ge(?:_type_to_(?:extension|mime_type)|a(?:ffine(?:matrix(?:conca|ge)t)?|lphablending|ntialias|rc|vif)|(?:bm|w(?:bm|eb))p|c(?:har(?:up)?|o(?:lor(?:a(?:llocate(?:alpha)?|t)|closest(?:alpha|hwb)?|deallocate|(?:exact|resolve)(?:alpha)?|match|s(?:et|forindex|total)|transparent)|nvolution|py(?:merge(?:gray)?|res(?:ampl|iz)ed)?)|r(?:eate(?:from(?:avif|(?:bm|w(?:bm|eb))p|g(?:d(?:2(?:part)?)?|if)|(?:jpe|(?:p|stri)n)g|tga|x[bp]m)|truecolor)?|op(?:auto)?))|d(?:ashedline|estroy)|ellipse|f(?:il(?:l(?:ed(?:arc|(?:ellips|rectangl)e|polygon)|toborder)?|ter)|lip|ont(?:height|width)|t(?:bbox|text))|g(?:ammacorrect|d2?|et(?:clip|interpolation)|if|rab(?:screen|window))|i(?:nterlace|struecolor)|jpeg|l(?:(?:ayereffec|oadfon)t|ine)|openpolygon|p(?:alette(?:copy|totruecolor)|ng|olygon)|r(?:e(?:ctangle|solution)|otate)|s(?:avealpha|cale|et(?:brush|clip|interpolation|pixel|style|t(?:hickness|ile))|tring(?:up)?|[xy])|t(?:ruecolortopalette|ypes)|xbm)|p_(?:(?:8bi|qprin)t|a(?:lerts|ppend)|b(?:ase64|inary|ody(?:struct)?)|c(?:heck|l(?:earflag_full|ose)|reatemailbox)|delete(?:mailbox)?|e(?:rrors|xpunge)|fetch(?:_overview|body|header|(?:mim|structur)e)|g(?:c|et(?:_quota(?:root)?|acl|mailboxes|subscribed))|header(?:info|s)|(?:is_)?open|l(?:ast_error|ist(?:scan)?|sub)|m(?:ail(?:_(?:co(?:mpose|py)|move)|boxmsginfo)?|ime_header_decode|sgno|utf7_to_utf8)|num_(?:msg|recent)|ping|r(?:e(?:namemailbox|open)|fc822_(?:parse_(?:adrlist|headers)|write_address))|s(?:avebody|e(?:arch|t(?:_quota|(?:ac|flag_ful)l))|ort|tatus|ubscribe)|t(?:hread|imeout)|u(?:id|n(?:delet|subscrib)e|tf(?:7_(?:de|en)code|8(?:_to_mutf7)?))))|n(?:_array|et_(?:ntop|pton)|flate_(?:add|get_(?:read_len|status)|init)|i_(?:get(?:_all)?|parse_quantity|restore|set)|t(?:div|erface_exists|l(?:_(?:error_nam|get_error_(?:cod|messag)|is_failur)e|cal_(?:a(?:dd|fter)|(?:befor|f(?:ield_differenc|rom_date_tim)|to_date_tim)e|c(?:lear|reate_instance)|equals|get(?:_(?:a(?:ctual_m(?:ax|in)imum|vailable_locales)|(?:day_of_week_typ|error_(?:cod|messag)|keyword_values_for_local)e|first_day_of_week|greatest_minimum|l(?:east_maximum|ocale)|m(?:aximum|inim(?:al_days_in_first_week|um))|now|(?:(?:repeat|skipp)ed_wall_time_op|weekend_transi)tion|t(?:ime(?:_zone)?|ype)))?|i(?:n_daylight_time|s_(?:equivalent_to|(?:lenien|se)t|weekend))|roll|set(?:_(?:(?:first_day_of|minimal_days_in_first)_week|lenient|(?:repeat|skipp)ed_wall_time_option|time(?:_zone)?))?)|gregcal_(?:(?:create_instanc|[gs]et_gregorian_chang)e|is_leap_year)|tz_(?:c(?:ount_equivalent_ids|reate_(?:default|enumeration|time_zone(?:_id_enumeration)?))|(?:(?:from|to)_date_time_zon|use_daylight_tim)e|get_(?:(?:canonical|windows)_id|d(?:isplay_name|st_savings)|e(?:quivalent_id|rror_(?:cod|messag)e)|(?:gm|offse)t|id(?:_for_windows_id)?|r(?:aw_offset|egion)|(?:tz_data_versio|unknow)n)|has_same_rules))))|p(?:2long|tc(?:embed|parse))|s_(?:bool|(?:(?:(?:c(?:all|ount)|(?:execu|wri)t)ab|uploaded_fi)l|i(?:nfinit|terabl)|re(?:adabl|sourc))e|f(?:i(?:l|nit)e|loat)|link|nan|s(?:calar|oap_fault|tring|ubclass_of))|terator_(?:(?:appl|to_arra)y|count))|j(?:d(?:dayofweek|monthname|to(?:french|gregorian|j(?:ewish|ulian)|unix))|(?:ewish|ulian)tojd|son_(?:last_error(?:_msg)?|validate)))[sx0b]*(",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933152",
"name": "PHP Injection Attack: Medium-Risk PHP Function Name Found",
"pattern": "(?i)b(?:kr?sort|l(?:c(?:first|g_value|h(?:grp|own))|dap_(?:8859_to_t61|(?:ad|bin)d(?:_ext)?|co(?:mpare|nnect(?:_wallet)?|unt_(?:entri|referenc)es)|d(?:elete(?:_ext)?|n2ufn)|e(?:rr(?:(?:2st|o)r|no)|scape|x(?:op(?:_(?:passwd|refresh|sync|whoami))?|plode_dn))|f(?:irst_(?:(?:attribut|referenc)e|entry)|ree_result)|get_(?:(?:attribut|entri)es|(?:d|optio|values_le)n)|list|mod(?:_(?:add|del|replace)(?:_ext)?|ify_batch)|next_(?:(?:attribut|referenc)e|entry)|parse_(?:exop|re(?:ference|sult))|re(?:ad|name(?:_ext)?)|s(?:asl_bind|e(?:arch|t_(?:option|rebind_proc))|tart_tls)|t61_to_8859|unbind)|evenshtein|i(?:bxml_(?:(?:clear|use_internal)_errors|disable_entity_loader|get_(?:e(?:rrors|xternal_entity_loader)|last_error)|set_(?:external_entity_loader|streams_context))|nkinfo|tespeed_(?:finish_request|re(?:quest|sponse)_headers))|o(?:cal(?:e(?:_(?:(?:accept_from_htt|looku)p|(?:c(?:anonicaliz|ompos)|pars)e|filter_matches|get_(?:(?:all_variant|keyword)s|d(?:efault|isplay_(?:(?:languag|nam)e|region|(?:scrip|varian)t))|primary_language|region|script)|set_default)|conv)|time)|g1[0p]|ng2ip)|stat|trim)|m(?:b_(?:c(?:h(?:eck_encoding|r)|onvert_(?:case|encoding|kana|variables))|de(?:code_(?:mimeheader|numericentity)|tect_(?:encoding|order))|e(?:ncod(?:e_(?:mimeheader|numericentity)|ing_aliases)|reg(?:_(?:match|replace(?:_callback)?|search(?:_(?:(?:get(?:po|reg)|(?:set)?po|reg)s|init))?)|i(?:_replace)?)?)|get_info|http_(?:in|out)put|internal_encoding|l(?:anguage|ist_encodings)|o(?:rd|utput_handler)|p(?:arse_str|referred_mime_name)|regex_(?:encoding|set_options)|s(?:crub|end_mail|plit|tr(?:_(?:pad|split)|cut|i(?:mwidth|pos|str)|len|pos|r(?:chr|i(?:chr|pos)|pos)|(?:st|to(?:low|upp)e)r|width)|ubst(?:itute_character|r(?:_count)?)))|(?:(?:d5|ove_uploaded)_fil|e(?:mory_(?:get_(?:peak_)?|reset_peak_)usag|taphon)|i(?:crotim|me_content_typ))e|hash(?:_(?:count|get_(?:block_siz|hash_nam)e|keygen_s2k))?|k(?:dir|time)|sg(?:_(?:(?:get_queu|re(?:ceiv|move_queu))e|queue_exists|s(?:e(?:nd|t_queue)|tat_queue))|fmt_(?:create|(?:format|parse)(?:_message)?|get_(?:(?:error_(?:cod|messag)|local)e|pattern)|set_pattern))|t_(?:getrandmax|s?rand)|ysqli_(?:a(?:ffected_rows|utocommit)|begin_transaction|c(?:ha(?:nge_user|racter_set_name)|lose|o(?:mmit|nnect(?:_err(?:no|or))?))|d(?:ata_seek|ebug|ump_debug_info)|e(?:rr(?:no|or(?:_list)?)|xecute_query)|f(?:etch_(?:a(?:ll|rray|ssoc)|column|field(?:_direct|s)?|lengths|object|row)|ield_(?:count|seek|tell)|ree_result)|get_(?:c(?:harset|lient_(?:info|stats|version)|onnection_stats)|(?:host|proto)_info|(?:links_stat|warning)s|server_(?:info|version))|in(?:fo|it|sert_id)|kill|m(?:ore_results|ulti_query)|n(?:ext_result|um_(?:field|row)s)|options|p(?:ing|oll|repare)|query|r(?:e(?:a(?:l_(?:connect|escape_string|query)|p_async_query)|fresh|(?:lease_savepoin|por)t)|ollback)|s(?:(?:avepoin|sl_se)t|e(?:lect_db|t_charset)|qlstate|t(?:(?:a|ore_resul)t|mt_(?:a(?:ffected_rows|ttr_[gs]et)|bind_(?:param|result)|close|data_seek|e(?:rr(?:no|or(?:_list)?)|xecute)|f(?:etch|(?:ield_coun|ree_resul)t)|get_(?:result|warnings)|in(?:it|sert_id)|more_results|n(?:ext_result|um_rows)|p(?:aram_count|repare)|res(?:et|ult_metadata)|s(?:end_long_data|qlstate|tore_result))))|thread_(?:id|safe)|(?:use_resul|warning_coun)t))|n(?:(?:at(?:case)?sor|gettex)t|et_get_interfaces|l(?:2br|_langinfo)|ormalizer_(?:get_raw_decomposition|is_normalized|normalize)|umfmt_(?:create|(?:format|parse)(?:_currency)?|get_(?:(?:(?:text_)?attribut|error_(?:cod|messag)|local)e|pattern|symbol)|set_(?:(?:text_)?attribute|pattern|symbol)))|o(?:b_(?:clean|end_(?:clean|flush)|(?:implicit_)?flush|g(?:et_(?:c(?:lean|ontents)|flush|le(?:ngth|vel)|status)|zhandler)|list_handlers)|c(?:i(?:_(?:(?:bind_(?:array_)?|define_)by_name|c(?:ancel|l(?:ient_version|ose)|o(?:llection_(?:a(?:ppend|ssign)|element_(?:assign|get)|max|size|trim)|(?:mmi|nnec)t))|e(?:rror|xecute)|f(?:etch(?:_(?:a(?:ll|rray|ssoc)|object|row))?|ield_(?:is_null|(?:nam|s(?:cal|iz))e|precision|type(?:_raw)?)|ree_(?:collection|descriptor|statement))|get_implicit_resultset|lob_(?:(?:appen|loa|re(?:a|win))d|copy|e(?:of|rase|xport)|flush|i(?:mport|s_equal)|s(?:(?:av|iz)e|eek)|t(?:ell|runcate)|write)|n(?:ew_(?:c(?:o(?:llection|nnect)|ursor)|descriptor)|um_(?:field|row)s)|p(?:a(?:rs|ssword_chang)e|connect)|r(?:e(?:gister_taf_callback|sult)|ollback)|s(?:e(?:rver_version|t_(?:(?:ac|db_opera|edi)tion|c(?:all_timeout|lient_i(?:dentifier|nfo))|module_name|prefetch(?:_lob)?))|tatement_type)|unregister_taf_callback)|fetchinto|[gs]etbufferinglob)|tdec)|dbc_(?:autocommit|(?:binmod|data_sourc)e|c(?:lose(?:_all)?|o(?:lumn(?:privilege)?s|mmit|nnect(?:ion_string_(?:is_quoted|(?:should_)?quote))?)|ursor)|e(?:rror(?:msg)?|xec(?:ute)?)|f(?:etch_(?:array|into|object|row)|ield_(?:len|n(?:ame|um)|(?:scal|typ)e)|oreignkeys|ree_result)|gettypeinfo|longreadlen|n(?:ext_result|um_(?:field|row)s)|p(?:connect|r(?:epare|(?:imarykey|ocedure(?:column)?)s))|r(?:esult(?:_all)?|ollback)|s(?:etoption|(?:pecialcolumn|tatistic)s)|table(?:privilege)?s)|p(?:cache_(?:compile_file|get_(?:configuration|status)|i(?:nvalidate|s_script_cached)|reset)|en(?:dir|log|ssl_(?:c(?:ipher_(?:iv|key)_length|ms_(?:(?:de|en)crypt|read|sign|verify)|sr_(?:export(?:_to_file)?|get_(?:public_key|subject)|new|sign))|d(?:(?:ecryp|iges)t|h_compute_key)|e(?:ncrypt|rror_string)|(?:get_(?:c(?:ert_location|ipher_method|urve_name)|md_method)|random_pseudo_byte)s|open|p(?:bkdf2|k(?:cs(?:12_(?:export(?:_to_file)?|read)|7_(?:(?:de|en)crypt|read|sign|verify))|ey_(?:(?:deriv|fre)e|export(?:_to_file)?|get_(?:details|p(?:rivate|ublic))|new))|(?:rivate|ublic)_(?:de|en)crypt)|s(?:eal|ign|pki_(?:export(?:_challenge)?|new|verify))|verify|x509_(?:check(?:_private_key|purpose)|export(?:_to_file)?|f(?:ingerprint|ree)|parse|read|verify))))|utput_(?:add_rewrite_var|reset_rewrite_vars))|p(?:a(?:rse_(?:ini_(?:file|string)|str)|ss(?:thru|word_(?:algos|get_info|(?:needs_re)?hash|verify))|thinfo)|c(?:lose|ntl_(?:a(?:larm|sync_signals)|exec|forkx?|get(?:_last_error|priority)|rfork|s(?:etpriority|ig(?:nal(?:_(?:dispatch|get_handler))?|procmask|timedwait|waitinfo)|trerror)|unshare|w(?:ait(?:pid)?|exitstatus|if(?:continu|exit|s(?:ignal|topp))ed|(?:stop|term)sig)))|do_drivers|fsockopen|g_(?:(?:affected_row|num_(?:field|row)|option)s|c(?:ancel_query|l(?:ient_encoding|ose)|o(?:n(?:nect(?:_poll|ion_(?:busy|reset|status))?|(?:sume_inpu|ver)t)|py_(?:from|to)))|d(?:bnam|elet)e|e(?:n(?:d_copy|ter_pipeline_mode)|scape_(?:bytea|identifier|literal|string)|x(?:ecut|it_pipeline_mod)e)|f(?:etch_(?:a(?:ll(?:_columns)?|rray|ssoc)|object|r(?:esult|ow))|ield(?:_(?:is_null|n(?:ame|um)|prtlen|size|t(?:able|ype(?:_oid)?))|isnull|prtlen)|lush|ree_result)|get_(?:notify|pid|result)|(?:hos|inser)t|l(?:ast_(?:error|notice|oid)|o_(?:(?:c(?:los|reat)|writ)e|(?:ex|im)port|open|read(?:_all)?|(?:see|unlin)k|t(?:ell|runcate)))|meta_data|p(?:arameter_status|(?:connec|or)t|i(?:ng|peline_s(?:tatus|ync))|(?:repar|ut_lin)e)|query(?:_params)?|result_(?:error(?:_field)?|s(?:eek|tatus))|s(?:e(?:lect|nd_(?:(?:execut|prepar)e|query(?:_params)?)|t_(?:client_encoding|error_(?:context_visibil|verbos)ity))|ocket)|t(?:ra(?:ce|nsaction_status)|ty)|u(?:n(?:escape_bytea|trace)|pdate)|version)|hp(?:_(?:ini_(?:loaded_file|scanned_files)|(?:s(?:api_nam|trip_whitespac)|unam)e)|credits|dbg_(?:break_(?:f(?:ile|unction)|method|next)|c(?:lea|olo)r|e(?:nd_oplog|xec)|get_executable|prompt|start_oplog)|info|version)|osix_(?:e?access|ctermid|f?pathconf|get(?:_last_error|(?:cw|(?:e[gu]|[su])i)d|g(?:id|r(?:gid|nam|oups))|login|p(?:g(?:id|rp)|p?id|w(?:nam|uid))|rlimit)|i(?:nitgroups|satty)|kill|mk(?:fifo|nod)|s(?:et(?:(?:e[gu]|p?g|[su])id|rlimit)|trerror|ysconf)|t(?:imes|tyname)|uname)|r(?:eg_(?:filter|grep|last_error(?:_msg)?|match_all|quote|replace_callback(?:_array)?|split)|o(?:c_(?:(?:clos|nic|terminat)e|get_status|open)|perty_exists))|spell_(?:add_to_(?:personal|session)|c(?:heck|lear_session|onfig_(?:(?:creat|ignor|mod)e|d(?:ata|ict)_dir|(?:persona|save_rep)l|r(?:epl|untogether)))|new(?:_(?:config|personal))?|s(?:(?:ave_wordli|ugge)s|tore_replacemen)t)|utenv)|quote(?:d_printable_(?:de|en)code|meta))[sx0b]*(",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933153",
"name": "PHP Injection Attack: Medium-Risk PHP Function Name Found",
"pattern": "(?i)b(?:r(?:a(?:d2deg|ndom_(?:bytes|int)|wurl(?:de|en)code)|e(?:a(?:d(?:dir|(?:gz)?file|lin(?:e(?:_(?:(?:(?:add|list|write)_histor|re(?:ad_histor|displa))y|c(?:allback_(?:handler_(?:install|remove)|read_char)|lear_history|ompletion_function)|info|on_new_line))?|k))|lpath(?:_cache_(?:get|size))?)|gister_(?:shutdown|tick)_function|s(?:ourcebundle_(?:c(?:ount|reate)|get(?:_error_(?:cod|messag)e)?|locales)|tore_e(?:rror|xception)_handler)|wind(?:dir)?)|mdir|sort)|s(?:api_windows_(?:cp_(?:conv|[gs]et|is_utf8)|(?:generate_ctrl_even|vt100_suppor)t|set_ctrl_handler)|candir|e(?:m_(?:(?:acquir|re(?:leas|mov))e|get)|ssion_(?:(?:abor|unse)t|c(?:ache_(?:expire|limiter)|reate_id)|de(?:code|stroy)|(?:encod|(?:module_)?nam|write_clos)e|g(?:c|et_cookie_params)|id|re(?:g(?:enerate_id|ister_shutdown)|set)|s(?:ave_path|et_(?:cookie_params|save_handler)|ta(?:rt|tus)))|t(?:_(?:e(?:rror|xception)_handler|include_path|time_limit)|(?:(?:raw)?cooki|local)e))|h(?:a1(?:_file)?|ell_exec|m(?:_(?:(?:at|de)tach|(?:(?:ge|pu)t|has)_var|remove(?:_var)?)|op_(?:(?:clos|(?:dele|wri)t|siz)e|open|read)))|i(?:m(?:ilar_text|plexml_(?:import_dom|load_(?:file|string)))|nh)|nmp(?:[23]_(?:get(?:next)?|(?:real_)?walk|set)|_(?:get_(?:quick_print|valueretrieval)|read_mib|set_(?:(?:(?:enum|quick)_prin|oid_output_forma)t|valueretrieval))|get(?:next)?|(?:real)?walk|set)|o(?:cket_(?:a(?:ccept|ddrinfo_(?:bind|connect|explain|lookup)|tmark)|bind|c(?:l(?:ear_error|ose)|msg_space|onnect|reate(?:_(?:listen|pair))?)|(?:ex|im)port_stream|get(?:_option|(?:peer|sock)name)|l(?:ast_error|isten)|re(?:ad|cv(?:from|msg)?)|s(?:e(?:lect|nd(?:msg|to)?|t_(?:(?:non)?block|option))|hutdown|trerror)|w(?:rite|saprotocol_info_(?:(?:ex|im)port|release)))|dium_(?:(?:ad|(?:un)?pa)d|b(?:ase642bin|in2(?:base64|hex))|c(?:ompare|rypto_(?:a(?:ead_(?:aes256gcm_(?:(?:de|en)crypt|is_available|keygen)|chacha20poly1305_(?:(?:de|en)crypt|ietf_(?:(?:de|en)crypt|keygen)|keygen)|xchacha20poly1305_ietf_(?:(?:de|en)crypt|keygen))|uth(?:_(?:keygen|verify))?)|box(?:_(?:keypair(?:_from_secretkey_and_publickey)?|open|publickey(?:_from_secretkey)?|se(?:al(?:_open)?|cretkey|ed_keypair)))?|core_ristretto255_(?:add|from_hash|is_valid_point|random|s(?:calar_(?:add|(?:complemen|inver)t|mul|negate|r(?:andom|educe)|sub)|ub))|generichash(?:_(?:final|init|keygen|update))?|k(?:df_(?:derive_from_key|keygen)|x_(?:client_session_keys|keypair|publickey|se(?:cretkey|ed_keypair|rver_session_keys)))|pwhash(?:_s(?:cryptsalsa208sha256(?:_str(?:_verify)?)?|tr(?:_(?:needs_rehash|verify))?))?|s(?:calarmult(?:_ristretto255(?:_base)?)?|ecret(?:box(?:_(?:keyg|op)en)?|stream_xchacha20poly1305_(?:(?:init_)?pu(?:ll|sh)|keygen|rekey))|horthash(?:_keygen)?|ign(?:_(?:(?:verify_)?detached|ed25519_[ps]k_to_curve25519|keypair(?:_from_secretkey_and_publickey)?|open|publickey(?:_from_secretkey)?|se(?:cretkey|ed_keypair)))?|tream(?:_(?:keygen|x(?:chacha20(?:_(?:keygen|xor(?:_ic)?))?|or)))?)))|hex2bin|increment|mem(?:cmp|zero))|undex)|p(?:l_(?:autoload(?:_(?:call|(?:extens|funct)ions|(?:un)?register))?|classes|object_(?:hash|id))|rintf)|qrt|scanf|tr(?:_(?:contains|(?:decreme|word_cou)nt|ends_with|getcsv|i(?:ncrement|replace)|pad|r(?:epeat|ot13)|s(?:huffle|plit|tarts_with))|c(?:(?:asec)?mp|oll|spn)|eam_(?:bucket_(?:(?:ap|pre)pend|make_writeable|new)|co(?:ntext_(?:create|get_(?:default|(?:option|param)s)|set_(?:default|options?|params))|py_to_stream)|filter_(?:(?:ap|pre)pend|re(?:gister|move))|get_(?:(?:(?:conten|transpor)t|(?:filt|wrapp)er)s|line|meta_data)|is(?:_local|atty)|resolve_include_path|s(?:e(?:lect|t_(?:blocking|chunk_size|(?:read|write)_buffer|timeout))|ocket_(?:(?:accep|clien)t|enable_crypto|get_name|pair|recvfrom|s(?:e(?:ndto|rver)|hutdown))|upports_lock)|wrapper_(?:re(?:gister|store)|unregister))|ftime|i(?:p(?:c?slashe|o)s|str)|n(?:at)?c(?:asec)?mp|p(?:brk|time)|r(?:chr|ev|i?pos)|s(?:pn|tr)|t(?:ok|r)|val)|ubstr_(?:co(?:mpare|unt)|replace)|ys_get(?:_temp_dir|loadavg))|t(?:anh|e(?:mpnam|st[12]|xtdomain)|i(?:dy_(?:(?:access|error|warning)_count|c(?:lean_repair|onfig_count)|diagnose|get(?:_(?:body|config|error_buffer|h(?:ead|tml(?:_ver)?)|o(?:pt_doc|utput)|r(?:elease|oot)|status)|opt)|is_x(?:ht)?ml|(?:parse|repair)_(?:file|string))|me(?:_(?:nanosleep|sleep_until)|zone_(?:(?:(?:abbreviation|identifier)s_lis|(?:(?:locat|vers)ion|transitions)_ge)t|name_(?:from_abbr|get)|o(?:ffset_get|pen))))|mpfile|oken_(?:get_all|name)|r(?:a(?:it_exists|nsliterator_(?:create(?:_(?:from_rules|inverse))?|(?:get_error_(?:cod|messag)|transliterat)e|list_ids))|igger_error))|u(?:[ak]sort|cwords|mask|n(?:i(?:qi|xtoj)d|register_tick_function)|(?:rlde|tf8_(?:de|en))code|s(?:e_soap_error_handler|leep|ort))|v(?:ar(?:_(?:dump|export)|iant_(?:a(?:bs|[dn]d)|c(?:as?t|mp)|d(?:ate_(?:from|to)_timestamp|iv)|eqv|fix|get_type|i(?:div|mp|nt)|m(?:od|ul)|n(?:eg|ot)|x?or|pow|round|s(?:et(?:_type)?|ub)))|ersion_compare|[fs]?printf)|wordwrap|xml(?:_(?:error_string|get_(?:current_(?:byte_index|(?:column|line)_number)|error_code)|parse(?:_into_struct|r_(?:create(?:_ns)?|free|[gs]et_option))?|set_(?:(?:character_data|default|e(?:lement|nd_namespace_decl|xternal_entity_ref)|(?:notation|start_namespace|unparsed_entity)_decl|processing_instruction)_handler|object))|writer_(?:end_(?:attribute|c(?:data|omment)|d(?:ocument|td(?:_(?:attlist|e(?:lement|ntity)))?)|element|pi)|f(?:lush|ull_end_element)|o(?:pen_(?:memory|uri)|utput_memory)|s(?:et_indent(?:_string)?|tart_(?:(?:attribute|element)(?:_ns)?|c(?:data|omment)|d(?:ocument|td(?:_(?:attlist|e(?:lement|ntity)))?)|pi))|text|write_(?:(?:attribute|element)(?:_ns)?|c(?:data|omment)|dtd(?:_(?:attlist|e(?:lement|ntity)))?|pi|raw)))|z(?:end_(?:c(?:all_method|reate_unterminated_string)|get_(?:current_func_name|map_ptr_last|unit_enum)|iterable(?:_legacy)?|leak_(?:bytes|variable)|(?:number_or_string|string_or_(?:object|stdclass))(?:_or_null)?|t(?:e(?:rminate_string|st_(?:(?:(?:nullable_)?array|void)_return|c(?:ompile_string|r(?:ash|eate_throwing_resource))|deprecated|f(?:ill_packed_array|unc)|is_string_marked_as_valid_utf8|(?:override_libxml_global_sta|parameter_with_attribu)te|zend_(?:call_stack_(?:get|use_all)|ini_(?:parse_u?quantity|str))))|hread_id)|version|weakmap_(?:attach|dump|remove))|ip_(?:close|entry_(?:c(?:lose|ompress(?:edsize|ionmethod))|(?:filesiz|nam)e|open|read)|open|read)|lib_(?:(?:de|en)cod|get_coding_typ)e)|ZendTestNS2_(?:ZendSubNS_)?namespaced_(?:deprecated_)?func)[sx0b]*(",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933131",
"name": "PHP Injection Attack: Variables Found",
"pattern": "AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933161",
"name": "PHP Injection Attack: Low-Value PHP Function Call Found",
"pattern": "(?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sx0b]|/*.**/|(?:#|//).*)*(.*)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933111",
"name": "PHP Injection Attack: PHP Script File Upload Found",
"pattern": ".*.ph(?:pd*|tml|ar|ps|t|pt)..*$",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
},
{
"id": "933211",
"name": "PHP Injection Attack: Variable Function Call Found",
"pattern": "(?:((?:.+)(?:[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-injection-php",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-PHP",
"capec/1000/152/242"
]
}
]
},
{
"id": "crs-generic-attack",
"name": "CRS Generic Application Attack",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Generic Application Attack (9 rules)",
"author": "OWASP CRS Project",
"priority": 5,
"enabled": true,
"rules": [
{
"id": "934100",
"name": "Node.js Injection Attack 1/2",
"pattern": "_(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sx0b]+Function[sx0b]*)(|(?:String.fromCharCod|Module:prototyp)e|function(){|this.constructor|module.exports=|([sx0b]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sx0b]*)|cons(?:tructor:constructor|ole(?:.(?:(?:debu|lo)g|error|info|trace|warn)(?:.call)?(|[[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"attack-injection-generic",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-GENERIC",
"capec/1000/152/242"
]
},
{
"id": "934130",
"name": "JavaScript Prototype Pollution",
"pattern": "(?:__proto__|constructors*(?:.|]?[)s*prototype)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"attack-injection-generic",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-GENERIC",
"capec/1/180/77"
]
},
{
"id": "934150",
"name": "Ruby Injection Attack",
"pattern": "Process[sx0b]*.[sx0b]*spawn[sx0b]*(",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"attack-injection-generic",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-GENERIC",
"capec/1000/152/242"
]
},
{
"id": "934160",
"name": "Node.js DoS attack",
"pattern": "while[sx0b]*([sx0b(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"attack-injection-generic",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-GENERIC",
"capec/1000/152/242"
]
},
{
"id": "934170",
"name": "PHP data scheme attack",
"pattern": "^data:(?:(?:*|[^!",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-ssrf",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-GENERIC",
"capec/1000/152/242"
]
},
{
"id": "934101",
"name": "Node.js Injection Attack 2/2",
"pattern": "(?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sx0b]*(",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"attack-injection-generic",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-GENERIC",
"capec/1000/152/242"
]
},
{
"id": "934120",
"name": "Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address",
"pattern": "(?i)(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip):/?/?(?:[0-9]{7,10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][-.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sx0b]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][-.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:x{e2}(?:x91[xa0-x{bf}]|x92[x80-x{bf}]|x93[x80-x{a9}x{ab}-x{bf}])|x{e3}x80x82)+)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-ssrf",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-GENERIC",
"capec/1000/225/664"
]
},
{
"id": "934140",
"name": "Perl Injection Attack",
"pattern": "@+{[sx0b]*[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"attack-injection-generic",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-GENERIC",
"capec/1000/152/242"
]
},
{
"id": "934180",
"name": "SSTI Attack",
"pattern": "(?:{%[^%}]*%}|<%=?[^%>]*%>)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-ssti",
"attack-injection-generic",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-GENERIC",
"capec/1000/152/242"
]
}
]
},
{
"id": "crs-xss",
"name": "CRS Cross-Site Scripting (XSS)",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Cross-Site Scripting (XSS) (31 rules)",
"author": "OWASP CRS Project",
"priority": 5,
"enabled": true,
"rules": [
{
"id": "941100",
"name": "XSS Attack Detected via libinjection",
"pattern": "@detectXSS",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941110",
"name": "XSS Filter - Category 1: Script Tag Vector",
"pattern": "(?i)<script[^>]*>[sS]*?",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941120",
"name": "XSS Filter - Category 2: Event Handler Vector",
"pattern": "(?i)[s",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941130",
"name": "XSS Filter - Category 3: Attribute Vector",
"pattern": "(?i).(?:b(?:(?:x(?:link:href|html|mlns)|data:text/html|formaction)b|pattern[sx0b]*=)|(?:!ENTITY[sx0b]+(?:%[sx0b]+)?[^sx0b]+[sx0b]+(?:SYSTEM|PUBLIC)|@import|;base64)b)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941140",
"name": "XSS Filter - Category 4: Javascript URI Vector",
"pattern": "(?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941160",
"name": "NoScript XSS InjectionChecker: HTML Injection",
"pattern": "(?i)<[^0-9<>A-Z_a-z]*(?:[^sx0b",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941170",
"name": "NoScript XSS InjectionChecker: Attribute Injection",
"pattern": "(?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941190",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941200",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941210",
"name": "Javascript Word Detected",
"pattern": "(?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941220",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941230",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i)<EMBED[s/+].*?(?:src|type).*?=",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941240",
"name": "IE XSS Filters - Attack Detected",
"pattern": "<[?]?import[s/+S]*?implementation[s/+]*?=",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941250",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941260",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i:<META[s/+].*?charset[s/+]*=)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941270",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i)<LINK[s/+].*?href[s/+]*=",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941280",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i)<BASE[s/+].*?href[s/+]*=",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941290",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i)<APPLET[s/+>]",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941300",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941310",
"name": "US-ASCII Malformed Encoding XSS Filter - Attack Detected",
"pattern": "xbc[^xbe>]*[xbe>]|<[^xbe]*xbe",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941350",
"name": "UTF-7 Encoding IE XSS - Attack Detected",
"pattern": "+ADw-.*(?:+AD4-|>)|<.*+AD4-",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941360",
"name": "JSFuck / Hieroglyphy obfuscation detected",
"pattern": "![!+ ][]",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242/63"
]
},
{
"id": "941370",
"name": "JavaScript global variable found",
"pattern": "(?:self|document|this|top|window)s*(?:/*|[[)]).+?(?:]|*/)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242/63"
]
},
{
"id": "941390",
"name": "Javascript method detected",
"pattern": "(?i)b(?:eval|set(?:timeout|interval)|new[sx0b]+Function|a(?:lert|tob)|btoa|(?:promp|impor)t|con(?:firm|sole.(?:log|dir))|fetch)[sx0b]*[({]",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941400",
"name": "XSS JavaScript function without parentheses",
"pattern": "((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941101",
"name": "XSS Attack Detected via libinjection",
"pattern": "@detectXSS",
"targets": [
"headers",
"uri"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941150",
"name": "XSS Filter - Category 5: Disallowed HTML Attributes",
"pattern": "(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941320",
"name": "Possible XSS Attack Detected - HTML Tag Handler",
"pattern": "<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242/63"
]
},
{
"id": "941330",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i:[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941340",
"name": "IE XSS Filters - Attack Detected",
"pattern": "(?i)[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242"
]
},
{
"id": "941380",
"name": "AngularJS client side template injection detected",
"pattern": "{{.*?}}",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "xss",
"enabled": true,
"tags": [
"attack-xss",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-XSS",
"capec/1000/152/242/63"
]
}
]
},
{
"id": "crs-sqli",
"name": "CRS SQL Injection (SQLi)",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS SQL Injection (SQLi) (60 rules)",
"author": "OWASP CRS Project",
"priority": 3,
"enabled": true,
"rules": [
{
"id": "942100",
"name": "SQL Injection Attack Detected via libinjection",
"pattern": "@detectSQLi",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942140",
"name": "SQL Injection Attack: Common DB Names Detected",
"pattern": "(?i)b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*(|(?:information_schema|m(?:aster..sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql.db)|northwind|pg_(?:catalog|toast)|tempdb)b|s(?:chema(?:_nameb|[^0-9A-Z_a-z]*()|(?:qlite_(?:temp_)?master|ys(?:aux|.database_name))b))",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942151",
"name": "SQL Injection Attack: SQL function name detected",
"pattern": "(?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|eil(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert_tz)?)|t)|rc32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|s_(?:de|en)crypt)|ump)|e(?:n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|insert|object(?:_(?:agg|keys))?|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|insert_id)|case|east|i(?:kely|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2))|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:lygon|w)|rocedure_analyse)|qu(?:ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp))|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942160",
"name": "Detects blind sqli tests using sleep() or benchmark()",
"pattern": "(?i:sleeps*?(.*?)|benchmarks*?(.*?,.*?))",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942170",
"name": "Detects SQL benchmark and sleep injection attempts including conditional queries",
"pattern": "(?i)(?:select|;)[sx0b]+(?:benchmark|if|sleep)[sx0b]*?([sx0b]*?(?[sx0b]*?[0-9A-Z_a-z]+",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942190",
"name": "Detects MSSQL code execution and information gathering attempts",
"pattern": "(?i)[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942220",
"name": "Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \"magic number\" crash",
"pattern": "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942230",
"name": "Detects conditional SQL injection attempts",
"pattern": "(?i)[sx0b()]case[sx0b]+when.*?then|)[sx0b]*?like[sx0b]*?(|select.*?having[sx0b]*?[^sx0b]+[sx0b]*?[^sx0b0-9A-Z_a-z]|if[sx0b]?([0-9A-Z_a-z]+[sx0b]*?[<->~]",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942240",
"name": "Detects MySQL charset switch and MSSQL DoS attempts",
"pattern": "(?i)alter[sx0b]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sx0b]+set[sx0b]+[0-9A-Z_a-z]+|[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942250",
"name": "Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections",
"pattern": "(?i:merge.*?usings*?(|executes*?immediates*?[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942270",
"name": "Looking for basic sql injection. Common attack string for mysql, oracle and others",
"pattern": "(?i)union.*?select.*?from",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942280",
"name": "Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts",
"pattern": "(?i)select[sx0b]*?pg_sleep|waitfor[sx0b]*?delay[sx0b]?[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942290",
"name": "Finds basic MongoDB SQL injection attempts",
"pattern": "(?i)[?$(?:a(?:bs|c(?:cumulator|osh?)|dd(?:ToSet)?|ll(?:ElementsTrue)?|n(?:d|yElementTrue)|rray(?:ElemA|ToObjec)t|sinh?|tan[2h]?|vg)|b(?:etween|i(?:narySize|t(?:And|Not|(?:O|Xo)r)?)|ottomN?|sonSize|ucket(?:Auto)?)|c(?:eil|mp|o(?:n(?:cat(?:Arrays)?|d|vert)|sh?|unt|variance(?:Po|Sam)p)|urrentDate)|d(?:a(?:te(?:Add|Diff|From(?:Parts|String)|Subtract|T(?:o(?:Parts|String)|runc))|yOf(?:Month|Week|Year))|e(?:greesToRadians|nseRank|rivative)|iv(?:ide)?|ocumentNumber)|e(?:(?:a|lemMat)ch|q|x(?:ists|p(?:MovingAvg|r)?))|f(?:i(?:lter|rstN?)|loor|unction)|g(?:etField|roup|te?)|(?:hou|xo|yea)r|i(?:fNull|n(?:c|dexOf(?:Array|Bytes|CP)|tegral)?|s(?:Array|Number|o(?:DayOfWeek|Week(?:Year)?)))|jsonSchema|l(?:astN?|et|i(?:ke|(?:nearFil|tera)l)|n|o(?:cf|g(?:10)?)|t(?:e|rim)?)|m(?:a(?:p|xN?)|e(?:dian|rgeObjects|ta)|i(?:llisecond|n(?:N|ute)?)|o(?:d|nth)|ul(?:tiply)?)|n(?:atural|e|in|o[rt])|o(?:bjectToArray|r)|p(?:ercentile|o(?:[pw]|sition)|roject|u(?:ll(?:All)?|sh))|r(?:a(?:diansToDegrees|n(?:[dk]|ge))|e(?:(?:duc|nam)e|gex(?:Find(?:All)?|Match)?|place(?:All|One)|verseArray)|ound|trim)|s(?:(?:ampleRat|lic)e|e(?:cond|t(?:Difference|(?:Equal|WindowField)s|Field|I(?:ntersection|sSubset)|OnInsert|Union)?)|(?:hif|pli|qr)t|i(?:nh?|ze)|ort(?:Array)?|t(?:dDev(?:Po|Sam)p|r(?:Len(?:Bytes|CP)|casecmp))|u(?:b(?:str(?:Bytes|CP)?|tract)|m)|witch)|t(?:anh?|ext|o(?:Bool|D(?:(?:at|oubl)e|ecimal)|HashedIndexKey|Int|Lo(?:ng|wer)|ObjectId|String|U(?:UID|pper)|pN?)|r(?:im|unc)|s(?:Increment|Second)|ype)|unset|w(?:eek|here)|zip)]?",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942320",
"name": "Detects MySQL and PostgreSQL stored procedure/function injections",
"pattern": "(?i)create[sx0b]+(?:function|procedure)[sx0b]*?[0-9A-Z_a-z]+[sx0b]*?([sx0b]*?)[sx0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sx0b]*?[0-9A-Z_a-z]+|iv[sx0b]*?([+-]*[sx0b.0-9]+,[+-]*[sx0b.0-9]+))|exec[sx0b]*?([sx0b]*?@|(?:lo_(?:impor|ge)t|procedure[sx0b]+analyse)[sx0b]*?(|;[sx0b]*?(?:declare|open)[sx0b]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sx0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942350",
"name": "Detects MySQL UDF injection and other data/structure manipulation attempts",
"pattern": "(?i)create[sx0b]+function[sx0b].+[sx0b]returns|;[sx0b]*?(?:alter|(?:(?:cre|trunc|upd)at|re(?:nam|plac))e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sx0b]*?[([]?[0-9A-Z_a-z]{2,}",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942360",
"name": "Detects concatenated basic SQL injection and SQLLFI attempts",
"pattern": "(?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sx0b]+(?:char|group_concat|load_file)b[sx0b]*(?|end[sx0b]*?);)|[sx0b(]load_file[sx0b]*?(|[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942500",
"name": "MySQL in-line comment detected",
"pattern": "(?i)/*[sx0b]*?[!+](?:[sx0b()-0-9=A-Z_a-z]+)?*/",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942540",
"name": "SQL Authentication bypass (split query)",
"pattern": "^(?:[^']*'|[^",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"paranoia-level/1",
"capec/1000/152/248/66"
]
},
{
"id": "942560",
"name": "MySQL Scientific Notation payload detected",
"pattern": "(?i)1.e(?:[(),]|.[$0-9A-Z_a-z])",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942550",
"name": "JSON-Based SQL Injection",
"pattern": "(?i)[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942120",
"name": "SQL Injection Attack: SQL Operator Detected",
"pattern": "(?i)[!=]=|&&||||->|>[=>]|<(?:[<=]|>(?:[sx0b]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942130",
"name": "SQL Injection Attack: SQL Boolean-based attack detected",
"pattern": "(?i)[sx0b",
"targets": [
"body",
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942131",
"name": "SQL Injection Attack: SQL Boolean-based attack detected",
"pattern": "(?i)[sx0b",
"targets": [
"body",
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942150",
"name": "SQL Injection Attack: SQL function name detected",
"pattern": "(?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942180",
"name": "Detects basic SQL authentication bypass attempts 1/3",
"pattern": "(?i)(?:/*)+[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942200",
"name": "Detects MySQL comment-/space-obfuscated injections and backtick termination",
"pattern": "(?i),.*?(?:[)0-9a-f](?:$|[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942210",
"name": "Detects chained SQL injection attempts 1/2",
"pattern": "(?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sx0b(]+[0-9A-Z_a-z]+[sx0b)]*?[!+=]+[sx0b0-9]*?[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942260",
"name": "Detects basic SQL authentication bypass attempts 2/3",
"pattern": "(?i)[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942300",
"name": "Detects MySQL comments, conditions and ch(a)r injections",
"pattern": "(?i))[sx0b]*?when[sx0b]*?[0-9]+[sx0b]*?then|[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942310",
"name": "Detects chained SQL injection attempts 2/2",
"pattern": "(?i)(?:([sx0b]*?select[sx0b]*?[0-9A-Z_a-z]+|coalesce|order[sx0b]+by[sx0b]+if[0-9A-Z_a-z]*?)[sx0b]*?(|*/from|+[sx0b]*?[0-9]+[sx0b]*?+[sx0b]*?@|[0-9A-Z_a-z][",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942330",
"name": "Detects classic SQL injection probings 1/3",
"pattern": "(?i)[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942340",
"name": "Detects basic SQL authentication bypass attempts 3/3",
"pattern": "(?i)in[sx0b]*?(+[sx0b]*?select|(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)[sx0b]+|(?:|||&&)[sx0b]*?)[sx0b+0-9A-Z_a-z]+(?:regexp[sx0b]*?(|sounds[sx0b]+like[sx0b]*?[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942361",
"name": "Detects basic SQL injection based on keyword alter or union",
"pattern": "(?i:^[Wd]+s*?(?:alter|union)b)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942362",
"name": "Detects concatenated basic SQL injection and SQLLFI attempts",
"pattern": "(?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sx0b]+(?:char|group_concat|load_file)[sx0b]?(?|end[sx0b]*?);|[sx0b(]load_file[sx0b]*?(|[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942370",
"name": "Detects classic SQL injection probings 2/3",
"pattern": "(?i)[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942380",
"name": "SQL Injection Attack",
"pattern": "(?i)b(?:havingb(?:[sx0b]+(?:[0-9]{1,10}|'[^=]{1,10}')[sx0b]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942390",
"name": "SQL Injection Attack",
"pattern": "(?i)b(?:orb(?:[sx0b]?(?:[0-9]{1,10}|[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942400",
"name": "SQL Injection Attack",
"pattern": "(?i)bandb(?:[sx0b]+(?:[0-9]{1,10}[sx0b]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942410",
"name": "SQL Injection Attack",
"pattern": "(?i)b(?:a(?:(?:b|co)s|vg)|bin|c(?:(?:as|o(?:nver|un))t|h(?:ar(?:set)?|r))|d(?:a(?:te|y)|e(?:fault|grees))|elt|f(?:ield|loor|ormat)|(?:hou|quarte|yea)r|i[fns]|l(?:ast|e(?:ft|ngth)|n|ikelihood|o(?:cal|g|wer))|m(?:ax|in(?:ute)?|o(?:d|nth))|now|p(?:assword|i|o(?:sition|wer))|r(?:awtonhex(?:toraw)?|e(?:p(?:eat|lace)|verse)|ight|ound)|s(?:econd|ign|leep|pace|tddev|um)|t(?:an|ime|o_(?:n?char|(?:day|second)s))|u(?:nlikely|(?:pp|s)er)|v(?:alues|ersion)|week)[^0-9A-Z_a-z]*?(",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942470",
"name": "SQL Injection Attack",
"pattern": "(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942480",
"name": "SQL Injection Attack",
"pattern": "(?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942430",
"name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)",
"pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){12})",
"targets": [
"body",
"query"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942440",
"name": "SQL Comment Sequence Detected",
"pattern": "/*!?|*/|[';]--|--(?:[sx0b]|[^-]*?-)|[^&-]#.*?[sx0b]|;?x00",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942450",
"name": "SQL Bin or Hex Encoding Identified",
"pattern": "(?i:b0x[a-fd]{3,}|x'[a-fd]{3,}'|b'[0-1]{10,}')",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942510",
"name": "SQLi bypass attempt by ticks or backticks detected",
"pattern": "(?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942520",
"name": "Detects basic SQL authentication bypass attempts 4.0/4",
"pattern": "(?i)[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942521",
"name": "Detects basic SQL authentication bypass attempts 4.1/4",
"pattern": "(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942522",
"name": "Detects basic SQL authentication bypass attempts 4.1/4",
"pattern": "^.*?x5c['",
"targets": [
"body",
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942101",
"name": "SQL Injection Attack Detected via libinjection",
"pattern": "@detectSQLi",
"targets": [
"uri"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942152",
"name": "SQL Injection Attack: SQL function name detected",
"pattern": "(?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|eil(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|rc32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|insert_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942321",
"name": "Detects MySQL and PostgreSQL stored procedure/function injections",
"pattern": "(?i)create[sx0b]+(?:function|procedure)[sx0b]*?[0-9A-Z_a-z]+[sx0b]*?([sx0b]*?)[sx0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sx0b]*?[0-9A-Z_a-z]+|iv[sx0b]*?([+-]*[sx0b.0-9]+,[+-]*[sx0b.0-9]+))|exec[sx0b]*?([sx0b]*?@|(?:lo_(?:impor|ge)t|procedure[sx0b]+analyse)[sx0b]*?(|;[sx0b]*?(?:declare|open)[sx0b]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sx0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942251",
"name": "Detects HAVING injections",
"pattern": "(?i)W+d*?s*?bhavingbs*?[^s-]",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942490",
"name": "Detects classic SQL injection probings 3/3",
"pattern": "[",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942420",
"name": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)",
"pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){8})",
"targets": [
"headers"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942431",
"name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)",
"pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){6})",
"targets": [
"body",
"query"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942460",
"name": "Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters",
"pattern": "W{4}",
"targets": [
"query"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942511",
"name": "SQLi bypass attempt by ticks detected",
"pattern": "(?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942530",
"name": "SQLi query termination detected",
"pattern": "';",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942421",
"name": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)",
"pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){3})",
"targets": [
"headers"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/4",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
},
{
"id": "942432",
"name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)",
"pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){2})",
"targets": [
"body",
"query"
],
"action": "block",
"score": 5,
"severity": "medium",
"category": "sqli",
"enabled": true,
"tags": [
"attack-sqli",
"paranoia-level/4",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SQLI",
"capec/1000/152/248/66"
]
}
]
},
{
"id": "crs-session-fixation",
"name": "CRS Session Fixation",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Session Fixation (3 rules)",
"author": "OWASP CRS Project",
"priority": 10,
"enabled": true,
"rules": [
{
"id": "943100",
"name": "Possible Session Fixation Attack: Setting Cookie Values in HTML",
"pattern": "(?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "session_fixation",
"enabled": true,
"tags": [
"attack-fixation",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SESSION-FIXATION",
"capec/1000/225/21/593/61"
]
},
{
"id": "943110",
"name": "Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer",
"pattern": "^(?:j(?:se(?:ssionid|rvsession)|wsession)|(?:asp(?:.net_)?session|zend_session_)id|p(?:hpsessi(?:on|d)|lay_session)|(?:(?:w(?:eblogic|l)|rack.|laravel_)sessio|(?:next-auth.session-|meteor_login_)toke)n|s(?:(?:ession[-_]?|ails.s)id|hiny-token)|_(?:session_id|(?:(?:flask|rails)_sessio|_(?:secure|host)-next-auth.session-toke)n)|c(?:f(?:s?id|token)|onnect.sid|akephp|i_session)|koa[.:]sess)$",
"targets": [
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "session_fixation",
"enabled": true,
"tags": [
"attack-fixation",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SESSION-FIXATION",
"capec/1000/225/21/593/61"
]
},
{
"id": "943120",
"name": "Possible Session Fixation Attack: SessionID Parameter Name with No Referer",
"pattern": "^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|sessionid|cfid|cftoken|cfsid|jservsession|jwsession|_flask_session|_session_id|connect.sid|laravel_session)$",
"targets": [
"query"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "session_fixation",
"enabled": true,
"tags": [
"attack-fixation",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-SESSION-FIXATION",
"capec/1000/225/21/593/61"
]
}
]
},
{
"id": "crs-java-attack",
"name": "CRS Java / Deserialization Attack",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Java / Deserialization Attack (13 rules)",
"author": "OWASP CRS Project",
"priority": 3,
"enabled": true,
"rules": [
{
"id": "944100",
"name": "Remote Command Execution: Suspicious Java class detected",
"pattern": "java.lang.(?:runtime|processbuilder)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/137/6"
]
},
{
"id": "944110",
"name": "Remote Command Execution: Java process spawn (CVE-2017-9805)",
"pattern": "(?:runtime|processbuilder)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/248"
]
},
{
"id": "944120",
"name": "Remote Command Execution: Java serialization (CVE-2015-4852)",
"pattern": "(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/248"
]
},
{
"id": "944140",
"name": "Java Injection Attack: Java Script File Upload Found",
"pattern": ".*.(?:jsp|jspx).*$",
"targets": [
"headers"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-injection-java",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/242"
]
},
{
"id": "944150",
"name": "Potential Remote Command Execution: Log4j / Log4shell",
"pattern": "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/137/6"
]
},
{
"id": "944151",
"name": "Potential Remote Command Execution: Log4j / Log4shell",
"pattern": "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/137/6"
]
},
{
"id": "944200",
"name": "Magic bytes Detected, probable java serialization in use",
"pattern": "xacxedx00x05",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/248"
]
},
{
"id": "944210",
"name": "Magic bytes Detected Base64 Encoded, probable java serialization in use",
"pattern": "(?:rO0ABQ|KztAAU|Cs7QAF)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/248"
]
},
{
"id": "944240",
"name": "Remote Command Execution: Java serialization (CVE-2015-4852)",
"pattern": "(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/248"
]
},
{
"id": "944250",
"name": "Remote Command Execution: Suspicious Java method detected",
"pattern": "javab.+(?:runtime|processbuilder)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/248"
]
},
{
"id": "944260",
"name": "Remote Command Execution: Malicious class-loading payload",
"pattern": "(?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/248"
]
},
{
"id": "944300",
"name": "Base64 encoded string matched suspicious keyword",
"pattern": "(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/3",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/248"
]
},
{
"id": "944152",
"name": "Potential Remote Command Execution: Log4j / Log4shell",
"pattern": "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)",
"targets": [
"all"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "deserialization",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/4",
"OWASP_CRS",
"OWASP_CRS/ATTACK-JAVA",
"capec/1000/152/137/6"
]
}
]
},
{
"id": "crs-data-leakage",
"name": "CRS Data Leakage Detection",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Data Leakage Detection (3 rules)",
"author": "OWASP CRS Project",
"priority": 15,
"enabled": true,
"rules": [
{
"id": "950130",
"name": "Directory Listing",
"pattern": "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES",
"capec/1000/118/116/54/127"
]
},
{
"id": "950140",
"name": "CGI source code leakage",
"pattern": "^#!s?/",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES",
"capec/1000/118/116"
]
},
{
"id": "950100",
"name": "The Application Returned a 500-Level Status Code",
"pattern": "^5d{2}$",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES",
"capec/1000/152"
]
}
]
},
{
"id": "crs-data-leakage-sql",
"name": "CRS SQL Data Leakage",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS SQL Data Leakage (16 rules)",
"author": "OWASP CRS Project",
"priority": 15,
"enabled": true,
"rules": [
{
"id": "951110",
"name": "Microsoft Access SQL Information Leakage",
"pattern": "(?i)(?:JET|Access) Database Engine|[Microsoft][ODBC Microsoft Access Driver]",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951120",
"name": "Oracle SQL Information Leakage",
"pattern": "(?i)bORA-[0-9][0-9][0-9][0-9][0-9]:|java.sql.SQLException|Oracle(?: erro|[^()]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951130",
"name": "DB2 SQL Information Leakage",
"pattern": "(?i)DB2 SQL error|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|db2_[0-9A-Z_a-z]+()",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951140",
"name": "EMC SQL Information Leakage",
"pattern": "(?i)[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951150",
"name": "firebird SQL Information Leakage",
"pattern": "(?i)Dynamic SQL Error",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951160",
"name": "Frontbase SQL Information Leakage",
"pattern": "(?i)Exception (?:condition )?d+. Transaction rollback.",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951170",
"name": "hsqldb SQL Information Leakage",
"pattern": "(?i)org.hsqldb.jdbc",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951180",
"name": "informix SQL Information Leakage",
"pattern": "(?i)An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951190",
"name": "ingres SQL Information Leakage",
"pattern": "(?i)Warning.*ingres_|Ingres(?: SQLSTATE|[^0-9A-Z_a-z].*Driver)",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951200",
"name": "interbase SQL Information Leakage",
"pattern": "(?i)<b>Warning</b>: ibase_|Unexpected end of command in statement",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951210",
"name": "maxDB SQL Information Leakage",
"pattern": "(?i)Warning.{1,10}maxdb[():_a-z]{1,26}:",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951220",
"name": "mssql SQL Information Leakage",
"pattern": "(?i)S(?:y(?:stem.Data.(?:OleDb.OleDb|SqlClient.Sql)Except|ntax error (?:in string|.*) in query express)ion|intaxis incorrecta cerca de)|[(?:SqlException|M(?:icrosoft][ODBC SQL Server|acromedia][SQLServer JDBC) Driver])|(?:Exception.*[^0-9A-Z_a-z]System.Data.SqlClie|Conversion failed when converting the varchar value .*? to data type i)nt.|D(?:river.*SQL[ -_]*Server|ata type mismatch in criteria expression.)|Microsoft OLE DB Provider for (?:ODBC Drivers|SQL Server)|(?:(?:OLE DB.*SQL Serv|Procedure or function '.{1,128}' expects paramet)e|Incorrect syntax nea)r|Unclosed quotation mark (?:after|before) the character string|'80040e14'|(?:ADODB.Field (0x800A0BCD|mssql_query())|the used select statements have different number of columns|Warning.*mssql_.*",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951230",
"name": "mysql SQL Information Leakage",
"pattern": "(?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[()_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951240",
"name": "postgres SQL Information Leakage",
"pattern": "(?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)() [|org.postgresql.util.PSQLException):|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951250",
"name": "sqlite SQL Information Leakage",
"pattern": "(?i)Warning.*(?:sqlite_|SQLite3::)|S(?:QLite(?:/JDBCDriver|.Exception)|ystem.Data.SQLite.SQLiteException)",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
},
{
"id": "951260",
"name": "Sybase SQL Information Leakage",
"pattern": "(?i)Sybase(?: message:|.*Server message)|Warning.{2,20}sybase",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-SQL",
"capec/1000/118/116/54"
]
}
]
},
{
"id": "crs-data-leakage-java",
"name": "CRS Java Data Leakage",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Java Data Leakage (1 rules)",
"author": "OWASP CRS Project",
"priority": 15,
"enabled": true,
"rules": [
{
"id": "952110",
"name": "Java Errors",
"pattern": "(?i)b(?:java[.a-z]+E(?:xception|rror)|(?:org|com).[.a-z]+Exception|Exception in thread ",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-JAVA",
"capec/1000/118/116"
]
}
]
},
{
"id": "crs-data-leakage-php",
"name": "CRS PHP Data Leakage",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS PHP Data Leakage (3 rules)",
"author": "OWASP CRS Project",
"priority": 15,
"enabled": true,
"rules": [
{
"id": "953110",
"name": "PHP source code leakage",
"pattern": "(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-PHP",
"capec/1000/118/116"
]
},
{
"id": "953120",
"name": "PHP source code leakage",
"pattern": "(?i)<?(?:=|php)?s+",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-PHP",
"capec/1000/118/116"
]
},
{
"id": "953101",
"name": "PHP Information Leakage",
"pattern": "(?i)Empty string|F(?:ile size is|reeing memory)|Header (?:name )?",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-PHP",
"capec/1000/118/116"
]
}
]
},
{
"id": "crs-data-leakage-iis",
"name": "CRS IIS Data Leakage",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS IIS Data Leakage (4 rules)",
"author": "OWASP CRS Project",
"priority": 15,
"enabled": true,
"rules": [
{
"id": "954100",
"name": "Disclosure of IIS install location",
"pattern": "(?i)[a-z]:[x5c/]inetpubb",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-IIS",
"capec/1000/118/116"
]
},
{
"id": "954110",
"name": "Application Availability Error",
"pattern": "(?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-IIS",
"capec/1000/118/116"
]
},
{
"id": "954130",
"name": "IIS Information Leakage",
"pattern": "^404$",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-IIS",
"capec/1000/118/116"
]
},
{
"id": "954101",
"name": "Disclosure of IIS install location",
"pattern": "(?i)[x5c/]inetpubb",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-IIS",
"capec/1000/118/116"
]
}
]
},
{
"id": "crs-web-shells",
"name": "CRS Web Shell Detection",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Web Shell Detection (23 rules)",
"author": "OWASP CRS Project",
"priority": 3,
"enabled": true,
"rules": [
{
"id": "955110",
"name": "r57 web shell",
"pattern": "<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955120",
"name": "WSO web shell",
"pattern": "^<html><head><meta http-equiv='Content-Type' content='text/html; charset=(?:Windows-1251|UTF-8)?'><title>.*?(?: -)? W[Ss][Oo] [0-9.]+</title>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955130",
"name": "b4tm4n web shell",
"pattern": "B4TM4N SH3LL</title>[^<]*<meta name='author' content='k4mpr3t'/>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955140",
"name": "Mini Shell web shell",
"pattern": "<title>Mini Shell</title>[^D]*Developed By LameHacker",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955150",
"name": "Ashiyane web shell",
"pattern": "<title>.:: [^~]*~ Ashiyane V [0-9.]+ ::.</title>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955160",
"name": "Symlink_Sa web shell",
"pattern": "<title>Symlink_Sa [0-9.]+</title>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955170",
"name": "CasuS web shell",
"pattern": "<title>CasuS [0-9.]+ by MafiABoY</title>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955180",
"name": "GRP WebShell",
"pattern": "^<html>rn<head>rn<title>GRP WebShell [0-9.]+ ",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955190",
"name": "NGHshell web shell",
"pattern": "<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955200",
"name": "SimAttacker web shell",
"pattern": "<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - ",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955210",
"name": "Unknown web shell",
"pattern": "^<!DOCTYPE html>n<html>n<!-- By Artyum [^<]*<title>Web Shell</title>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955220",
"name": "lama",
"pattern": "<title>lama's'hell v. [0-9.]+</title>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955230",
"name": "lostDC web shell",
"pattern": "^ *<html>n[ ]+<head>n[ ]+<title>lostDC - ",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955240",
"name": "Unknown web shell",
"pattern": "^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955250",
"name": "Unknown web shell",
"pattern": "^<html>n<head>n<div align=",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955260",
"name": "Ru24PostWebShell web shell",
"pattern": "^<html>n<head>n<title>Ru24PostWebShell ",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955270",
"name": "s72 Shell web shell",
"pattern": "<title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955280",
"name": "PhpSpy web shell",
"pattern": "^<html>rn<head>rn<meta http-equiv=",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955290",
"name": "g00nshell web shell",
"pattern": "^ <html>nn<head>nn<title>g00nshell v[0-9.]+ ",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955310",
"name": "azrail web shell",
"pattern": "^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955320",
"name": "SmEvK_PaThAn Shell web shell",
"pattern": ">SmEvK_PaThAn Shell v[0-9]+ coded by <a href=",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955330",
"name": "Shell I web shell",
"pattern": "^<html>n<title>[^~]*~ Shell I</title>n<head>n<style>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
},
{
"id": "955340",
"name": "b374k m1n1 web shell",
"pattern": "^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>",
"targets": [
"body"
],
"action": "block",
"score": 10,
"severity": "critical",
"category": "rce",
"enabled": true,
"tags": [
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/WEB-SHELLS",
"capec/1000/225/122/17/650"
]
}
]
},
{
"id": "crs-data-leakage-ruby",
"name": "CRS Ruby Data Leakage",
"version": "4.24.0",
"source": "owasp-crs",
"description": "OWASP CRS v4.24.0 — CRS Ruby Data Leakage (1 rules)",
"author": "OWASP CRS Project",
"priority": 15,
"enabled": true,
"rules": [
{
"id": "956110",
"name": "Ruby source code leakage",
"pattern": "(?i)(?:<%[=#s]|#{[^}]+})",
"targets": [
"body"
],
"action": "block",
"score": 8,
"severity": "high",
"category": "data_leakage",
"enabled": true,
"tags": [
"attack-disclosure",
"paranoia-level/2",
"OWASP_CRS",
"OWASP_CRS/DATA-LEAKAGES-RUBY",
"capec/1000/118/116"
]
}
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink